This is a follow-up on some comments left on the post announcing the Auto-login tool. The tool is only for PassPack users. This is an under-the-hood explanation of how it works.
Updated on Aug. 1, 2007
A quick recap
The PassPack It! button will automatically log you into a website listed in your PassPack account. Unlike browser-specific plugins, the PassPack It! button will work regardless of what browser you are using. In essence, it’s a hyped-up Bookmarklet.
Is the button user specific?
Yes. Only you can use your button. Someone else’s button won’t work for you, you must use your own.
You can install it on as many computers as you’d like. There are no limits. You also have the option of activating, or deactivating, all of your buttons worldwide.
Will PassPack track what sites I connect to?
No, we’re not interested in your browsing habits. The button works off a common database that stores the URLs of recognized websites and the structure of each site’s login form. The database enables the button to know how to log in to a specific website – no information on who visits that link is stored.
For security purposes, we need to be able to track down anyone who attempts to abuse the system. To help us do so, we store information that may help us identify the account that registered the site with PassPack using the teaching process. No data is saved, however, on those who simply visit the site or log in to it. Teaching is optional.
Can I use it without opening PassPack?
No. You must click on either the Go There button in your PassPack Entry, or the Go button in your password manager list (more info here). Doing this sets off a complicated process (see next question) which will allow the Button to work only for the specified website, and only for you.
How does my data get to the website?
It’s a very sophisticated process, with a bunch of twists and turns to keep hackers out. I’ll outline the process here to give you the general idea, but be aware that this is a highly simplified explanation:
- You click through to the website from your PassPack account. Your browser makes an encrypted mini-pack and sends it, together with the URL for the website, over HTTPS to the PassPack server.
- The PassPack server temporarily saves this and attaches a 100 second timer to it – like all of your data, not even PassPack staff can read it.
- Simultaneously, but in a totally separate process, the link is opened in a new browser window – not directly though, first it passes (via HTTPS) through the PassPack server which does a little obfuscation so that the receiving website doesn’t know you clicked through from PassPack, let alone an open PassPack account.
- Nothing else happens at this point unless you click your PassPack It! button. Once you do, a bit of JavaScript is inserted directly into the webpage that you want to log into. There is an exchange with the PassPack server (via HTTPS) and, if the URL is activated and the 100 seconds have not expired, it gets the encrypted mini-pack and the instructions on how to fill in this particular website’s login form. Using JavaScript, the button fills in and submits the form for you.
- From here, the website takes over as it normally would, acting exactly the same way as if you had manually typed in your user and password and pressed “log in”.
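The five steps above as a runnable model of the server’s side of the exchange (an added example, not PassPack’s code): the mini-pack is treated as opaque bytes already encrypted in the browser, the recognized-site database is a constructed one-entry dictionary, and handing a stash out only once is an assumption the post does not state.

```python
import time
from dataclasses import dataclass

TTL_SECONDS = 100  # the 100-second timer the post attaches to each mini-pack

# Stand-in for the "common database" of recognized login forms. Constructed sample
# entry, not a real site: selectors tell the bookmarklet which fields to fill.
FORM_RULES = {
    "https://login.example.test/": {"user": "#username", "pass": "#password", "submit": "form"},
}


@dataclass
class Stash:
    blob: bytes      # the encrypted mini-pack; opaque to the server (host-proof)
    url: str         # the site the user clicked through to
    created: float   # when the stash was made, for the 100-second timer


class RelayServer:
    """Models the server-side gate between 'Go There' and the PassPack It! button."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so the timer can be tested
        self.stashes = {}           # user_id -> Stash (one pending login per user)
        self.active = set()         # users whose buttons are switched on worldwide

    def activate(self, user_id):
        self.active.add(user_id)

    def deactivate(self, user_id):
        self.active.discard(user_id)

    def go_there(self, user_id, url, encrypted_minipack):
        # Steps 1-2: browser sends blob + URL over HTTPS; server stores it and starts the timer.
        self.stashes[user_id] = Stash(encrypted_minipack, url, self.clock())

    def button_pressed(self, user_id, page_url):
        # Step 4: the bookmarklet asks for the blob and form instructions. They are released
        # only if this user's buttons are active, the page matches the pending URL and the
        # timer has not run out. Anything else gets nothing, not even an error detail.
        stash = self.stashes.get(user_id)
        if stash is None or user_id not in self.active or stash.url != page_url:
            return None
        if self.clock() - stash.created > TTL_SECONDS or page_url not in FORM_RULES:
            self.stashes.pop(user_id)       # expired or unknown form: drop the stash
            return None
        self.stashes.pop(user_id)           # assumption: a stash is handed out once only
        return stash.blob, FORM_RULES[page_url]
```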
I thought it was simpler.
It reminds me of that login-through-proxy mechanism we somehow talked about.
I thought it was mostly client side, but now I recognize that the server side is dominant.
@Delta Pi
Well, I suppose that’s good that you thought it was simple – that means that it must be fairly simple to use. :)
Yes, this looks complicated and (always) requires two clicks – “Go there” and the “Smart Button”. I don’t feel that this post completely justifies the two clicks. You mention that the page is opened “[…] through the PassPack server which does a little obfuscation so that the receiving website doesn’t know you clicked through from PassPack […]”. What more do the two clicks add than removing the referer header (which can be done by browser plugins or proxies)?
I also just noticed that you have gotten a new competitor – http://www.clipperz.com/ – which offers “Direct Login” which is simpler (it seems) and requires just one click. What is better/more secure with the “Smart Button”? And maybe you could say something about why PassPack is better than Clipperz – if you are? The technical solutions look very similar …
Happy Easter from Norway!
Hello Hans,
You’ve asked many good questions. I will work on some detailed replies for you and I’ll post links here.
A quick note on Clipperz: they’ve been around for a while. They’ve recently launched a new version, so they are doing some publicity on our coat-tails. I’ll prepare a full comparison for you though. There are quite a few similarities, and just as many differences.
Thanks and let me know if you have any other questions in the meantime.
Tara
@Hans
I just wanted to let you know that we’ve published the comparison with Clipperz here:
https://passpack.wordpress.com/2007/04/10/passpack-and-clipperz-the-difference/
On the Smart Button, based on the first round of user testing, we’re making many changes. The basic functionality remains the same, but I’d like to refrain from further explanations until development has settled down a bit. I *will* however answer your questions once that happens.
Cheers,
Tara
UPDATE – AUG. 14, 2007
The publicly released version of PassPack’s Auto-login fully complies with Host-Proof Hosting, and is no exception to PassPack’s general security. Here’s how it works.
The information previously contained in this comment is no longer valid and has been removed as it was causing some confusion.
Thanks for the response. I have mixed feelings about this issue. I’m currently trying out both PassPack and Clipperz, and I see how you would like to improve on the way that Clipperz handles this – there is clearly room for improvement, and maybe a browser extension is the way to go.
Ideally, I would like to be able to store information for 5-10 years without worrying about its security; 10 years is a long time online and companies change as they grow. It’s not so much that I don’t trust PassPack – I don’t trust the system. It seems like the greater threat isn’t that PassPack would make copies of my data but that having this system architecture reduces the barriers to hackers obtaining my data.
I guess my suggestion would be to step back from the web interface a bit. The service you provide would be useful in many more contexts than a web page. I would LOVE to see a well-documented public API and SDK’s in a few languages (C, Python, maybe Java). This would allow PassPack to be integrated directly into other software. I could see PassPack being developed into an OSX Keychain plugin or being used to provide access to encrypted partitions on thumbdrives or storing SSH keypairs. I use three computers on a daily basis – maintaining consistent security policies between the 3 is a PITA – I would love to be able to connect all three to PassPack and be done with it.
Which is to say I think a browser plugin would be an ideal solution ;)
It’s taken a lot (make that TONS) of discussion and tweaking to get to this point. It really is about being able to offer a solution that will log you into as many types of websites as possible. It’s amazing just how different two login forms can be. This tool covers the vast majority of them.
So, yes, you could say we have mixed feelings about it too. That’s why we’re going to inform users and let each person choose for himself. Of course, should we ever have any doubt as to whether or not it’s safe, we’d pull it – without blinking.
APIs: yes, on the radar. We’ve got quite a tight release schedule planned, and the API is actually quite a ways along. There are many big twists and turns that need to be made before we get there. But we’ll get there.
Keep those suggestions coming. It’s refreshing. :)
I’m not seeing the following addressed and have had problems before: Typepad – multiple accounts, same login address, requires a different username and a different password for each account. I do not use the save-cookies option, so it always asks for the login info. But: does PassPack handle multiple auto-logins for the same login address for the same PassPack user account? I now have 3 different manual account logins for the Typepad login address, and they work fine. My fear is that PassPack might assume that one login address has only one login for the PassPack user, which would then auto-log into a fixed Typepad account of mine, and thus auto-login for Typepad would not work.
NOTE: the blog does not print properly on IE6; wish it would.
@Michael
If you create a different entry in your PassPack account for each Typepad login, then you should have no problems using the auto-login.
Did that answer your question?
On IE6: Thanks for the heads up.