31 responses to “PassPack Disposable Logins (OTP)

  1. One other option is to use Portable Apps (http://portableapps.com) on a USB drive. Still, disposable logins is a cool idea.

  2. @Abey
    Sure, there are plenty of applications that run off a USB drive, particularly password managers. The problem with these is that you aren’t always allowed to insert your USB drive in public computers. Then what?

    I’ve heard roboform users complain about this in the past.

  3. This is a really good idea – this will definitely be useful when I have to resort to public terminals.


  4. @Toby
    I’m glad you like it. Please try it out and let me know what you think. Is it easy to use? Is there anything confusing? Anything that could be improved?

    We thrive on feedback!
    Thanks to you,

  5. True. If you are stuck with a disabled USB drive then something like disposable logins is a good security precaution.

  6. Pingback: Nicola Mattina Blog » Blog Archive » PassPack: si lavora anche a Pasqua

  7. Great..

    I just played with it and liked the way it’s implemented. It’s nice to see you guys trying to make it as much secure possible in any way as you can. The Disposable Login is a real cool idea

  8. @Raghu
    I’m glad you like it. :) Thanks for the kind words.

  9. Pingback: More PassPack News | The Privacy Guy

  10. Your disposable login is a great idea! However, how about more logins that would:

    close the account for 1,2,3 .. days
    close off all unused disposable logins
    show last few attempted logins (date time)

    I’m not a glutton for memorizing yet more logins, but these are what I need when I travel to give me protection against theft and some confidence that my account is not being hammered on.

    Can do?

  11. @Carls
    Thanks, I’m glad you like it. And thank you too for the suggestions. Here’s a quick reply:

    >> close the account for 1,2,3 .. days
    Interesting. I’ll add that to the suggested features list

    >> close off all unused disposable logins
    There is a Delete button that will do this (only visible if you have unused logins available). Here’s a screenshot: Disposable Login – Delete Unused Logins

    >> show last few attempted logins (date time)
    We will be adding some logs items, but there is no timetable on that yet. I’ll add a note that this has been requested again.

    Thanks again and keep those ideas coming!

  12. If you use AES, how do you generate a OTP? Do you decrypt and then re-encrypt the data, so the user has a permanent and a temporary entry in your database?

  13. Hi Paul,
    I’m not sure if your question was to understand whether or not we are able to read your OTPs (we can’t), or if you are interested in knowing the technical details of how we accomplish this.

    The OTP is created in the browser (not the server) with AES encryption. The Packing Key is never sent to the server, OTPs do not have database entries per se and PassPack can’t “look up” your OTPs.

    The way the browser understands if a Packing Key is correct is that it attempts to decrypt the data. If the result has the expected format, then the key was correct. If not, the key was not correct. That basic procedure doesn’t change regardless of whether it’s the original Packing Key, or the disposable Packing Key.

    The technical details of how this all works is far beyond the scope of a blog comment. Now that we’re finishing up the server transfer, we’ll be able to dedicate more time to building a developers center. The specs on the OTP are one of the topics we’ll cover, as well details on the anti-phishing mechanism and more.

  14. @Tara:
    If the data is encrypted using AES, then only one key is able to decrypt it. From what I have been reading this one key should be the packing key. The OTP idea is great, but this makes me believe that the data is not actually encrypted using the packing key as the key to the AES algorithm. What happens? Is the packing key and OTP keys used to decrypt the real key? If this is the case, wouldn’t it be possible to determine the real key from memory when it is decrypted using a OTP?


  15. This is a great idea. I read about it on one of the Lifehacker comments on secure passwords while travelling and am signing up because of this feature!

  16. I also found your service from Lifehacker and think it’s great so far. I’ve definitely changed all my oft used passwords to secure ones already (although I don’t know any of my passwords now). One thing I have a question about is the maximum of disposable logins you can have at once. It seems like 3 might be too low a limit if you’re planning to be on vacation and use public kiosks for a while. I know that there are security concerns if you have a printout of all your disposable logins, defeating the purpose of all the other security features if the sheet is lost or stolen, but the megaparanoid geek in me would probably write the passwords on separate sheets of paper or something so you can’t lose them all at once. Other suggestions of keeping your set of disposable logins are also welcome.

  17. @Richard
    I think we’ll actually be setting the limit at 10 with the Beta 6 release.

    Thanks for the feedback – and welcome aboard!


  18. I like the disposable login idea, however, I would still like the option of using a USB key for a physical verification of the user. Ideally, this would be an option, so you could choose not to use it (when traveling or accessing computers where you can’t plug in the USB).
    This way, even if a computer had a key logger, without the USB key, you couldn’t access the account.

  19. I really like PassPack and would also gladly pay a usage fee for some extra features, I would very much like to see:

    – Physical and software OTP token and an option to have more than one per account (e.g. one for my and one for my wife) and an option to use a simple code+the otp
    – Software based offline version
    – time/infinate 3rd party limited access to items I choose

  20. @Dan
    The disposable logins will protect you from keyloggers – but yes, we’re looking into different two factor authentication options. Many people have asked for this.

    Great ideas. For sharing your account with your wife, that’s fine but you may also be interested in our Sharing feature (not yet released).

    I’d immagine that there would only be one token per account, but having sharing across two account would resolve that. You would each have your own account, own token, and share only what needs to be shared between you.

