We will be upgrading our web servers to support the latest security standard, TLS 1.2, this Saturday between 8:00PM and 9:00PM MST. We will be performing a rolling upgrade of the server software which should avoid any disruption of service, but we want to make everyone aware of the time in case there are any issues.
Welcome to 2014
The Passpack Team has been working very hard the last two quarters of 2013 to make this year the best year yet for our users and team. We are excited to welcome 2014 with a brand new look and feel for the web site, and we also have a few announcements.
Since 2006, Passpack has grown organically, amassing a huge trove of industry and product knowledge, which can be found in blog posts and the online help center. Moving the knowledge base and help center to a more modern application will take some time. We are, however, working to keep it to a minimum and hope to have it completed within the next few weeks. We hope you will like the new look and feel.
The Next Generation of Passpack
We acquired Passpack in July of 2013. It was our intention at that time to rapidly bring improvements to our customers. Our team set to work assessing the state of the Passpack application and digging through the feedback and support databases to see what our users had asked for and where we could make improvements. That was challenging. We love a challenge. We then set about building it, and that has also been very challenging! Good thing we really love a challenge. In the coming weeks we will be announcing a Preview Program so that we can get our users’ feedback and be sure we don’t miss opportunities to build and implement the features they need and want.
The number of improvements is rather large, so we will make a dedicated announcement separately; a few of the major features in the coming version will include Native Mobile Applications and Native Browser Extensions for all major platforms. The team and group features are both simpler to use and much more powerful. We’re pretty excited about it, and we hope you are too.
We love to hear from you
We have been very quiet while we were working on the completion of this new release, but you will be hearing much more from the Passpack Team in 2014. Over the last six months, if you have needed support or had a question, you’ve probably interacted with one or all of the team. While we’re happiest when things work for you exactly as they should, or are as easy to use as we’d all like them to be, we want you, our users, to know that if you need support or just have a question about the company, our team is here for you. We believe that we have a great product, and that we have great people using it. We enjoy interacting with all of you, and value your feedback too.
Here’s to a great 2014, everyone!
Best Regards and Warm Wishes,
The Passpack Team
Since yesterday, PayPal has not been sending us confirmation notifications for payments, so the system is unable to update the status of the accounts. We could do this manually, but when PayPal solves the issue it will probably send all the notifications at once, and that could create worse issues. So we are waiting for a while. If nothing happens, we will fix the updates manually.
UPDATE, Jan. 29. The strategy worked: PayPal sent all the notifications at once, and all the accounts have been upgraded correctly.
Your attention, please.
The new Adobe AIR, on some operating systems, resets the Encrypted Local Storage where the local Passpack Desktop data is stored. So please, before upgrading to the new Adobe AIR, back up your local data from “tools > backup” so that, if the data is lost after the upgrade, you can restore it.
If your data is lost, the only way to recover it is to restore your operating system to a restore point from before the upgrade to the latest Adobe AIR. Some users were able to recover all their data this way. After recovering the data, please back up the entries before upgrading again, and restore the entries after restarting the account.
The biggest problem with the mobile version of Passpack is typing a long Packing Key. People often type the wrong one and have to repeat the process. That’s painful on a touchscreen keyboard.
So I have just released a solution to this problem: a 4-character PIN that substitutes for your Packing Key. This PIN is device specific; in other words, you set up a different PIN for each phone and tablet.
It works in a very simple way:
- your Packing Key is encrypted using a randomly generated key
- the random key is stored in the local storage of the browser on your device
- the encrypted Packing Key is sent to our server together with the PIN
Next time you log in to Passpack on that device, you’ll be asked for the PIN instead of the Packing Key. You have 3 attempts to type the correct one. At the third mistake the PIN will be deleted and you’ll need to type the Packing Key as usual.
When used with the Remember me option, this is a great time saver!
Managing PINs and devices
From the Settings page, you can see what devices you have already activated and, possibly, remove them.
This is particularly important if you lose your mobile device.
Initially I was thinking of using a numeric keypad, like the kind many apps use for PINs. But the risk is that you could be tempted to use the same numeric PIN that you use to unlock your device, and that would be bad. We don’t want anyone who can get into your device to be able to get into your Passpack account as well.
For this reason, I decided to allow a text PIN. This gives you a much stronger PIN, since you can use any character, including international ones. For example, your PIN can be a string like arfk or xsTT, but you can also decide to use a crazy strong PIN like Aò高8 that would be impossible to guess in three attempts. This strongly increases security compared to, for example, an ATM PIN.
Note. The quick PIN system needs an HTML5 browser to work. If your browser is not compatible, you won’t see the option to activate the PIN.
