Good Morning: Time to Change Your Button

For those of you who don’t know, Francesco and I are a husband and wife co-founder team.

We work a lot. “Always” might be the right word. Office hours are 10am to 8pm, then home for a quick dinner and back to work again. About 2am we hit the sack, exhausted. I usually need to read a few pages then doze off, nose in my book. Francesco falls straight asleep but… during the night he wakes up to… meditate.

Really folks, he does this every night. Thankfully, I’ve learned to sleep through it because it seems those in-between sleep moments are his most productive. Over breakfast he gives me a recap of his night-time musings.

But sometimes his thoughts are too noisy for his own head and he starts mulling around the house, turning on lights, dropping things. In short: he wakes me up. As soon as I get one eye half open, he’s already started talking.

Last night was one of those nights. At 4:30 am Francesco began a long, winding, detailed explanation of something extremely difficult to grasp, something about 1 Click Login and co-workers that hated each other and I can’t remember what else. Relieved of his burden, he promptly fell back asleep. I read a few more pages of my book.

This morning he was up early making changes to the Passpack It! button. I tried to stop him – really. But there was no chance of it. He quoted Bruce Schneier, he swore up and down on possibilities and plausibilities and then…. he changed the button.

So, lights on, everyone up! Time to reinstall your button. Up and at ’em troopers. Your current Passpack It! button will no longer work, you’ll need to reinstall a new one.

Sorry, You’ll Need To Reinstall Your Button

Passpack will prompt you to do so the next time you use Auto-login, but here are instructions in case you’d like to take care of that ahead of time:

  1. Delete your current button from your browser
  2. In your account, go to Auto-login > Install My Button
  3. Reinstall your button

Too much work? Here’s a faster way to do it.

Questions? Fire away, we’re listening.


9 responses to “Good Morning: Time to Change Your Button”

  1. What did he change? :)

  2. The new button doesn’t work for me. (Firefox Vista SP 0 and XP SP3)

  3. @Sanuil
    I’m writing a reply for you… just a moment.

    Sending you an email.

  4. I am having the same problem, although I have only tried it on a couple of sites. Facebook worked with the button perfectly before but now it’s not working since the update. (Safari 3.1.1, OSX 10.5.3)

  5. @Saniul
    He added an encrypted authentication token associated with the domain that lets the button authenticate itself to the server so that the server knows that it’s OK to reply with the encrypted login data. If the token is incorrect or missing, the server will ignore the login request.

    Just want to underline:

    The “login data” that the server replies with is now, has always been, and always will be, encrypted with AES-256. So even if a fraudulent attempt were made (prior to last night’s change) the fraudster would have still found himself with an encrypted jumble that he would have had to brute force attack (which is considered “uncrackable”). But that bothered Francesco, so he put up this additional barrier so that a fraudster wouldn’t even get his hands on the encrypted data to begin with.

    Also, the attack that the fraudster would have to put together would have been fairly complex and aimed at a single person.

    I hope that makes sense :) I’ll see if we can’t get a detailed description of the process written for you.

  6. This is the part of PassPack that frightens me (from the “Terms and Conditions” page):

    Furthermore it is forbidden to store critical data such as, but not limited to, financial data or access data to financial institutions, or any data which, if lost, stolen or destroyed, could result in personal or public catastrophe.

    I realize this is just legal boilerplate, but it’s quite sobering anyway. Looking forward to the day that there’s a solution that doesn’t need the above caveat.

  7. @ibc
    I can understand that. Yes, it’s standard legalese, but actually we will allow financial data with the paid packages once they are ready.

  8. RE:
    that is a pretty good description, and it sounds like a good update. some advance warning would have been helpful in case of compatibility problems, but if any security improvements can be made it is generally nice to have them implemented quick as possible so… =P

  9. @tom
    Yes, I will attempt to make pre-notification in the future. :)
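
The server-side check described in response 5, sketched as an added example; this is not Passpack's code. It assumes the token is an HMAC over the account name and the site's domain (the page only says the token is "encrypted" and "associated with the domain"), and every name and value below is hypothetical.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical): a server-side key and one stored,
# already-encrypted login record. The server never sees the plaintext.
SERVER_KEY = b"constructed-demo-server-key"
VAULT = {("alice", "example.com"): b"<AES-256 ciphertext placeholder>"}


def issue_token(user: str, domain: str) -> str:
    """Token embedded in the button at install time, bound to user and domain."""
    # The NUL separator keeps ("ab", "c.com") and ("a", "bc.com") distinct.
    msg = f"{user}\x00{domain.lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_login_request(user, domain, token):
    """Return the encrypted login data only for a valid token, otherwise None.

    Missing and incorrect tokens get the same answer (nothing), so a caller
    without a valid button never receives the ciphertext at all.
    """
    if not isinstance(token, str) or not token:
        return None  # old button or forged request: no token supplied
    expected = issue_token(user, domain)
    # Constant-time comparison: a mismatch must not reveal how much matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return VAULT.get((user, domain.lower()))


if __name__ == "__main__":
    good = issue_token("alice", "example.com")
    print(handle_login_request("alice", "example.com", good))   # ciphertext
    print(handle_login_request("alice", "example.com", None))   # None
```

A button installed before the change carries no token and falls into the first branch, which is why existing buttons stop working until they are reinstalled.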

