UPDATE: Around 2 months after writing this post, I moved back to Passpack. I wrote about serious data integrity and security concerns with Lastpass here and my interactions with their support team regarding these issues here. In my opinion, Passpack is significantly more secure, stable and reliable – rather important requirements for a password manager!
UPDATE 2: See the related post on how I securely back up my Passpack account.
I started using an online password manager around 8 months ago, and have never regretted my decision. I used to use an Excel spreadsheet because I thought it was easier – both of these tools are significantly better than that!
I was used to opening the spreadsheet, copying and pasting the password and entering it into the relevant website I was using. I used the built-in browser password manager quite a lot as well. This was amazingly insecure: if my computer was stolen, then all of my passwords would be exposed.
I checked out a few password managers and tested them against a few criteria. I wanted it to be online so that the data is available anywhere in the world, preferably with good integration with my Android smartphone, easy to use, reliable and, most importantly, secure. I was not keen to give my 250+ passwords to anyone – let alone a dodgy website. The chance of my computer being stolen by someone who is interested in stealing my passwords is a lot smaller than the chance of an insecure password-management website, holding thousands of users' passwords, being attractive enough to get hacked.
I ended up using Passpack and have recently switched to LastPass. This post should hopefully explain what I like/dislike about them both, and perhaps help you make up your mind which one to go for.
I started off using Passpack. It gives a free account of up to 100 passwords which is great – it gave me a good amount of time to try it out. I was hesitant to pay for something, but their range of accounts is good, and I could get away with $1.50 a month – not breaking the bank!
Essentially, I chose it because it’s a bit like an online spreadsheet. You can add entries in the nice interface and can add secure notes and share them with others easily. When you log in, you can copy the username/password of entries without actually opening them (little icons next to the name), and when you do open an entry the password and notes are hidden by default – great if someone is looking over your shoulder. You can tag up your entries as well, which makes them super easy to organise.
Passpack It Button
It was a few months before I investigated the ‘Passpack It’ button. It’s a bookmark toolbar button which, when clicked, automatically enters your username/password into the fields on the webpage and clicks the login button for you, i.e. you only need to click once to log into a webpage. However, you need to show your bookmarks toolbar – something I don’t do by default, and it can reduce your viewable page size if you’re using a netbook or small laptop. Furthermore, if you have more than 1 account for the webpage you’re on then a pop-up box appears and asks you to choose which one you want to use, so essentially 2 clicks. If you have lots of accounts, then you may need to scroll down the box to find the one you want. All in all, the costs outweighed the benefits, but Passpack remained my manager of choice.
Then I started using Magento! Passpack It requires training on some new websites – you need to tell it where the username/password fields are so that it knows where to enter the data. Unfortunately, it required training on every Magento login page. Magento logs you out then attempts to log you back into the page you were on, so essentially the login URL changes every time (unless you purposefully go to the default login page via a bookmark). This was a little bit of a pain, as you can imagine – 1-click login became 8 clicks over 25-30 seconds.
By this time I was also managing 4 accounts for the guys in my office – sharing passwords between us all. Everyone found the Magento issue a pain. Also, everyone I shared the passwords with continued to use their built-in browser password manager – they had no incentive to go and use a third-party tool which didn’t work that well. If I change a password that they use, then it’s likely they have difficulty logging in until they go to Passpack and get the new one. Critically, passwords shared with other users are visible to them. They can copy and paste them into an email very easily – not very secure if you’re sharing passwords with many short-term team members.
One of my original attractions to Passpack was the security. All data is encrypted locally via your own encryption key which you need to enter to gain access to your account. That means to gain entry you need the username, password and packing key (essentially a 2nd password). You can read more about Passpack security here.
Lastpass offers a free account and a premium paid account for $1 a month. The only features of the paid account that I use are the password sync (when you change a password it gets synced to the people you share it with) and the Android app.
Disclaimer: I’ve been using it for about 10 days now so my impressions may be premature.
My first impression was not great – the interface is pretty ugly. I also don’t like the fact that it’s recommended you shut down all your browsers to install LastPass. It feels like you’re installing a desktop application, but it’s actually more like individual browser plugins. I exported from Passpack easily, and into LastPass easily – it has a predefined Passpack format which simplifies the whole thing. Unfortunately, it doesn’t support tags, so it turned my tags into categories – not ideal.
Bypass Browser Password Manager
Importantly, LastPass bypasses your browser password manager (if you let it) which forces you to use it. It also enters the most commonly used username/password into the relevant fields automatically, so you just need to click ‘login’. You get a dropdown box at the top of the page if you want to change which account you’re logging in with, or you can use the keyboard shortcut Alt+Page Up/Page Down – a nice touch.
