11 responses to “Auto-login: Under the Hood”

  1. I thought it was simpler.
    It reminds me of that login through proxy mechanism we somehow talked about.

    I thought it was mostly client side but now I recognized that server side is dominant.

  2. @Delta Pi
    Well, I suppose that’s good that you thought it was simple – that means that it must be fairly simple to use. :)

  3. Hans Nordhaug

    Yes, this looks complicated and (always) requires two clicks – “Go there” and the “Smart Button”. I don’t feel that this post justifies completely the two clicks. You mention that the page is opened “[…] through the PassPack server which does a little obfuscation so that the receiving website doesn’t know you clicked through from PassPack […]”. What more do the two clicks add than removing the referer header (which can be done by browser plugins or proxies)?

    I also just noticed that you have gotten a new competitor – http://www.clipperz.com/ – which offers “Direct Login” which is simpler (it seems) and requires just one click. What is better/more secure with the “Smart Button”? And maybe you could say something about why PassPack is better than Clipperz – if you are? The technical solutions look very similar …

    Happy Easter from Norway!

  4. Hello Hans,
    You’ve asked many good questions. I will work on some detailed replies for you and I’ll post links here.

    A quick note on Clipperz, they’ve been around for a while. They’ve recently launched a new version so they are doing some publicity on our coat-tails. I’ll prepare a full comparison for you though. There are quite many similarities, and just as many differences.

    Thanks and let me know if you have any other questions in the meantime.
    Tara

  5. @Hans
    I just wanted to let you know that we’ve published the comparison with Clipperz here:
    https://passpack.wordpress.com/2007/04/10/passpack-and-clipperz-the-difference/

    On the Smart Button, based on the first round of user testing, we’re making many changes. The basic functionality remains the same, but I’d like to refrain from further explanations until development has settled down a bit. I *will* however answer your questions once that happens.

    Cheers,
    Tara

  6. UPDATE – AUG. 14, 2007

    The publicly released version of PassPack’s Auto-login fully complies with Host-Proof Hosting, and is no exception to PassPack’s general security. Here’s how it works.

    The information previously contained in this comment is no longer valid and has been removed as it was causing some confusion.

  7. UPDATE – AUG. 14, 2007

    The publicly released version of PassPack’s Auto-login fully complies with Host-Proof Hosting, and is no exception to PassPack’s general security. Here’s how it works.

    The information previously contained in this comment is no longer valid and has been removed as it was causing some confusion.

  8. Thanks for the response. I have mixed feelings about this issue. I’m currently trying out both PassPack and Clipperz, and I see how you would like to improve on the way that Clipperz handles this – there is clearly room for improvement, and maybe a browser extension is the way to go.

    Ideally, I would like to be able to store information for 5-10 years without worrying about its security; 10 years is a long time online and companies change as they grow. It’s not so much that I don’t trust PassPack – I don’t trust the system. It seems like the greater threat isn’t that PassPack would make copies of my data but that having this system architecture reduces the barriers to hackers obtaining my data.

    I guess my suggestion would be to step back from the web interface a bit. The service you provide would be useful in many more contexts than a web page. I would LOVE to see a well-documented public API and SDKs in a few languages (C, Python, maybe Java). This would allow PassPack to be integrated directly into other software. I could see PassPack being developed into an OSX Keychain plugin or being used to provide access to encrypted partitions on thumbdrives or storing SSH keypairs. I use three computers on a daily basis – maintaining consistent security policies between the 3 is a PITA – I would love to be able to connect all three to PassPack and be done with it.

    Which is to say I think a browser plugin would be an ideal solution ;)

  9. It’s taken a lot (make that TONS) of discussion and tweaking to get to this point. It really is about being able to offer a solution that will log you into as many types of websites as possible. It’s amazing at just how different two login forms can be. This tool covers a vast majority of them.

    So, yes, you could say we have mixed feelings about it too. That’s why we’re going to inform users and let each person choose for himself. Of course, should we ever have any doubt as to whether or not it’s safe, we’d pull it – without blinking.

    APIs: yes, on the radar. We’ve got quite a tight release schedule planned, and the API is actually quite a ways along. There are many big twists and turns that need to be made before we get there. But we’ll get there.

    Keep those suggestions coming. It’s refreshing. :)

  10. I’m not seeing the following addressed and have had problems before: Typepad – multiple accounts, same login address, requires different username and different pw for each account / I do not use the save cookies option so it always asks for the login info / but: does PassPack handle multiple auto logins for the same login address for the same PassPack user account? [I now have 3 different manual account logins for the Typepad login address, and they work fine / my fear is that PassPack might assume that one login address has only one login for the PassPack user / which would then autolog into a fixed Typepad account of mine, and thus auto login for Typepad would not work]

    NOTE: blog does not print properly on IE6; wish it would

  11. @Michael

    If you create a different entry in your PassPack account for each Typepad login, then you should have no problems using the auto-login.

    Did that answer your question?

    On IE6: Thanks for the heads up.
