34 responses to “Password Security & Packing Keys

  1. Marco Barulli

    Dear Tara,
    at Clipperz we are working on a similar project.
    It’s nice to see other people betting on the success of “browser cryptography”!

    With regard to authentication, we opted for a more sophisticated approach that does not require to send the password, or even an “hashed and salted” password to the server. Our registered users will have just one password (better a passphrase) that can be used for both authentication and encryption.

  2. Hi Marco,
    I actually paid a visit to your site yesterday. Nice work – and thanks for the link on the home page. :)

    We opted away from single key authentication for a couple of reasons. Not the least of which is to allow us more flexibility towards the future. Just as AES replaced DES, something will, someday, replace AES. The double key approach allows us to evolve and change our algorithms as time goes by – without having to cancel the user data. You can do that since you’re in sneak preview mode, but we’re moving towards a commercial system and that’s just not a viable option for us.

    The page you linked is a wonderful resource for those looking to better understand the algorithms used, so thats for taking the time to post that. Have you had a look at Passlet.com yet? Parvez has found some nice solutions and is quite nice and helpful. It’s great to see that this field is so open to collaboration. I’m looking forward to bouncing ideas off you in the future!

  3. Hi, nice work, but
    “Your Packing Key never travels over the internet. And it certainly never gets saved to our server.”
    Where is it keeped ? in a cookie ?

  4. @Joe
    Using a cookie to store the Packing Key would be very unsafe. We don’t do that.

    The Packing Key is not saved anywhere. The system is able to check that the Packing Key is correct by trying to unpack the data with it: if the result is a jumbled mess, then the Packing Key was incorrect; if the result makes sense, then the Packing Key was correct and you are shown your data. All of this happens in the browser.

    Once the Packing Key has been correctly entered, it is temporarily stored in your browser’s memory. It is removed from memory as soon as: (a) you sign out, (b) you “pack it up” or (c) after 2 minutes of inactivity the application automatically locks up.

    Let me know if you’d like more info.

    Thanks for the “nice work”!

  5. Glad to know that you don´t use cookies, although I saw that you have writed some cookie on my browser with some key, maybe only needed by the website ?

    “if the result makes sense”…I suppose you check this with a flag along the data ?

    Thanks :)

  6. @joe
    Yes, the cookie you see is automatically set by the browser when a server-side session is opened and it contains the sessionid. These cookies expire as soon as the browser window is closed.

    Without going too much into detail, here’s how we handle server-side sessions: On the server, no other information is associated with this session – for example, many sites also store variables like User ID or Password in the session, we don’t do that. The session is used exclusively to thwart attempts at forcing the Ajax functions to run outside of the PassPack application itself. I hope that makes sense.

    Re: “if the result makes sense” – The system takes the results, and check to makes sure that it conforms to a specific syntax. in particular, it should look like a JavaScript object. If the results do not adhere to this syntax and therefore the system deuces that the Packing Key was incorrect. Rest assured, we don’t use any eval() in that process as that would be unsafe.

  7. Pingback: PassPack: Secure Online Password Manager » D’ Technology Weblog — Technology, Blogging, Gadgets, Fashion, Life Style.

  8. Pingback: PassPack Password Manager | The Privacy Guy

  9. Pingback: PassPack - Online Password Manager with Packing Key

  10. Pingback: PassPack Your Passwords: Get Them Anywhere, Securely and Freely

  11. What are the character limits (the length and acceptable character sets) for the user name, password, and packing key?

  12. Hi Bob.
    Here’s some info…

    Character set:
    The full UTF-8 character set is fine for all three.

    Maximum Lengths:
    User ID: 32 characters
    Pass: 32 characters
    Packing Key: 64 characters

    Minimum Lengths:
    User ID: 2 characters
    Pass: 64 bit (quality)
    Packing Key: 80 bit (quality)

    You’ll notice the minimum requisites for the Pass and Packing Key aren’t expressed in number of characters, but rather a quality rating.

    How quality ratings work

    Let me know if you have any other questions.

  13. Hello,

    I have got a question for you :

    what is the most important ? The packing key or the password ?

    I explain : by comparing my password and my packing key, I noticed that the PWD quality is better than the PK one (110/83).

    I suppose the PK is most important (the real way to see my passwords). Do you advice me to change this ?


  14. @szdavid
    The Packing Key is absolutely, positively the most important.

    The easiest way to make a good one is to use a sentence. For example:

    My 1st phone number was hard to remember.

    That’s easy to remember, easy to type, yet scores 154 quality. Non-english languages are usually easier to score higher with since they use accented letters. Here’s an Italian sentence:

    Mi è difficile ricordare il numero di telefono.

    That scores a 188 quality.

  15. Hi, thank you so much for the answer and having tell me by email.

    Okay, so I will change my packing key.