If you’re signing up for a new site, LastPass automatically asks you if you want to generate a password for the site, then enters it into the password fields. Very nice feature. I have a separate password generator in my browser for this very purpose – but the LastPass one makes it much easier. Once, it didn’t ask me to save the site after generating a password, but when I clicked the LastPass button there was an option to ‘copy the generated password to clipboard’ – nice!
The LastPass toolbar (essentially just a button) sits at the end of the navigation bar. Very discreet, but also easy to get to, and no extra bookmarks toolbar. Clicking the button reveals a menu which allows you to do a wealth of things like copy the username/password of any entry, view accounts for the page you’re on, access your ‘password vault’, access secure notes, access ‘form fills’ (something I’ve not investigated), and more…
This brings me very nicely to the LastPass vault. When you click the button and view your vault – you’re shown what I think is the local vault. This is different to the online account. They look different and have different functionality…but it’s the same data – your data. Why? It seems you can only edit your settings in the online one, but if you want to edit a password and propagate that change to the people you share it with – you need to do it in the local one. I really don’t understand why there are two and think it adds complication and confusion with no benefit to the user.
There also seems to be some complication in the way that LastPass handles fields. On one entry, my username and password fields disappeared behind a ‘show fields’ button. When I opened the entry, I couldn’t see the email address/password fields. No idea what happened there. I had to delete it and re-add it to get them back.
Quirks like this have happened a few times. As I imported my passwords, they are already saved in the system, but some of them haven’t been used through LastPass yet. I was able to overwrite passwords by messing around with the ‘auto login’ and ‘auto fill’ buttons that appear at the top of the page when logging into a site. Auto fill enters your username/password into the fields on the page, auto login allows you to enter username/password and login by clicking that one button. If I set up auto login with one account, then auto filled another account, then clicked auto login, it would overwrite the password for the 2nd account with the one for the auto login account. Gasp! LastPass will overwrite one of my saved passwords with one from another account without confirming with me first! I have been able to repeat this behaviour so it was not a fluke.
Occasionally no data appears in the username and password box and the auto fill button does nothing. Refreshing the page seems to sort this issue, although sometimes a browser restart is required.
It also seems to occasionally save passwords for sites without telling you. Or, it updates the site URL without telling you or asking you to confirm. I like to keep my data organised, especially my sensitive data. I want to decide what is stored and what is not, what is changed and what is not…I want control because it’s my data. There’s helpful, and there’s intrusive. When you don’t know what it’s doing – you don’t trust it.
LastPass allows you to share passwords with other people without allowing them to see the password. Great feature when working with teams. However, to allow syncing of updates to passwords, you need to have a premium paid account, and you need to set the passwords to sync before you share them, i.e. if you share a password, then upgrade to premium, you need to cancel the original share and re-share your passwords. Slightly annoying.
LastPass only requires you to enter a master password. It encrypts and decrypts your data in your browser, so LastPass doesn’t actually see it, but it’s definitely less secure than Passpack in that someone only needs to learn your password to get access to your account – better make it secure! Read more about LastPass security here.
Both of these are great tools. At the moment, I find LastPass more useful, despite its faults, as the sharing and browser integration are superior. If Passpack worked in the same way as LastPass (browser toolbar button rather than Passpack It bookmark and sharing passwords without revealing them) then I would probably move back. Moving between them is easy which is great.
Hope I’ve covered everything!
Really useful post, thanks.
From time to time, people move between Passpack and LastPass and it is always difficult to have info about their decision.
I understand your choice. But I disagree with you when you say:
This is a serious security hole. But it is really difficult to synthesise, so, as soon as possible, I will write a post about this problem. Stay in touch.
@Francesco: I’m not sure how this represents a security hole – can it be more insecure than allowing them to see the password? Look forward to reading your post about this.
@Fergus it’s a hole because it’s a misleading feature. You think that the other person cannot “see” the passwords although they can, even though there is no such button.
If you share a password (with Lastpass or any other tool), always assume the other party can read it in cleartext. And change the password after you stop sharing it; do not rely on the other party’s inability to “see” it.
I think you have a little typo here, I think image is meant to be imagine:
I’m not sure about your statement that LastPass is less secure because it has 1 password instead of 2. Two passwords of 8 digits in length are probably as secure as one password of 16 digits. I’m not sure that just having 2 passwords actually makes it any more secure. From reading the two sites security pages, it seems like they’re equally secure. Arguably, LastPass is more security paranoid in that they claim they don’t have access to your data, I don’t think that’s true of Passpack.
