PassPack on the browser end

So while the fallout from the last time I came across this company clears up, I decided to find out exactly how they do what they do. At the time of this writing, PassPack is at Beta5.39.5.

First and foremost… My old nemesis, multiple stylesheets for multiple browsers.

Whenever I see :

<!--[if gte IE 7]>

That’s usually the sign of a poor UI implementation. That means they are jumping through hoops when they really shouldn’t. That excerpt above means that they have a separate stylesheet for Internet Explorer 7. There’s one more for IE6, and it appears they have been through several versions of each stylesheet. It also appears that they’ve been experimenting with stylesheets specifically for the iPhone as well.

I know there’s no “standard” when it comes to the CSS implementation (especially CSS2), but in the year 2008, can we start “attempting” to use cross-browser CSS please? But hey, it’s a beta, so let’s move on.

You will be reminded to enter in an email, I strongly suggest you do use it. Just in case you forget your password… for the password reminder *cough*.

There’s an option for Auto-Login, and I suggest you not use it. As far as I can see, this defeats the whole purpose of security. Call me paranoid, but I never enable auto-logins in anything I use. Call it an old habit as an admin, but I think it makes sense.

PassPack auto lockout The system will automatically log you out when inactive. You can change this setting by going into Account > Options. I suggest you not increase this setting. It defaults at 5 minutes, and in fact, you may want to reduce that to 2. Quickly finish up any entry you are making as the system cannot lockup while you are making an entry. Do not walk away from your computer while you are entering in anything because of this.

Get into this habit : Login, do your thing, logout.  You might think it’s a pain to re-enter your info, but don’t worry about having to log in again. It’s much worse if you left it unattended for some stranger screw up your passwords.

Passpack Password ListThe Password display shows if you have set any of the additional options for each password entry… That is an actual Password, a UserID, a Link to whatever login page you will need the password for as well as any Tags. I’m not sure if the Tags make any sense if you are descriptive in the Title.

PassPack Disposable Login Do use the disposable logins if you plan to take a trip. It allows you to create a one-time use login for when you are away from your home computer. It’s a good idea if you are using a system in a CyberCafe or hotel.

PassPack makes extensive use of JavaScript to do what it does, which means, you will have to use a JS enabled browser (screen-readers for the visually impaired and text-only browsers like Lynx are out). This is to make sure that bots cannot access the system, since they and other automated hacking tools are unable make use of JavaScript.

The scripts are designed to ensure that you are not being tricked into entering data while browsing another page. I.E. Phishing attempts. Also a lot of password encoding, special character recognition, strength metering, query sanitizing etc… takes place client-side. Some of the scripts appear to be written by Francesco Sullo, also the author of aSSL.  

It’s too bad their employees couldn’t learn any lessons from this guy, because he apparently knows how to spam “Evangelize” properly… That’s what I call helpful spam.  Now if only he would stop giving 5 stars to his own product on

In addition to this, PassPack does use some publicly available code. The system makes heavy use of the jQuery script library to do AJAX calls and perform other UI functions. jQuery alone has a number of browsers that it is compatible with, and a few others that it isn’t.

PassPack itself, thus, will be have the same browser compatibilities. In addition to this, you cannot use the iCab browser as well as OmniWeb. Both browsers are for the Mac.

Any attempt to use them or other incompatible browser, and you will be greeted with the following message :

Sorry. The version beta5 of PassPack 
has not been full tested with this browser version.

The Pros:

It works!
As far as betas go, it’s pretty decent. I would like to see more UI refinement and for God’s sake, get rid of the multiple stylesheets.
I think I will be keeping my account and I look forward to the next iteration. Hopefully they will continue to perform as advertised.

What exactly is PassPack? It’s a bookmarker on steroids. Except, substitute “Title” with “Location” and “URL” with “Password”. For what it is, it gets the job done.

The Cons:

It’s not accessible. The UI could use a bit more streamlining as I can see how novice users can get a bit tangled up during the registration process. They need to make it clearer ahead of time that there are three crucial bits of information required from the user during the registration :
Your Username
Your Password (Moderately complex)
Your PackingKey (Very complex)

The Password allows you to login to the system. The PackingKey unlocks all your entries.

They haven’t restricted access to the stylesheets and script libraries. Which means a compromised browser may be tapped by an unscrupulous individual and trick the user into entering in his/her info. I should not be able download any of the script files or CSS by plugging the URL into my browser. This is kind of important.

Fortunately the fix is simple; They just need to check the referrer… /css.php?getfile=stylesheet.css Or something similar to make sure the files are being requested by the same domain. This is especially important for the JavaScript files. In short, if it can be hot-linked, that’s a problem.

It would be nice if they can accommodate users with special needs.

What’s inherent to this system, and indeed endemic to all web-based solutions, it’s web-based. As in you need to have Internet access to retrieve your passwords.

Now if only they will fix their ridiculous marketing campaign, things would be dandy.

The changing face of spam

You have to respect the sheer audacity. I wonder if some of these people go to special schools or take special classes to learn these tactics in guerilla warfare. They almost succeeded in “Trojan Horsing” their wares onto my blog. Sadly, the problem may not be the school or the classes. It’s the students…

After posting the phrase based password generation technique the other day, I was faced with a curious link in my referrer list.

Then I realized that I got a comment from someone who works at PassPack (Or PassHack) who politely encouraged me to look at their product via their “Product blog”. Very convenient indeed. I won’t turn this text into a link since they’ve already had their stay on my blog.

Passhack Spam1

Why, thank you, “L”! But you see, even the poor Jack O’Spades has already had this information spammed mentioned on his blog by “d”.

Passhack Spam2

Both employees of PassPack. Both gushing over their own product. Objectivity anyone?

You don’t think this is any serious way to advertise a product, do you? I mean, surely, there has to be a limit to how many times you can mention one product in two related posts. You guys really need to coordinate your spam activities to prevent this kind of mix-up in the future.

The really funny thing is that these folks might have been able to get away with it if they hadn’t posted a link to their corporate HelpDesk. Don’t bother trying to browse You will be greeted with the staff login page. I was checking my referrers the other day, and lookie here!

Peekaboo! I see you!
Passhack spam3

Note to spammers :
Get smarter! Or better yet, get lost!

Update 5:43 pm

I’m starting to become convinced that this is nothing more than a misunderstanding. I don’t believe that this was intentional spam, merely the result of poor employee training. I’m sure, my general attitude didn’t help much.

Tara, the founder of PassPack has been very forthcoming, so we shall see how things go on from here.

I hope for all our sakes, they drop this ridiculous tech “Evangelism” nonsense. It’s just another overhyped buzzword like “Web 2.0” or “AJAX”.

We don’t care about buzzwords! We care about originality and substance!

Update 09/2008

This post contains, by far, the the most amusing response to a comment by “L” …

Is there a “mark as spam” option for comments? Very annoying.

And “d” attempts to squeeze PassPack into a post about “Time Managment”. Now that’s ambition right there!