Passpack Online Password Manager: Security Overview

Security & Privacy |

U.S. government approved algorithm, plus
the Passpack Privacy Promise, equals Peace of Mind

Security Features

Anti-phishing protection
Disposable Logins
Scrambled Password Field
Offline Version (optional)
Password quality tester
Make personal backups
Strong password generator
Double Access login technique
Locks up when unattended
US Gov't approved encryption

Privacy Promise

Privacy is your right, protect it. The data you store on Passpack can not be read by anyone, not even by Passpack staff itself.

You have the right to request that all of your personal data be removed at any time. Please read the Privacy Promise - it's not just fluff, we mean it.

The "Pack" in Passpack comes from the bundle of locked up data inside your Account.

You can sign into your account, without exposing your Pack.

Passpack can't read what is in your pack.

It sends your pack to the browser, with the tools so you manage it.

Data Packing

Your data is encrypted on-the-fly before leaving your browser - that's the process we call Data Packing.

We use the AES algorithm, US government approved for classified information, to make sure that only you can decrypt it with your secret Packing Key can decrypt it.

Your Packing Key never gets sent or saved to the server, so not even Passpack staff knows it. As far as the world outside your browser is concerned, your Packing Key is a complete mystery. Without it, your data can't be read.

Disposable Logins (OTP)

A Disposable Login is a one time Pass and Packing Key combination: you use it once, then it's thrown it away.

Disposable Logins come in handy when traveling and you need to use a public computer.

With Disposable Logins, you can outsmart keyloggers. Even if your disposable Pass and Packing Key were to get "captured", it doesn't matter: they won't work again.

Backup & Offline Version

Passpack lets you save a personal, encrypted backup of all your entries. Don't trust the internet? Download the Offline Version to manage a local copy of your data.

Power Outages & Monitoring

Passpack resides in a disaster-proof data center with an un-interruptible power supply (in an extended power outage, if even batteries fail, a natural gas generator will take over). The data center is monitored both on-site and off-site, 24 hours a day. Data is backed up daily.

Anti-Phishing Welcome Message

A custom greeting, IP recognition and hand-eye training combine in a new technique that combats phishing.

Your custom welcome message is shown to you after every log in, but before inserting your Packing Key. So if you accidentally sign into a fraudulent site, you'll immediately notice that the welcome message is missing.

Thanks to the IP recognition, even if the phisher then attempts to log in to the real Passpack to glean your welcome message, he'll see nothing. Read more here.

Strong Pass Phrases

Passpack not only lets you use strong pass phrases, it measures your Pass and Packing Key while you type.

You can measure ALL your passwords this way - see which ones need changing!

Then use the built-in password generator to quickly make unique passwords for all of your logins. And why not? you don't have to remember them, Passpack does.

HTTPS Secure Connection

Only packed data is ever sent over the internet, and it is always sent over an SSL Secure Connection. Always connect to https://www.passpack.com.

Non-permanent Account Info

Your Password, Packing Key and even your User ID can all be updated anytime you want, and as many times you want. In fact, we urge you to do this from time to time. Just PLEASE always remember to make note of the new account information and store it in a safe place.

Summing it all up

With AES encryption (the same as used by the US Government) and an SSL Secure Connection, your data travels safely over the internet. But let's suppose a hypothetical "bad-guy" gets into our servers, all he'd find would be a bunch of illegible data (not even Passpack can read your data). If he's determined to crack this data, he'd have to crack the Packing Key of every single User, one-by-one, in order to reverse the packing process. To date, this type of brute force attack on AES is considered impossible. That makes Passpack an unattractive target.