This is probably the biggest “true” security issue. If Passpack was significantly compromised, they could probably reveal your passwords to an attacker. According to the sales spiel, the same is not true of LastPass.
Thanks for sharing this stuff. I’m definitely thinking seriously about switching to one of these tools. But as you know, being both paranoid and open source obsessed, I’m not sure I want to put my data into a “black hole” of some proprietary company. I might instead use DropBox to sync an encrypted KeePass file between my various locations. I wonder if there’s a browser plugin for KeePass. LastPass has a browser plugin for Firefox Mobile, which is a very sweet feature.
Much food for thought…
@Callum: Thanks – fixed the typo.
The fact you need a password and an encryption key means that someone needs to get both to gain access to your account – to me that seems more secure. Someone needs to get 2 pieces of data from you rather than just 1.
Also, the fact that you enter your own encryption key means that your data is encrypted browser side before being sent to Passpack, and therefore I don’t think they have access to it.
Hello Fergus, I finally took the time to write a post about masked passwords and why they are a security hole: http://blog.passpack.com/2011/04/why-masked-passwords-are-a-serious-security-hole/
Thanks for writing that post – it helps me understand what you were talking about.
My understanding is that having a masked password feature gives you a false sense of security, because the masking is very easy to break (presuming you have a certain level of expertise to do so).
If this is the case, then presumably it is still slightly more secure than a non-masked password as anyone who can copy and paste (a lower level of expertise) can steal the password? Providing you update your passwords at the same frequency, then a masked one would provide a small security benefit as all people below the level of expertise required to reveal it would not be able to see it?
Let me know if that makes sense and if I understand your post correctly.
FYI You may want to take a bite out of your competitors for much more serious security issues: http://fer.gy/2011/03/18/serious-security-issues-with-lastpass/ – Lastpass continually cross-contaminates my data, including sharing sensitive passwords with people they are not supposed to be shared with. The lack of functionality to stop it automatically updating your stored information is a serious flaw. If Passpack had a browser plugin, could record more than 2 fields (ie more than username and password to login) and worked with Magento then it would be simply amazing.
The only case where a masked password is useful is in order to limit the risk of phishing.
Imagine that you share a password with a person that you consider not so smart. If he cannot copy the password he cannot paste it into a phishing site. Since he can only use the autologin functionality, and the autologin doesn’t recognise the site, you are safe.
I have to admit that I was doubtful about the possibility to introduce masked passwords only with this scope. But I talked with a lot of users and I understood that the risk that users would misunderstand its scope is high. So, for now I abandoned the idea.
The problem behind the request for masked passwords is the need for a real single-sign-on system, i.e. a system that allows access to a shared service without username and password, but just with some token.
The only way to build a web SSO is to engage the website owners and convince them to integrate in their platform some specific code.
I have the solution. So I could invest my time to build the technology. But the problem is: how can I reach the website owners (like the banks)?
OpenID failed with something that is definitely easier than that.
Facebook would have the force to try. And maybe they are thinking of trying. Who knows.
PS. I will think about your suggestions.
Hi Francesco – once again thanks for taking the time to reply.
Yes indeed, I had forgotten about the risk of phishing. We had an incident where our corporate eBay account was hacked and although we were using Passpack at the time, and so one of my staff may have copied and pasted the password, I don’t believe this was the case. Masked passwords certainly alleviate this risk.
Perhaps introducing the functionality with some kind of disclaimer, or making it a setting which you must activate before using may be useful for some users without giving others a false sense of security.
My overwhelming impression is that Lastpass is popular because it’s easy to use. That appears to also be its shortfall though – it’s too invasive and makes too many decisions itself. Making Passpack integrate more seamlessly with browsers and websites could make it easier to use, and therefore more popular.
In terms of security – it is less secure if you only use the standard security options. If you utilise the double authentication methods then the security becomes much greater. In addition, when using two-factor authentication you can specify certain authorised devices that will only use single-factor authentication.
For me this gives the best balance – you either need multifactor authentication for unknown devices, or single factor on my local device. I use the Yubi key option and must say that it is fantastic.
Hi Jon – can you let me know which system you are referring to?
You have three options with lastpass:
Free – Grid Multifactor Authentication – You basically get a grid of numbers and when you login you are challenged to provide the number at a certain grid reference.
Premium – LASTPASS SESAME – turns any USB key into multifactor authentication. It is a bit clunky as you have to open the app on the USB key, but it works.
Premium – Yubikey – you buy one or multiple USB yubikey devices. Works a bit like a chip and pin credit card. Each time you login to lastpass you plug in the yubikey and press the button. This adds a coded message into lastpass which gets checked against the security server owned by Yubikey. Each time you authenticate the code on the key changes.
