PassPack on the browser end

So while the fallout from the last time I came across this company clears up, I decided to find out exactly how they do what they do. At the time of this writing, PassPack is at Beta5.39.5.

First and foremost… My old nemesis, multiple stylesheets for multiple browsers.

Whenever I see :

<!--[if gte IE 7]>

That’s usually the sign of a poor UI implementation. That means they are jumping through hoops when they really shouldn’t. That excerpt above means that they have a separate stylesheet for Internet Explorer 7. There’s one more for IE6, and it appears they have been through several versions of each stylesheet. It also appears that they’ve been experimenting with stylesheets specifically for the iPhone as well.

I know there’s no “standard” when it comes to the CSS implementation (especially CSS2), but in the year 2008, can we start “attempting” to use cross-browser CSS please? But hey, it’s a beta, so let’s move on.

You will be reminded to enter in an email, I strongly suggest you do use it. Just in case you forget your password… for the password reminder *cough*.

There’s an option for Auto-Login, and I suggest you not use it. As far as I can see, this defeats the whole purpose of security. Call me paranoid, but I never enable auto-logins in anything I use. Call it an old habit as an admin, but I think it makes sense.

PassPack auto lockout The system will automatically log you out when inactive. You can change this setting by going into Account > Options. I suggest you not increase this setting. It defaults at 5 minutes, and in fact, you may want to reduce that to 2. Quickly finish up any entry you are making as the system cannot lockup while you are making an entry. Do not walk away from your computer while you are entering in anything because of this.

Get into this habit : Login, do your thing, logout.  You might think it’s a pain to re-enter your info, but don’t worry about having to log in again. It’s much worse if you left it unattended for some stranger screw up your passwords.

Passpack Password ListThe Password display shows if you have set any of the additional options for each password entry… That is an actual Password, a UserID, a Link to whatever login page you will need the password for as well as any Tags. I’m not sure if the Tags make any sense if you are descriptive in the Title.

PassPack Disposable Login Do use the disposable logins if you plan to take a trip. It allows you to create a one-time use login for when you are away from your home computer. It’s a good idea if you are using a system in a CyberCafe or hotel.

PassPack makes extensive use of JavaScript to do what it does, which means, you will have to use a JS enabled browser (screen-readers for the visually impaired and text-only browsers like Lynx are out). This is to make sure that bots cannot access the system, since they and other automated hacking tools are unable make use of JavaScript.

The scripts are designed to ensure that you are not being tricked into entering data while browsing another page. I.E. Phishing attempts. Also a lot of password encoding, special character recognition, strength metering, query sanitizing etc… takes place client-side. Some of the scripts appear to be written by Francesco Sullo, also the author of aSSL.  

It’s too bad their employees couldn’t learn any lessons from this guy, because he apparently knows how to spam “Evangelize” properly… That’s what I call helpful spam.  Now if only he would stop giving 5 stars to his own product on

In addition to this, PassPack does use some publicly available code. The system makes heavy use of the jQuery script library to do AJAX calls and perform other UI functions. jQuery alone has a number of browsers that it is compatible with, and a few others that it isn’t.

PassPack itself, thus, will be have the same browser compatibilities. In addition to this, you cannot use the iCab browser as well as OmniWeb. Both browsers are for the Mac.

Any attempt to use them or other incompatible browser, and you will be greeted with the following message :

Sorry. The version beta5 of PassPack 
has not been full tested with this browser version.

The Pros:

It works!
As far as betas go, it’s pretty decent. I would like to see more UI refinement and for God’s sake, get rid of the multiple stylesheets.
I think I will be keeping my account and I look forward to the next iteration. Hopefully they will continue to perform as advertised.

What exactly is PassPack? It’s a bookmarker on steroids. Except, substitute “Title” with “Location” and “URL” with “Password”. For what it is, it gets the job done.

