Passpack experienced an unexpected outage during our daily backup operation early this morning, which has now been resolved. If you experienced issues with logging in and have not tried again, please do so as you should be able to login. We have been responding to the high volume of support email this morning. If users experience issues of any kind, please do contact support using the form or email to report them as customer support emails take the priority over any social media. If for any reason the support form is inaccessible, please note that a direct email may be sent to firstname.lastname@example.org. We apologize for any inconvenience you might have experienced.
On Monday, April 7th the Heartbleed bug was announced by OpenSSL. Heartbleed is a vulnerability in the OpenSSL cryptographic library, you can get details at http://heartbleed.com/
Was Passpack vulnerable?
Passpack utilizes OpenSSL and we were vulnerable to this bug. Our systems were updated this morning April 8th, new SSL Keys were generated and new SSL Certificates requested and deployed. So Passpack is no longer vulnerable, we have also had a feature called “perfect forward secrecy” enabled on our SSL connection for some time which eliminates the ability to decrypt traffic retroactively.
What should I do?
Since roughly 2/3 of the internet was also affected by this vulnerability we also recommend that you consider changing your passwords at other sites as they were likely vulnerable to the same attack.
We will be upgrading our web servers to support the latest security standard, TLS 1.2, this Saturday between 8:00PM and 9:00PM MST. We will be performing a rolling upgrade of the server software which should avoid any disruption of service, but we want to make everyone aware of the time in case there are any issues.
Welcome to 2014
The Passpack Team has been working very hard the last two quarters of 2013 to make this year the best year yet for our users and team. We are excited to welcome 2014 with a brand new look and feel for the web site, and we also have a few announcements.
Since 2006, Passpack has grown organically, amassing a huge trove of industry and product knowledge, which can be found in blog posts and the online help center. Moving the knowledge base and help center to a more modern application will take some time. We are, however, working to keep it to a minimum and hope to have it completed within the next few weeks. We hope you will like the new look and feel.
The Next Generation of Passpack
We acquired Passpack in July of 2013. It was our intention at that time, to rapidly bring improvements to our customers. Our team set to work assessing the state of the Passpack application, and digging through the feedback and support databases to see what our users had asked for, and where we could make improvements. That was challenging. We love a challenge. We then set about building it, and that has also been very challenging! Good thing we really love a challenge. In the coming weeks we will be announcing a Preview Program so that we can get our users feedback in an effort to be sure that we don’t miss opportunities to build and implement the features they need and want.
The number of improvements is rather large, so we will make a dedicated announcement separately; a few of the major features in the coming version will include Native Mobile Applications and Native Browser Extensions for all major platforms. The team and group features are both simpler to use and much more powerful. We’re pretty excited about it, and we hope you are too.
We love to hear from you
We have been very quiet while we were working on the completion of this new release, but you will be hearing much more from the Passpack Team in 2014. Over the last six months if you have needed support or had a question, you’ve probably interacted with one or all of the team, and while we’re happiest when things work for you exactly as they should or are as easy to use as we’d all like them to be, we want you, our users to know that if you need support or just have a question about the company, our team is here for you. We believe that we have a great product, and that we have great people using it. We enjoy interacting with all of you, and value your feedback too.
Here’s to a great 2014, everyone!
Best Regards and Warm Wishes,
The Passpack Team
Since Yesterday, PayPal is not sending us confirmation notification of the payments. So the system is unable to update the status of the accounts. We could do this manually, but when PayPal will solve the issue, it will probably send all the notifications and this could create worse issues. So, we are waiting for a while. If nothing happens, we will fix the updates manually.
UPDATE, Jan. 29. The strategy worked because PayPal sent all the notification at one moment, and all the accounts have been upgraded correctly.
Your attention, please.
The new Adobe AIR, on some Operating Systems, resets the Encrypted Local Storage where the local Passpack Desktop data are stored. So, please, before upgrading to the new Adobe AIR, do a backup of your local data from “tools > backup” so that, if the data will be lost after the upgrading, you can restore it.
If your data is lost, the only way to recover it is to restore the status of your operating system to a restore point before the upgrade to the last Adobe AIR. Some users were able to recover all the data this way. After recovering the data, please, backup the entries before upgrade again and restore the entries after restarting the account.
The biggest problem with the mobile version of Passpack is typing a long Packing Key. People often type the wrong one and have to repeat the process. That’s painful on a touchscreen keyboard.
So, I have just released a solution that solves this problem: a 4 character PIN that substitutes your Packing Key. This PIN is device specific, in other words, you set up a different PIN for each phone and tablet.
It works in a very simple way:
- your Packing Key is encoded using a randomly generated key
- the random key is stored in the local storage of the broswer on your device
- the encrypted Packing Key is send to the our server with the PIN
Next time you login to Passpack on that device, you’ll be asked for the PIN instead of the Packing Key. You have 3 attempts to type the correct one. At the third mistake the PIN will be deleted and yo’ll need to type the Packing Key as usual.
When used with the Remember me option, this is a great time saver!
Managing PINs and devices
From the Settings page, you can see what devices you have already activated and, possibly, remove them.
This is particularly important if you lose your mobile device.
Initially I was thinking to use a numeric touchpad, like the kind many apps use for PIN numbers. But the risk is that you could be tempted to use the same numeric PIN that you use to access your device – and that would be bad. We don’t want anyone who can enter your device to be able to enter your Passpack account as well.
For this reason, I decided to allow a text PIN. This way you have a really better PIN since you can use everything, included international characters. For example, your PIN can be a string like arfk or xsTT but you can also decide to use a crazy strong PIN like Aò高8 that would be impossible to be guessed in three attempt. This strongly increases the security as compared to, for example, an ATM PIN.
Note. The quick PIN system needs an HTML5 browser to work. If your browser is not compatible, you won’t see the option to activate the PIN.
A pratical example
- Bob accesses his personal account (good!). Instead Alice and John access the same company’s account (bad!).
- Alice invites Bob.
- Before Bob has a chance to see the invitation, John checks for updates. The system finds a request for exchanging keys that is related with his current account (that Alice is also accessing, remember), elaborates the keys and delete the original RSA-encrypted keys for security purposes.
- When Bob checks for updates he finds the invite, but the system is not able to generate its own keys because the original keys have since been removed.
- The result is that Alice has invited Bob, but Bob can not see or accept the invitation because the exchange keys are bad.
How to fix the issue
- Be sure that you have the latest Passpack version (logout and reload to be sure)
- If you have tried to exchange secure messages with the user, delete all those messages and ask the other user to do the same
- From the People tab delete the invited user
- Ask the other user to press their check for update button to verify that there aren’t any invitations from you
- Invite him again
If you have any issues please open a support ticket.
We’ve been using UserVoice for a while to manage user feedback.
UserVoice is a great service to collect suggestions and ideas. It worked very well and now we know what is important for our users. But there are a lot of minor suggestions that are also important which remain without an answer. And, in many cases, people ask for a feature that already exists. If there were a live conversation, some other user might be able to quickly answer: “Hey Joe, you can already do this.” Instead, there is no live converation and everyday someone adds a suggestion that risks getting lost. This is not good.
So, in the next weeks, we will try to limit the UserVoice forum to big suggestions and we will move the everyday feedback towards our Facebook page. Why Facebook? Because it is easy and social and solves the “conversation” problem. Of course, please don’t consider it a support page and especially don’t write any sensitive information. If you need customer support on your account, please open a support ticket instead and we will help you.
The Passpack Facebook page would like to be a place where you can start conversations with us and with other users about best practices, ideas, issues, etcetera.
What do you think?