Ask HN: Should I trust online password management services like passpack.com?
6 points by nomatteus on Jan 6, 2010 | hide | past | favorite | 7 comments
I've recently been looking for a good password management system. Key features being cross-platform and cross-browser implementation.

I started using Passpack.com a few weeks ago and it seems to be a pretty good solution. My only issues are how exactly they store your password database and how much can I really trust this service? Storing any sensitive data online always raises flags so I'm wondering if it's safe to use an online password service such as this? Are there any security tests I can perform to help ensure the security of this app?

The other option is to use something like Keepass--the advantage being that the password database is stored locally and is in my control. Though it might be a bit more complicated to get all my computers synced to use this.

So basically, can I trust any online password-storing site, and if not, should I switch to using only desktop apps like Keepass, where I'm in control of where the encrypted password database file lives?




They can grab all your passwords, because you're going to type them into their service, and because it's a web service, they can switch the implementation as they please. If it's implemented as they seem to imply (server just sends you an AES-crypted blob of passwords, JavaScript AES implementation decrypts the blob client-side using the packing key), then what happens if the bad guys root them and "enhance" their JavaScript to send the packing key back to the server?

I think that you are going to have to trust such a service with your plaintext passwords, because you need to recover the plaintext passwords from it. The problem is aggravated by it being a web service whose implementation can be switched at any time.


Ignoring the concerns about AES256 cyphers for this response...

The site that I use for my passwords is called Clipperz. (www.clipperz.com/beta). They encrypt everything in JS like the others, but they've fully released their source code for inspection. I know JS, and it looks legit, although I can't speak to their encryption technique (although they did everything else so well, I use that as a proxy for their competence).

The other cool thing is that they allow you to download an html/js/css file so you can open your passwords even when offline (big file, 1.5MB or so, but handy to keep your encrypted passwords around offline).


From their website:

Your data is encrypted on-the-fly before leaving your browser. Passpack uses the AES-256 encryption algorithm...only you can decrypt it with your secret Packing Key.

If the technology works as they say, it is secure. Now the problem becomes how to verify whether it works as they say. It is almost impossible to verify claims like these. Theoretically, they can read your password anytime they want just by modifying the JavaScript (or whatever they are using) and you will never know.

Personally I would not trust them with my real passwords.


Indeed, just see here:

http://www.h-online.com/security/news/item/NIST-certified-US...

To see some NIST certified "AES-256 encryption" which turns out to be easily sidestepped - an example of the difficulty of verifying whether it works as they say.


Egads, that is crazy to me. What happens when/if they go down for several hours/days? What happens when their web host gets knocked offline? What happens when they get DDoSed? What happens when/if they get acquired?

Wow - I can't imagine using a web company of individuals I know nothing about to store something so important.

And besides, I wouldn't post what password solution I use on the internet anyway.


I use KeePass on a memory stick. When I need a password I can just plug it into whichever computer I happen to be using.


I've been using 1Password for a couple of months and I love it.

