Passpack offers 3 useful options which can help with making secure backups:
- Passpack Desktop – an Adobe Air desktop application that downloads and saves all your passwords locally. It needs to be synced to stay accurate.
- Backup – this creates a backup of all your passwords in a .pp format, which can only be restored on the Passpack website or in Passpack Desktop.
- Export – the most open/flexible of the methods. Export all your passwords to a CSV/HTML table.
Issues with these methods:
- Passpack Desktop is a local application so if my computer was stolen or it stopped working at the same time as the web version went down, then I lose my data. It works offline so should be safe, but if the company that developed it became compromised, there could be issues with using it.
- Similarly, the Passpack backup can only be used by Passpack Desktop and the online version. If Passpack is compromised or goes bust, then I could lose the ability to make use of that backup.
- Lastly, exporting my sensitive data to a spreadsheet is definitely useful, but that spreadsheet needs to be protected, otherwise someone who gains access to my computer could easily copy all my data.
Steps I’ve Taken
After issues accessing Passpack on the office computers this morning, I installed Passpack Desktop on all of them, and on my own PC. Now we all have an offline version in case of connection problems.
That’s probably sufficient for employees who only have shared passwords in their account – all the actual records reside in the master account which has over 350 passwords in it.
I felt an additional step was required which was free from any ties to Passpack – I wanted to back up the raw data. So now the question becomes, how can you securely protect a file on your desktop computer?
My first idea was to use some Windows-based password/encryption method – however, there isn’t one.
Next, I started looking at 3rd party software to achieve the same task. I looked at archiving the file in a password-protected .7z or .zip file using 7zip; however, it appears that it’s fairly trivial to crack them.
Therefore, I felt that I was being directed towards encryption software of some sort. I’ve recently used TrueCrypt to encrypt my laptop hard drive (and will probably do the same with my desktop shortly). However, I wasn’t comfortable simply having the file on an encrypted drive, as I would want it backed up.
To combat this, I created an encrypted volume and placed the exported CSV file into that volume. While the volume is mounted it can be read by anyone accessing my computer, but when it’s not, it’s pretty secure. I can then back up this volume to Dropbox and sync it amongst my PCs – enabling it to be decrypted on any computer with TrueCrypt installed.
FYI if you are following these steps, it makes sense to create the TrueCrypt volume first and then download and save the CSV to it, so that it only ever touches your HD within the TrueCrypt volume. I.e. if you save it to your desktop and then move it into the encrypted volume, you will need to securely delete it and overwrite the free space on your drive to ensure that it’s completely unrecoverable from the drive.
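To check that no plaintext copy of the export was left outside the encrypted volume, the scan below (an added example, not part of the original post or any Passpack or TrueCrypt tooling) lists export-like files under the chosen folders that are not inside the mounted volume. The file extensions, the "password" header keyword and the sample paths are assumptions for illustration, not Passpack's documented export format.

```python
import os
import tempfile
from pathlib import Path

# Assumed heuristics: extensions and header keywords are illustrative,
# not Passpack's documented export format.
EXPORT_EXTENSIONS = {".csv", ".html", ".htm"}
HEADER_KEYWORDS = ("password", "passwd")


def looks_like_export(path, probe_bytes=4096):
    """True if the first few KB of the file mention a password column."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(probe_bytes).decode("utf-8", errors="ignore").lower()
    except OSError:
        return False  # unreadable file: skip it rather than abort the scan
    return any(keyword in head for keyword in HEADER_KEYWORDS)


def find_stray_exports(search_roots, volume_mount):
    """Return export-like files under search_roots that are NOT inside the mounted volume."""
    mount = Path(volume_mount).resolve()
    strays = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            here = Path(dirpath).resolve()
            if here == mount or mount in here.parents:
                continue  # inside the encrypted volume: the expected location
            for name in files:
                candidate = here / name
                if candidate.suffix.lower() in EXPORT_EXTENSIONS and looks_like_export(candidate):
                    strays.append(candidate)
    return sorted(strays)


def demo():
    """Constructed sample tree: one export on the 'desktop', one inside the 'volume'."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        desktop = base / "Desktop"
        volume = desktop / "vault_mount"  # stands in for the mounted volume
        volume.mkdir(parents=True)
        sample = "name,user id,password,link\nexample,alice,constructed-value,https://example.test\n"
        (desktop / "passpack_export.csv").write_text(sample)
        (volume / "passpack_export.csv").write_text(sample)
        (desktop / "notes.csv").write_text("date,amount\n2010-01-01,5\n")
        return [p.relative_to(base).as_posix() for p in find_stray_exports([desktop], volume)]


if __name__ == "__main__":
    print(demo())
```

The scan only finds files that still exist; a copy that was deleted normally is not listed and still needs the secure delete and free-space overwrite described above.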
Unfortunately, this whole process means that there is 1 more password I’m going to have to remember, bringing the sum total to 4: Passpack password and packing key, laptop pre-boot disk decryption password and finally password backup decryption password. It will be 5 by the time I encrypt my desktop computer.