A practical example
- Bob accesses his personal account (good!). Alice and John, instead, both access the same company account (bad!).
- Alice invites Bob.
- Before Bob has a chance to see the invitation, John checks for updates. The system finds a key-exchange request related to his current account (which Alice is also accessing, remember), processes the keys and deletes the original RSA-encrypted keys for security purposes.
- When Bob checks for updates he finds the invite, but the system is not able to generate its own keys because the original keys have since been removed.
- The result is that Alice has invited Bob, but Bob cannot see or accept the invitation because the exchange keys are bad.
How to fix the issue
- Be sure that you have the latest Passpack version (logout and reload to be sure)
- If you have tried to exchange secure messages with the user, delete all those messages and ask the other user to do the same
- From the People tab delete the invited user
- Ask the other user to press their check for update button to verify that there aren’t any invitations from you
- Invite him again
If you have any issues please open a support ticket.
We’ve been using UserVoice for a while to manage user feedback.
UserVoice is a great service to collect suggestions and ideas. It worked very well and now we know what is important for our users. But there are a lot of minor suggestions that are also important and remain without an answer. And, in many cases, people ask for a feature that already exists. If there were a live conversation, some other user might be able to quickly answer: “Hey Joe, you can already do this.” Instead, there is no live conversation and every day someone adds a suggestion that risks getting lost. This is not good.
So, in the next weeks, we will try to limit the UserVoice forum to big suggestions and we will move the everyday feedback towards our Facebook page. Why Facebook? Because it is easy and social and solves the “conversation” problem. Of course, please don’t consider it a support page and especially don’t write any sensitive information. If you need customer support on your account, please open a support ticket instead and we will help you.
The Passpack Facebook page would like to be a place where you can start conversations with us and with other users about best practices, ideas, issues, etcetera.
What do you think?
First things first: your data is safe.
Passpack runs on dedicated servers at a provider in Germany. Yesterday, that hosting provider was likely hacked into. Due to our application architecture, and the fact that we’ve completely isolated the servers from any access by the provider, Passpack has not been compromised. All user data is secure.
This announcement is simply because we believe in transparency.
Why Passpack was not affected
Fortunately I don’t trust anybody, not even our hosting providers (Passpack is, after all, built on the “Host-proof” Hosting pattern). As soon as our dedicated servers were delivered to us with the OS installed, the first order of business was to make sure that our provider was completely unable to access our servers. Every default password was changed and (most importantly) the SSH configuration only allows access via keys. Yes, that makes it more complex to handle any hardware problems, but it’s worth the trouble. Today, when I read the communication below, I knew it was the right choice.
This is the communication that we received today, like hundreds of others:
We were informed yesterday, Wednesday 5 October, about an improper access to our internal system.
As far as we can presently reconstruct, the attackers could have been able to access internal customer data on [our] administrative systems.
[...] To our present knowledge we have no information regarding data abuse from customers.
Unfortunately, it is not possible for us to exclude this possibility completely and we would therefore ask that you change all passwords on your [Provider] system immediately as a precaution.
[...] To ensure complete and transparent clarification, we shall shortly be reporting this incident to the regulatory authorities.
As always, we’ve taken the follow-up security measures available to us for good measure. We immediately updated the credentials for logging in to the online account manager. Nobody has accessed the account manager or changed any settings.
My biggest concern was that, with access to the provider’s account management system, a hacker could have been able to reset a server (though they couldn’t have accessed any user data): starting a new installation while deleting all the current data. Fortunately, they didn’t. And the access codes have all since been changed. As you can imagine, this would have caused an interruption in service until we had reconfigured everything and restored the data from our remote backups.
A secondary concern would be that they could have gained physical access to the servers by putting them into maintenance mode. In that case too, there would have been noticeable downtime. There wasn’t. Anyway, as you know, our data is useless without hacking the entire distributed system.
Since we had no problems or outages, I could have easily not informed anyone about this. But I believe that transparency is the most important thing for a service like Passpack. So now you know.
Have a good day, and let me know if you have any questions.
We will be performing server maintenance next Saturday, September 24, from 8-9am GMT+1 (it was initially planned for 5-6pm PST). During that period we will put the database in read-only mode, so if you change something and need to save it, you will have to wait. When the operation is complete you will be able to save your data without problems.
We will move the system to new, more powerful servers. If everything goes as it did during past migrations, most users will not notice the transfer and everything will seem normal. We hope that this time too it will be so. For good measure, if you haven’t yet, please install Passpack Desktop to be sure that you have an offline backup of your data. This is very important because on the Internet it is always possible that a website is unreachable, and you must have your passwords when you need them. Passpack Desktop covers this emergency case, and using it is a best practice.