The Cons:

It’s not accessible. The UI could use a bit more streamlining as I can see how novice users can get a bit tangled up during the registration process. They need to make it clearer ahead of time that there are three crucial bits of information required from the user during the registration :
Your Username
Your Password (Moderately complex)
Your PackingKey (Very complex)

The Password allows you to login to the system. The PackingKey unlocks all your entries.

They haven’t restricted access to the stylesheets and script libraries. Which means a compromised browser may be tapped by an unscrupulous individual and trick the user into entering in his/her info. I should not be able download any of the script files or CSS by plugging the URL into my browser. This is kind of important.

Fortunately the fix is simple; They just need to check the referrer… /css.php?getfile=stylesheet.css Or something similar to make sure the files are being requested by the same domain. This is especially important for the JavaScript files. In short, if it can be hot-linked, that’s a problem.

It would be nice if they can accommodate users with special needs.

What’s inherent to this system, and indeed endemic to all web-based solutions, it’s web-based. As in you need to have Internet access to retrieve your passwords.

Now if only they will fix their ridiculous marketing campaign, things would be dandy.


6 thoughts on “PassPack on the browser end

  1. An interesting review. Its nice to see someone who investigates sites by using the oh-so-overlooked ‘view page source’ option. I read with interest your previous encounter with this group and whilst it is admirable what they are trying to achieve, the paranoid voice in me tells me never to trust a third party with any confidential details.

    Whilst programs like passwordsafe (open source hosted on Sourceforge) age fairly trustworthy, they are, in essence a honey pot for hackers if a built is maliciously altered and posted (after all, how many people check MD5/SHA1 checksums?!)

    On that note however, you have suggested some good security practices and it would be good if more people took note. The number of weak or username-based passwords I have seen whilst working for various companies is simply shocking at times.

  2. Thanks!
    Yeah, I know what you mean.

    It’s beyond belief how many times I’ve come across “Password” for the password. And these are supposed to be “tech savvy” folks that I work with… Go figure!

    Honestly, I’ve got nothing against the project itself. Even the enthusiasm amuses me. It’s this aura of “smug” that comes from their marketing tactics that I can’t stand. I guess it’s understandable since they are new. But they can’t stay “new” forever. Eventually they’ll have to grow up.

    For small, non-identifiable and not critical, things that I forget from time to time, maybe I’ll use this. But for my bank or system pass? No way! I commend the effort, though I believe, as you said, this isn’t a good system for me either as per my own paranoia.

  3. Hi Rodrigo,

    I left a one-line review on about my service. It is true, but I was so excited I forgot to turn on my brain first :)
    So, there it is.

    Your suggestions are interesting and I will consider them for future releases. The Host-Proof Hosting pattern requires a Javascript approach. I am studying about accessibility concerns but it is very difficult to find the right solutions.

    But, I want to ask you a courtesy. L. and D. are with us from the end of February. They will work on knowledge base and write articles. They are young, haven’t any fault (they were under our supervision) and are frightened by all this agression.

    I want to ask you not to use their names in your post. Maybe do you can say “their employeers”, please?
    We are responsible. They are not.


  4. Hi Francesco.

    Very well, I’ve removed their names from the article.

    This isn’t “aggression” BTW…
    This is just me being a jerk… I.E. “Being myself”
    I’m not angry or upset at any of you. Nor do I wish to see any problems for your project. In fact, I wish you the best of luck!

    Please send them my apologies if they truly are frightened.

    I’ve worked with accessible interfaces for the web before, so If you need any help and/or suggestions client-side, send me an email. It’s posted on the front page of my blog.

    Like I posted as a comment to your “Transparent Evangelism” article, I just have a tendancy to be as direct as possible when I’m faced with the sublimely ridiculous. The actions of your “employees” were as sublime as they come.

  5. Pingback: Building (clean) dashboards for your app « This page intentionally left ugly

  6. Pingback: Transparent Evangelism no longer Transparent « This page intentionally left ugly

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s