Service Outage 7-7-2015

Early this morning we experienced an internal connectivity issue. This affected the ability to use your Packing Keys on all servers. There were no security issues and no data was compromised.

We apologize for the delay in responding to customers here and on social media. The internal issue did not send out alerts to our operations team or customer support team and was initially localized geographically. We began working on the issue and shared the information at the earliest opportunity.

Again we apologize for the delay and we will be working on getting more timely information out to our customers going forward.

All systems are now back online.

If you have sent a request to customer service they are answering as quickly as possible.

Unscheduled Outage Update

Passpack experienced an unexpected outage during our daily backup operation early this morning, which has now been resolved. If you experienced issues with logging in and have not tried again, please do so, as you should now be able to log in. We have been responding to the high volume of support email this morning. If users experience issues of any kind, please contact support using the form or email to report them, as customer support emails take priority over any social media. If for any reason the support form is inaccessible, please note that a direct email may be sent to We apologize for any inconvenience you might have experienced.

Heartbleed Vulnerability Update

On Monday, April 7th, the Heartbleed bug was announced by OpenSSL. Heartbleed is a vulnerability in the OpenSSL cryptographic library; you can get details at

Was Passpack vulnerable?

Passpack utilizes OpenSSL and we were vulnerable to this bug. Our systems were updated this morning, April 8th; new SSL keys were generated and new SSL certificates were requested and deployed, so Passpack is no longer vulnerable. We have also had a feature called “perfect forward secrecy” enabled on our SSL connection for some time, which eliminates the ability to decrypt traffic retroactively.

What should I do?

Sensitive data that is sent to Passpack is encrypted with a key that is not transmitted to our servers, so your data is never transmitted over SSL unencrypted. While Heartbleed is a serious issue, your stored data would not have been affected. There is a concern that a man-in-the-middle attack could have masqueraded as Passpack, served malicious JavaScript back to users and compromised their Packing Key. While we do not have any evidence that any customer data was compromised, after analyzing the issue we feel it is better to err on the side of caution and recommend changing your Packing Key. We also recommend enabling two-factor authentication on all accounts.

Since roughly 2/3 of the internet was also affected by this vulnerability, we also recommend that you consider changing your passwords at other sites, as they were likely vulnerable to the same attack.

Scheduled Maintenance Saturday 8PM MST

We will be upgrading our web servers to support the latest security standard, TLS 1.2, this Saturday between 8:00PM and 9:00PM MST. We will be performing a rolling upgrade of the server software which should avoid any disruption of service, but we want to make everyone aware of the time in case there are any issues.

Welcome to 2014

The Passpack Team has been working very hard the last two quarters of 2013 to make this year the best year yet for our users and team. We are excited to welcome 2014 with a brand new look and feel for the web site, and we also have a few announcements.

Since 2006, Passpack has grown organically, amassing a huge trove of industry and product knowledge, which can be found in blog posts and the online help center. Moving the knowledge base and help center to a more modern application will take some time. We are, however, working to keep it to a minimum and hope to have it completed within the next few weeks. We hope you will like the new look and feel.

The Next Generation of Passpack

We acquired Passpack in July of 2013. It was our intention at that time to rapidly bring improvements to our customers. Our team set to work assessing the state of the Passpack application, and digging through the feedback and support databases to see what our users had asked for, and where we could make improvements. That was challenging. We love a challenge. We then set about building it, and that has also been very challenging! Good thing we really love a challenge. In the coming weeks we will be announcing a Preview Program so that we can get our users' feedback in an effort to be sure that we don’t miss opportunities to build and implement the features they need and want.

The number of improvements is rather large, so we will make a dedicated announcement separately; a few of the major features in the coming version will include Native Mobile Applications and Native Browser Extensions for all major platforms. The team and group features are both simpler to use and much more powerful. We’re pretty excited about it, and we hope you are too.

We love to hear from you

We have been very quiet while we were working on the completion of this new release, but you will be hearing much more from the Passpack Team in 2014. Over the last six months, if you have needed support or had a question, you’ve probably interacted with one or all of the team. While we’re happiest when things work for you exactly as they should or are as easy to use as we’d all like them to be, we want you, our users, to know that if you need support or just have a question about the company, our team is here for you. We believe that we have a great product, and that we have great people using it. We enjoy interacting with all of you, and value your feedback too.

Here’s to a great 2014, everyone!
Best Regards and Warm Wishes,
The Passpack Team

PayPal issue

Since yesterday, PayPal has not been sending us confirmation notifications of payments, so the system is unable to update the status of the accounts. We could do this manually, but when PayPal solves the issue, it will probably send all the notifications, and this could create worse issues. So, we are waiting for a while. If nothing happens, we will fix the updates manually.

UPDATE, Jan. 29. The strategy worked because PayPal sent all the notifications at once, and all the accounts have been upgraded correctly.


The new Adobe AIR damages the Passpack Desktop’s Local Storage

Your attention, please.

The new Adobe AIR, on some operating systems, resets the Encrypted Local Storage where the local Passpack Desktop data is stored. So, please, before upgrading to the new Adobe AIR, back up your local data from “tools > backup” so that, if the data is lost after the upgrade, you can restore it.

If your data is lost, the only way to recover it is to restore your operating system to a restore point from before the upgrade to the latest Adobe AIR. Some users were able to recover all the data this way. After recovering the data, please back up the entries before upgrading again, and restore the entries after restarting the account.

Quick PIN on mobile devices

The biggest problem with the mobile version of Passpack is typing a long Packing Key. People often type the wrong one and have to repeat the process. That’s painful on a touchscreen keyboard.

So, I have just released a solution to this problem: a 4-character PIN that substitutes for your Packing Key. This PIN is device specific; in other words, you set up a different PIN for each phone and tablet.

It works in a very simple way:

  • your Packing Key is encrypted using a randomly generated key
  • the random key is stored in the local storage of the browser on your device
  • the encrypted Packing Key is sent to our server with the PIN

Next time you log in to Passpack on that device, you’ll be asked for the PIN instead of the Packing Key. You have 3 attempts to type the correct one. At the third mistake the PIN will be deleted and you’ll need to type the Packing Key as usual.

When used with the Remember me option, this is a great time saver!
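The flow described above, modelled end to end as an added example (it is not Passpack's code). It shows why the attempt counter has to live on the server and what each side holds on its own. Assumptions: XOR with a same-length random key stands in for the unspecified cipher, and the PBKDF2 PIN verifier, the counter reset after a correct PIN, and all class and field names are hypothetical.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # from the post: the PIN is deleted at the third mistake

def xor(data: bytes, key: bytes) -> bytes:
    # Stand-in cipher (assumption): one-time pad with a same-length random key.
    return bytes(a ^ b for a, b in zip(data, key))

class Server:
    """Keeps the wrapped Packing Key and a PIN verifier, one record per device."""
    def __init__(self):
        self.records = {}

    @staticmethod
    def _verifier(pin: str, salt: bytes) -> bytes:
        # Assumption: the post does not say how the server stores the PIN.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, device_id: str, wrapped: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.records[device_id] = {"wrapped": wrapped, "salt": salt,
                                   "pin": self._verifier(pin, salt), "failures": 0}

    def unlock(self, device_id: str, pin: str):
        rec = self.records.get(device_id)
        if rec is None:
            return None  # no PIN on record: the user must type the Packing Key
        if hmac.compare_digest(self._verifier(pin, rec["salt"]), rec["pin"]):
            rec["failures"] = 0  # assumption: a correct PIN resets the counter
            return rec["wrapped"]
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            del self.records[device_id]  # third mistake: the PIN is deleted
        return None

class Device:
    """Models the browser; local_key is the value kept in its local storage."""
    def __init__(self, device_id: str):
        self.device_id, self.local_key = device_id, None

    def activate_pin(self, server: Server, packing_key: str, pin: str) -> None:
        secret = packing_key.encode()
        self.local_key = secrets.token_bytes(len(secret))
        server.enroll(self.device_id, xor(secret, self.local_key), pin)

    def login_with_pin(self, server: Server, pin: str):
        wrapped = server.unlock(self.device_id, pin)
        return None if wrapped is None else xor(wrapped, self.local_key).decode()
```

Neither side alone recovers the Packing Key: the server record lacks the local key, and a copied local key is useless once the server has deleted the record after the third wrong PIN.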

Managing PINs and devices

From the Settings page, you can see what devices you have already activated and, possibly, remove them.
This is particularly important if you lose your mobile device.

About security

Initially I was thinking of using a numeric touchpad, like the kind many apps use for PIN numbers. But the risk is that you could be tempted to use the same numeric PIN that you use to access your device – and that would be bad. We don’t want anyone who can enter your device to be able to enter your Passpack account as well.

For this reason, I decided to allow a text PIN. This way you have a much better PIN, since you can use anything, including international characters. For example, your PIN can be a string like arfk or xsTT, but you can also decide to use a crazy strong PIN like Aò高8 that would be impossible to guess in three attempts. This strongly increases the security as compared to, for example, an ATM PIN.

Note. The quick PIN system needs an HTML5 browser to work. If your browser is not compatible, you won’t see the option to activate the PIN.

Solved an issue with corrupted exchange keys

From time to time, we receive a ticket from a user who is unable to invite another user, because the recipient cannot see or accept the invitation. I have tried to replicate this issue without success, so my workaround has been to manually delete the invitation from the database so that the two users can restart the process. Generally this worked.
The strange thing was that the problem always repeated within the same teams. As you know, Passpack has been built to be personal and private. So the best practice, in any case, is that one user accesses one account. If more than one user accesses the same account, this can create unpredictable problems.

A practical example

We have three users: Bob, Alice and John.
  • Bob accesses his personal account (good!). Alice and John, instead, access the same company account (bad!).
  • Alice invites Bob.
  • Before Bob has a chance to see the invitation, John checks for updates. The system finds a key-exchange request that is related to his current account (which Alice is also accessing, remember), processes the keys and deletes the original RSA-encrypted keys for security purposes.
  • When Bob checks for updates he finds the invite, but the system is not able to generate its own keys because the original keys have since been removed.
  • The result is that Alice has invited Bob, but Bob cannot see or accept the invitation because the exchange keys are bad.

How to fix the issue

When I discovered this practice I finally understood what was causing the key corruption. So I’ve added a more sophisticated control to avoid the problem. But, since it is impossible to propagate a change to previous versions, it was necessary that all the involved users reload their Passpack page to have the latest version of the application. If not, the invitations may seem correct but the user will not be able to see any shared entries because his keys are not compatible with the current keys of the sharer.
If you are experiencing a problem with invitations or with users that cannot see any shared entry, you should follow these steps:
  • Be sure that you have the latest Passpack version (log out and reload to be sure)
  • If you have tried to exchange secure messages with the user, delete all those messages and ask the other user to do the same
  • From the People tab, delete the invited user
  • Ask the other user to press their check for update button to verify that there aren’t any invitations from you
  • Invite him again

If you have any issues please open a support ticket.