A Disposable Login is a set of Pass and Packing Key that you use once, and then it gets thrown away. Disposable Logins help protect your PassPack Account when using a public computer (like in an internet point).
Disposable Logins are sometimes referred to as One Time Passwords, or OTP for short. However, at PassPack you get more than just a single-use password, you get a Pass/Packing Key combination… so we prefer “Disposable Login”. [smile]
What Disposable Logins Protect Against
Since PassPack is available 24/7 via Internet, it is perfect for use both at home, and on the road. However, when traveling you may need to use a public computer.
These public computers may contain programs that record and save all of the information you input into web forms. If you were to use your normal Pass and Packing Key to access your PassPack account from a computer which uses such an auto-form filler, you would be giving away the “keys to your kingdom”.
By using a Disposable Login however, you can prevent this from happening. Remember - once you use a Disposable Login, it can never be used again. So even if your disposable Pass and Packing Key get “captured”, they are useless.
For an extra dash of security, Disposable Logins have an expiration date that you can set yourself. Unused Disposable Logins will be automatically deleted once they expire.
How to set up Disposable Logins with PassPack
You should set up your Disposable Logins before traveling. It’s very fast and easy. Sign in to your PassPack account as usual, and click the Disposable Login link under the Account Tab. Press the Generate button and you’ll see a screen like the one below.

Choose the number of Disposable Logins that you want to create and when they should expire (again, use the plus and minus buttons). Then press the Generate button. You’ll see the list of generated codes; press the Print button (there is no way you will be able to memorize them - they look like a bunch of nonsense). A tiny, anonymous-looking window will open. Print it as you normally would.
Store your printout in a safe place together with your travel documents, or clip it and put it in your wallet.
How to use your Disposable Login
Connect to https://www.passpack.com as you normally would. Be very careful that you type that correctly, as the Anti-phishing welcome message won’t work while you are away. Make sure you have your printout of your Disposable Logins with you. Then follow these steps.
On the Sign In page, enter your same User ID as always, then choose a row from your list of Disposable Logins.

Insert a Disposable Pass instead of your usual Pass, then the matching Disposable Packing Key instead of your usual Packing Key.
Cross off the entire row on your printout - this combination will never work again.
You should see your Entries as you normally would. For security reasons, you cannot use the Account, Security or Tools tabs while you are signed in with a Disposable Login.
Technorati Tags: PassPack, password manager, passwords, security, lifehack, security, one time password
20 Comments
One other option is to use Portable Apps (http://portableapps.com) on a USB drive. Still, disposable logins is a cool idea.
@Abey
Sure, there are plenty of applications that run off a USB drive, particularly password managers. The problem with these is that you aren’t always allowed to insert your USB drive in public computers. Then what?
I’ve heard roboform users complain about this in the past.
This is a really good idea - this will definitely be useful when I have to resort to public terminals.
Thanks
@Toby
I’m glad you like it. Please try it out and let me know what you think. Is it easy to use? Is there anything confusing? Anything that could be improved?
We thrive on feedback!
Thanks to you,
Tara
True. If you are stuck with a disabled USB drive then something like disposable logins is a good security precaution.
Great..
I just played with it and liked the way it’s implemented. It’s nice to see you guys trying to make it as secure as possible in every way you can. The Disposable Login is a really cool idea.
@Raghu
I’m glad you like it. :) Thanks for the kind words.
Your disposable login is a great idea! However, how about more logins that would:
close the account for 1,2,3 .. days
close off all unused disposable logins
show last few attempted logins (date time)
I’m not a glutton for memorizing yet more logins, but these are what I need when I travel to give me protection against theft and some confidence that my account is not being hammered on.
Can do?
@Carls
Thanks, I’m glad you like it. And thank you too for the suggestions. Here’s a quick reply:
>> close the account for 1,2,3 .. days
Interesting. I’ll add that to the suggested features list
>> close off all unused disposable logins
There is a Delete button that will do this (only visible if you have unused logins available). Here’s a screenshot: Disposable Login - Delete Unused Logins
>> show last few attempted logins (date time)
We will be adding some logs items, but there is no timetable on that yet. I’ll add a note that this has been requested again.
Thanks again and keep those ideas coming!
Cheers,
Tara
If you use AES, how do you generate a OTP? Do you decrypt and then re-encrypt the data, so the user has a permanent and a temporary entry in your database?
Hi Paul,
I’m not sure if your question was to understand whether or not we are able to read your OTPs (we can’t), or if you are interested in knowing the technical details of how we accomplish this.
The OTP is created in the browser (not the server) with AES encryption. The Packing Key is never sent to the server, OTPs do not have database entries per se and PassPack can’t “look up” your OTPs.
The way the browser understands if a Packing Key is correct is that it attempts to decrypt the data. If the result has the expected format, then the key was correct. If not, the key was not correct. That basic procedure doesn’t change regardless of whether it’s the original Packing Key, or the disposable Packing Key.