So how do you all feel now that LastPass has been compromised? I don’t care how easy it is if it’s not secure.
I have also alluded to the security problems in their system: http://fer.gy/2011/03/18/serious-security-issues-with-lastpass/
Think I’ll need to make the firm move back to Passpack, although the fact it doesn’t work with Magento at the moment is a bit of a hurdle – hopefully that will be fixed soon.
Jonathan, I am a long time user of Lastpass and feel great about how they handled this situation. They were being extremely cautious and open about what happened – not many companies will do that especially when it may have an impact on their business!!
As I can find no follow-up on this incident it definitely seems like nobody’s info was compromised or accessed.
You can find a more detailed explanation of exactly what happened here http://blogs.computerworld.com/18265/four_things_you_should_know_about_lastpass
I also like the way they handled it transparently, but let’s not pretend they are careful. They were hosting their forum and support site on the same network as the application server before their compromise. That’s just careless.
Wow – were they really! I’m glad I moved back to Passpack in that case!
Fergus, Just came across your post. I appreciate the time and effort you took to evaluate, write-up, post & reply to questions and comments regarding password managers. Well Done.
Thanks! Glad you found it useful.
I really appreciate you taking time for writing this. It’s a very useful post.
I’ve tried both and find Passpack to have superior security. Many of my passwords lead to high-security information (banking institution records, attorney–client communications, evidence in criminal proceedings) and I can’t justify using Lastpass due to its lax security with password sharing.
Thanks for sharing. I definitely agree, and have just updated the above post to reflect 2 more blog posts I wrote afterwards.
Is no one concerned about the fact that PassPack only has 1 developer (out of two people working at PassPack)? What happens if he gets hit by a bus?
Yeah – very good point. I’m not sure if there are other people or not, but as long as your account is securely backed up, then the only downside would be loss of the service, rather than loss of data.
I’ve just found about Passpack through a friend who told me that this is what they use to share passwords at his workplace.
From looking through its site (but without using it), it looks pretty similar to LastPass (which I’ve been using happily for about a year now).
About LastPass security – how would LastPass’s use of Google Authenticator change your evaluation of its security? I feel pretty secure with it.
As far as I’m aware, the technical architecture of Passpack and Lastpass are very different, with Passpack being built in a more secure way (see their post on why they couldn’t have been hacked the way Lastpass got hacked). The way you interact with them is also quite different.
Passpack and Lastpass have supported 2 factor authentication for a long time, although it would be nice if Passpack also added Google Authenticator. Lastpass adding it doesn’t necessarily mean that the underlying system is any more secure than it was previously as far as I’m aware.
Personally, the issues I described in my follow up post about Lastpass security were by far enough to make me not use it again, unless things have changed significantly since I wrote that post.
Thanks for the reply.
Have you got LastPass to fix this? I’m asking because switching over to PassPack now could be a pain so I’d like to hear more evidence that this is necessary:
1. Googling a bit around about such an issue didn’t come up with anything.
2. Your “scary moment” post is from March 2011, that’s almost two years ago, is there a chance that it was fixed?
However, I just found the following post: https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details, which makes me concerned about LastPass’ attitude towards secure coding, then again it’s from around the same time as your post so maybe things have changed since.
Unfortunately I don’t remember what the outcome of my communication with Lastpass was at the time, but it’s probably detailed in the blog post linked above.
My thought on it would be that the appalling way they handled my support ticket (while I was a premium user with ‘Priority’ support) and the pretty much indifferent approach they took to the issue (and indeed the post you linked to) would suggest that it’s a deeper issue than a couple of bugs here and there, some of which may be more serious than others. I would suggest it’s a cultural issue at Lastpass where they appear not to take security as seriously as some other services.
As you suggest, this was all 2 years ago, so things may well be very different now. However, I would guess that culture is hard to change, so unless there have been some pretty substantial changes in the company, I would guess they’re not likely to be that reliable and they are not a company I would trust with my sensitive data (up to 650+ passwords).
On a side note, there hasn’t been much happening at Passpack for a wee while now. Very few blog posts, very few updates. It appears as though their founders are less invested in the project and I’m not sure what that means for its future. This is all my speculation, and it certainly still appears to be secure. The updates that have come out in the last 12 months have been about security issues so they still appear to be on top of the game, just not pushing the project forward with any significant momentum.
As it stands today, I’m still very happy using Passpack and have not seen anything which would encourage me to look for alternatives, so know little about developments of other services in the last couple of years.
Has anyone used Intuitive Password? It’s a new cloud-based password manager.