    The problem with letters with accents such as éèê,… is when you are abroad : difficult to get these characters


  16. @szdavid
    You’re quite welcome.

    When you’re traveling, you can also try using Disposable Logins:


    Those don’t use accented letters :)

  17. Hi,

    I had a few questions regarding the unpacking of data. How does the unpacking work? When I enter the packing key, what happens? Does my packing key leave the browser in plain text (albeit over HTTPS)? If it doesn’t, how does the process work?



  18. Hello Pritesh.
    The Packing Key *never* leaves the browser. The Packing Key is used by the application in your browser window to encrypt your passwords. Once that’s complete, then the encrypted pack gets sent to the server for storage – but not the packing key.

    When you sign in (User ID and Pass), PassPack sends the encrypted pack back to your browser. This you is when you are asked to insert your packing key.

    Again, the Packing Key doesn’t get sent to the server, it’s only used by the browser to try and unpack your data:

    * If the result is nonsense, then it knows that the Packing Key was incorrect and tell you so.

    * If the result makes sense, then it knows the Packing Key was correct and shows you your passwords.

    Does that help? Let me know if something isn’t clear.


  19. Rob Gardner


    When the packing key is used to encrypt and decrypt data on the client, is the AES algorithm used, or is that just on the server side? If not, what strength encryption algorithm due use prior to transmitting data down the wire?


    Rob Gardner

  20. Hello Rob,
    Yes, we use a Javascript implementation of AES-256 in the browser:


    You can find a list of all the libraries we use here:



  21. Hello,

    I just tried the Passpack it tool and it’s really neat. Good stuff guys! Just wondering how it logs me in without asking to enter the packing key though, is the packing key stored in a cookie as that seems to be the best bet. If it’s saved in a cookie, when does the cookie expire? How safe is it?

    It’s really neat, but is it safe?



  22. Hello Pritesh,
    Thanks, glad you’re enjoying PassPack (I love hearing that).

    The autologin does not use cookies, nor does it store your passwords in the button. It’s in full compliance with Host-proof Hosting, which means that even during auto-login, not even PassPack is able to intercept or read your login information.

    There’s some more info here.

    Read throguht that artcile, then let me know if you have any more questions. I’ll be happy to answer.


  23. Hello,

    I’m confused about something. You say

    “The Packing Key is not saved anywhere. ”

    and then

    “Once the Packing Key has been correctly entered, it is temporarily stored in your browser’s memory.”

    This seems like a contradiction?

    And once the passwords are unpacked, where are they stored? I’m guessing they’re stored in Javascript variables so you don’t need cookies since you’re doing everything with AJAX?



  24. Hi Jerry,
    Yes, everything is maintained in Javascript variables for the time that your pack is “open”.

    “The Packing Key is not saved anywhere.” — Once you sign out, or lack up your account, it’s removed from memory, not saved in a plugin, file or cookie. It’s never sent to the server either.

    I hope that makes sense. Let me know if you’d like me to clear that up further for you.


  25. Pingback: PassPack, la gestion de vos accès en ligne | Szdavid's Blog

  26. Tara, You say “These cookies expire as soon as the browser window is closed” in your Jan. 10th exchange with @joe.

    Now that tabbed browsers are normal, does the cookie expiration linger after a tab is closed even if no other tabs remain connected to the same domain with an ongoing need for the same cookie?


  27. Wow I stumbled across this service while looking for a way to save passwords at work. As bookkeeper I won’t be able to use this service for work but decided to give a shot at home. I’m feeling pretty dumb since I have spent the last couple hours reading help files and tutorial videos just to understand some basics. In the past, to access my 150+ passwords remotely, I would keep a password encryption program in Briefcase and download it where I needed it. That didn’t work at cybercafés and libraries. This service would work anywhere and seems safer and maybe after more reading I might actually be able to use it without bringing a manual along. One would think after working as tech support for 7 years I’d get it quickly but I didn’t. It looks like it has some nifty possibilities. It’s after 1 AM and had no luck with PassPack Offline Version so I will save that for another day.

  28. I want to ask that how can i confirm that my packing key is not leaving my browser and everything is being implemented on client side. If everything (all encryption and decryption) is done on client side then how it is safe. Hackers can hack the client side code if any intruder is working on my pc.

  29. Pingback: Host-Proof Hosting « Passpack Blog

  30. I am a bit puzzled as to why you need to bother your users to choose and remember a password? Could that not be, too, derived from the “packing key passphrase” as in, e.g. pass=Hash(userID, passphrase)? (just an example; many alternatives are possible here).

    (of course calculated by code on the client side, just to be consistent with your “HPH” approach)


  31. Pingback: How Passpack and OpenID can complement each other? « Passpack Blog

  32. Pingback: Passpack Security Just As Strong With OpenID « Passpack Blog

  33. Good information. Lucky me I discovered your site by chance (stumbleupon).
    I’ve bookmarked it for later!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s