Security Basics mailing list archives

Re: Password Manager Software recommendations


From: Tara Kelly <tara () passpack com>
Date: Tue, 08 May 2007 23:04:18 +0200

Hello,
I was trying not to butt in because it would have sounded like a product plug... I'm a founding partner at PassPack, reading this list for a week or so. But since mdevlin mentioned us, well - I can resist no longer.

PassPack:
Yes - Easy to use for most non-technical end-users [built with "normal people" in mind]
Yes - Small resource footprint [it's hosted, needs a browser to run and an Internet connection]
Yes - Easy to deploy [nothing to install]
Yes - Use of AES
Yes - Product must be actively supported/maintained for the foreseeable future
Maybe - Suitable for business/enterprise (MS Windows) environments

That last "maybe" is the clincher I think. We currently have free accounts aimed at individuals, and we'll be adding paid packages over the course of the next 12-16 months. Among these will be two packages, PRO and BIZ. The PRO will allow shared slave accounts and is meant for micro-small businesses. The BIZ package will have full administration of users and accounts, privacy controls.

As far as MS Windows is concerned - Yes, PassPack runs on Win, Linux and Mac. It's been tested on IE6+, Firefox 1.5+, Safari 2, Opera 8+. It's an Ajax application, which means that all data is encrypted in the browser, with a key that never leaves the browser. Only encrypted data (without the key) gets sent to the server for storage. It's based on the Host-Proof Hosting pattern if you're interested in looking that up: http://ajaxpatterns.org/Host-Proof_Hosting

Since all encryption takes place in the browser, we use a JavaScript implementation of AES128 - at the time of creation, the AES256 implementation was causing the browser to run under stress. However we're evaluating a new, hopefully faster implementation of AES256. Our architecture allows us to update the algorithms fairly easily (we've already done this with 0 data loss) so that is a change which will probably come about in the next months.

You can find links to the algorithms we use here:
https://www.passpack.com/info/thanks/

Here's a screenshot and features list (with links to more info on the blog):
http://passpack.wordpress.com/passpack-infosheet/

Like I said, PassPack is new to the market, so the information on the website may be too limited for your needs. Let me know if you have any questions. Also - feedback and suggestions are greatly appreciated.

Cheers,
Tara



mdevlin () boston com wrote:
Passpack.com is a web-based password manager I came across the other day. It uses AES, and allows you to import/export passwords along with making offline encrypted backups of your database.




----- Original Message -----
From: fRANz [andrea.francesconi () gmail com]
Sent: 05/07/2007 10:28 PM ZE2
To: security-basics () securityfocus com
Subject: Re: Password Manager Software recommendations



On 5/4/07, BSD Dude <bsdguy2000 () yahoo com> wrote:

The basic general requirements are:

Easy to use for most non-technical end-users
Small resource footprint
Easy to deploy
Use of AES, Two-fish, and/or Blowfish algorithms
Product must be actively supported/maintained for the foreseeable future (I am aware of the problems with this type of requirement)
Suitable for business/enterprise (MS Windows) environments

Any web-based password manager?

Regards,
-f
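
The Host-Proof Hosting arrangement described in the post above (data encrypted in the browser, key never leaves it, server stores only ciphertext), sketched as an added example that is not part of the original thread and is not PassPack's code. Assumptions: Node's `crypto` module stands in for the browser, scrypt key derivation and AES-128-GCM are this example's choices (the post only says "AES128"), and `HostStore`, `deriveKey`, `sealRecord` and `openRecord` are hypothetical names.

```javascript
// Added illustration of Host-Proof Hosting; not PassPack's code.
// Assumptions: Node's crypto stands in for the browser; scrypt and
// AES-128-GCM are this example's choices, not taken from the post.
const nodeCrypto = require('node:crypto');

// --- client side (would run in the browser) ---
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 16); // 16 bytes = AES-128 key
}

function sealRecord(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every record
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: cipher.getAuthTag().toString('base64') };
}

function openRecord(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-128-gcm', key, Buffer.from(blob.iv, 'base64'));
  d.setAuthTag(Buffer.from(blob.tag, 'base64'));
  // final() throws if the key is wrong or the host altered the blob
  return Buffer.concat([d.update(Buffer.from(blob.ct, 'base64')), d.final()]).toString('utf8');
}

// --- server side: stores opaque blobs, never receives passphrase or key ---
class HostStore {
  constructor() { this.rows = new Map(); }
  put(user, salt, blob) { this.rows.set(user, JSON.stringify({ salt, blob })); }
  get(user) { return JSON.parse(this.rows.get(user)); }
}

// Round trip over constructed sample data.
function demo() {
  const host = new HostStore();
  const secret = JSON.stringify({ site: 'mail.example', password: 'constructed-sample-pw' });
  const salt = nodeCrypto.randomBytes(16).toString('base64');
  host.put('alice', salt, sealRecord(deriveKey('correct horse battery staple', salt), secret));

  const stored = host.get('alice');
  const hostSeesPlaintext = host.rows.get('alice').includes('constructed-sample-pw');
  const plain = openRecord(deriveKey('correct horse battery staple', stored.salt), stored.blob);
  let wrongKeyRejected = false;
  try { openRecord(deriveKey('wrong passphrase', stored.salt), stored.blob); }
  catch (e) { wrongKeyRejected = true; }
  return { hostSeesPlaintext, roundTripOk: plain === secret, wrongKeyRejected };
}
```

The host holds only the salt, nonce, ciphertext and tag, so confidentiality rests on the passphrase and on the integrity of the script the server delivers to the browser.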