The technical details of how this all works are far beyond the scope of a blog comment. Now that we’re finishing up the server transfer, we’ll be able to dedicate more time to building a developers center. The specs on the OTP are one of the topics we’ll cover, as well as details on the anti-phishing mechanism and more.
@Tara:
If the data is encrypted using AES, then only one key is able to decrypt it. From what I have been reading, this one key should be the packing key. The OTP idea is great, but this makes me believe that the data is not actually encrypted using the packing key as the key to the AES algorithm. What happens? Are the packing key and OTP keys used to decrypt the real key? If this is the case, wouldn’t it be possible to determine the real key from memory when it is decrypted using an OTP?
Thanks,
Brad
This is a great idea. I read about it on one of the Lifehacker comments on secure passwords while travelling and am signing up because of this feature!
I also found your service from Lifehacker and think it’s great so far. I’ve definitely changed all my oft-used passwords to secure ones already (although I don’t know any of my passwords now). One thing I have a question about is the maximum number of disposable logins you can have at once. It seems like 3 might be too low a limit if you’re planning to be on vacation and use public kiosks for a while. I know that there are security concerns if you have a printout of all your disposable logins, defeating the purpose of all the other security features if the sheet is lost or stolen, but the megaparanoid geek in me would probably write the passwords on separate sheets of paper or something so you can’t lose them all at once. Other suggestions for keeping your set of disposable logins are also welcome.
@Richard
I think we’ll actually be setting the limit at 10 with the Beta 6 release.
Thanks for the feedback - and welcome aboard!
Cheers,
Tara
I like the disposable login idea, however, I would still like the option of using a USB key for a physical verification of the user. Ideally, this would be an option, so you could choose not to use it (when traveling or accessing computers where you can’t plug in the USB).
This way, even if a computer had a key logger, without the USB key, you couldn’t access the account.
I really like PassPack and would also gladly pay a usage fee for some extra features, I would very much like to see:
- Physical and software OTP token and an option to have more than one per account (e.g. one for me and one for my wife) and an option to use a simple code + the OTP
- Software based offline version
- time-limited/infinite 3rd party limited access to items I choose
@Dan
The disposable logins will protect you from keyloggers - but yes, we’re looking into different two factor authentication options. Many people have asked for this.
@Erez
Great ideas. For sharing your account with your wife, that’s fine but you may also be interested in our Sharing feature (not yet released).
I’d imagine that there would only be one token per account, but having sharing across two accounts would resolve that. You would each have your own account, own token, and share only what needs to be shared between you.
On the software based offline version. We have the Google Gears Offline Version. That’s a start… we’ll evolve the offline version with time.
Let me know if you have more questions, and keep the suggestions coming!
Cheers,
Tara
I have been having fun……
I thought last night “what other method could I use to write these OTPs down”? so I have come up with an idea.
It is quite difficult to explain although it is a fairly simple idea.
Have a look at the `starwheel` that I have just done with m$ publisher.
http://barefootcoder.com/tmp
[@Tara- If you like this jpg please put it on your server somewhere]
Pick a start point on the outer wheel and remember (sorry!) the number next to it, now hand write each passphrase character going clockwise (or anti-clockwise, your choice!) around the outside of the star.
Next, pick a start point for your packing key. (This could be the same as the passphrase but would be much less secure.) Now start hand writing each character (again, clockwise or anti-clockwise) (don’t forget which way you go) around the inside of the star.
There you have it.
You will end up having a meaningless piece of paper to everyone else.
All you need to remember (again sorry!) is, for example,
`6 clock 9 anti`
I know it’s not perfect but it is better than just printing the codes.
Am I right in thinking that there are 32^32=1024 possibilities of reading your codes with this idea?
Anyway I have tried it and it works fine. By all means print this starwheel out and have a go. The jpg is a little big and it could be shrunk a bit.
Hints:
- Underline any lower case letter.
- Make sure you cross through a zero.
Variations:
- Use pictures instead of numbers.
- Use a ship’s-wheel design instead of a star.
I hope this helps anyone
Have fun.
pj
What if you offered a SecurID service? That way you would need to enter your unpacking code + a token that is on an RSA SecurID that you carry with you. That way even if a keylogger discovered your packing key, it would only work until your token changes (which is about every 30 seconds I believe). I know this service requires hardware on your end and the token that I would need isn’t cheap, but I would gladly pay for it.
2 Trackbacks/Pingbacks
[...] worked even over Easter, putting a new feature for PassPack online. It is the disposable login, that is, the ability to create a temporary login to access the account of [...]
[...] You can read more about this feature at PassPack’s blog posting about OTP’s: http://passpack.wordpress.com/2007/04/09/passpack-disposable-logins-otp/ [...]