Passpack’s recent announcement of soon becoming an OpenID supporter sparked quite a few questions. One of those questions in particular requires a post to be answered – “How will Passpack support OpenID and at the same time prevent phishing?”
Passpack has always dedicated itself to ensuring full user security and privacy and it always will. We thought long and hard before deciding whether OpenID was right for us and our users. We specifically have users choose long and strong Pass Phrases and Packing Keys to eliminate unnecessary risks, so why would we choose to support OpenID, an authentication system with quite a few publicized flaws? Because we will not compromise Passpack security.
How Can OpenID Be Considered Risky?
OpenID has a long way to go before becoming a standard in sign-on, and some say an even longer way to go before it is considered a secure protocol. As an authentication system OpenID is gaining traction, but on a security level it is being closely scrutinized. Issues range from traditional phishing attacks to attacks aimed specifically at OpenID users. (Here is an excellent demo of how a man-in-the-middle attack can phish your OpenID account.)
Some worry also lies in attacks such as DNS poisoning, Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF). If these are concerns, or if these terms are unfamiliar, it’s a good idea to go with one of the more well-known OpenID providers, which usually have measures in place to mitigate such risks.
Here are a few that we like here at Passpack because of their high security standards:
Passpack’s Safety Lies In The Packing Key
Even if your OpenID account is ever somehow compromised, your Passpack account will never be at risk because of that. How can we ensure this? – Your Packing Key.
If you’re an OpenID user, you will be able to access your Passpack account by entering your OpenID instead of the usual UserID and Pass Phrase. Luckily, there is one step you will not be able to avoid. Your personally chosen Packing Key will ALWAYS remain necessary to “unpack” the info in your account. It is the key to decrypting each and every single one of your entries.
And remember, all the same rules apply: NEVER enter your Packing Key unless you see your personal anti-phishing message (it’s a good idea to set one up if you haven’t yet). Keep this in mind, but not to worry: there will be further posts on this and other potential risks…