    On the software based offline version. We have the Google Gears Offline Version. That’s a start… we’ll evolve the offline version with time.

    Let me know if you have more questions– and keep the suggestions coming!


  21. I have been having fun……

    I thought last night “what other method could I use to write these OTPs down”? so I have come up with an idea.
    It is quite difficult to explain although it is a fairly simple idea.
    Have a look at the `starwheel` that I have just done with m$ publisher.
    [@Tara- If you like this jpg please put it on your server somewhere]

    Pick a start point on the outer wheel and remember (sorry!) the number next to it, now hand write each passphrase character going clockwise (or anti-clockwise, your choice!) around the outside of the star.
    Next, pick a start point for your packingkey. (This could be the same as the passphrase but would be much less secure) Now start hand writing each character (again, clockwise or anti-clockwise) (dont forget which way you go) around the inside of the star.
    There you have it.
    You will end up having a meaningless piece of paper to everyone else.
    All you need to remember (again sorry!) is, for example,
    `6 clock 9 anti`

    I know it’s not perfect but it is better than just printing the codes.

    Am I right in thinking that there are 32^32=1024 possibilities of reading your codes with this idea?

    Anyway I have tried it and it works fine. By all means print this starwheel out and have a go. The jpg is a little big and it could be shrunk a bit.

    -Underline any lower case letter.
    – Make sure you cross through a zero.

    -Use pictures instead of numbers.
    -Use a ships-wheel design instead of a star.

    I hope this helps anyone
    Have fun.


  22. What if you offered a SecurID service? That way you would need to enter your unpacking code + a token that is on an RSA SecurID that you carry with you. That way even if a keylogger discovered your packing key, it would only work until your token changes. (which is about every 30 secconds I believe). I know this service requires hardware on your end and the token that I would need isn’t cheap, but I would gladly pay for it.

  23. Should this article not also have an additional section titled “what disposable logins do *not* protect against”? – just to make the presentation a bit more comprehensive and fair.

    I say this because passwords (the ones people download from passpack *after* having logged in with the disposable login), are not really protected against spyware that is running on the public computer? For example, they could be ‘sniffed’ just before http requests leave the public computer.

  24. @anonymous
    Sure, we can prepare some more information. There’s an article Francesco has been bugging me to write about spyware/malicious plugin issues – looks like now is a good time to finally tackle that.

  25. Please forgive me for bothering again – a couple of quick questions: why exactly are those disposable logins 2×16 characters long? Has this something to do with the output length of the hash function you use to derive keys?

    I am also wondering whether or not knowledge of these disposable logins enable an attacker to perform offline dictionary attacks on the user’s pass or packing key… (after all, some code on the client must use these values in order to arrive at the same decryption key for the pack…).

    Perhaps I am completely wrong – just speculating :-)

  26. @anonymous
    No bother :)

    There are 2 disposable logins in each set because you need both the Disposable Pass and corresponding Disposable Packing Key to access the account.

    On the hash function – I’ll leave that to Francesco to answer, I’m not able to.

    And if an attacker knows discovers the an unused Disposable Login, there’s no need to run a dictionary attack, he can simple enter the account since he’s got, well, the login. If the Disposable Login has already been used, or has expired, no access will be granted.

    I hope I answered your questions.

  27. Pingback: Travelers - Check Your Browsers! « Passpack Blog

  28. Tara,
    Why not offer SecurID or Verisign tokens? For users that want to buy one for $5-$10, this offers ultimate security while traveling. This would also make my decision to go with Passpack instead of Verisign’s inferior PIP service. (Can you smell corporate?….)

  29. @Jed
    Hi – thanks for the tip. We’re actually planning a 2 Factor Authentication, though I don’t *think* that it’ll take the form of a physical token, but since many people have made that request, we’re considering it.

    If you have very specific needs, please contact me: tara@passpack.com

  30. Pingback: Getting Ready for Version 1.0 « Passpack Blog

  31. Ok, I was having some thoughts about OTPs or “disposable logins”. At the moment, as I understand it, a packing key password combination is generated which can be used once to access the account and data.

    The problem with this is that if someone gets hold of your disposable logins, which because of their randomness have to be kept in a physical form, they could gain complete access to your account.

    I can see that both the password and packing key are generated to make it so a keylogger would not be able to find out ANY of your details. The thing that I was thinking was, wouldn’t it be better to make a compromise between the information a keylogger could gather, and the power of the disposable logins? If the disposable login only consisted of EITHER a password OR a packing key, then there is still two part security. Something you know (the part that isn’t disposable, the key or the pass) and something you have (the disposable login which you have in physical form). Let’s say the disposable login that is generated is just a packing key. The keylogger would find out your account password, but they wouldn’t be able to do anything with it because they wouldn’t know your packing key. It would work the same way the other way round, I’m not sure which way would be more secure.

    Has this idea been thought about? Would it be more secure? Could it maybe be an option when making OTPs to either generate pass key pairs (as it is now) or to only make passwords/keys?

    I might be wrong with this but it seems to make sense. The way it is now seems to be putting all the eggs in one basket just to avoid a keylogger getting ANY information. This doesn’t seem necessary seeing as the one piece of harvested information that a keylogger would get would be useless without the other pass/key. If this is true then generating FULL (worryingly insecure if they fell into the wrong hands) password/key combinations seems like an unnecessary sacrifice to make just to stop a keylogger getting once piece of, on its own, useless information.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s