This morning a smart user alerted me to a security issue with using Google/Gmail to access a Passpack account.

I analyzed it and discovered that Google has changed how Gmail authentication works, causing the library we use to fail. As a result, we are preparing to support Google Friend Connect. In the meantime, it will not be possible to create new accounts via Google or Gmail, only to access existing ones.

How the interface changes.

Instead of two fields, the Gmail address and the password, there will be only one: the Gmail address. Please note that this works only with existing accounts; it will not be possible to create new accounts via Google/Gmail.

[Screenshot: the Gmail access sign-in field]

What about security?

When you type your Gmail address, Passpack checks that it exists and that a Passpack account is associated with it. If so, you will be asked for your Packing Key. As you probably know, you receive your encrypted data only if the hash of the Packing Key is correct. So the first step only identifies who you say you are; the second step, the request for the Packing Key, is what guarantees the security of the access. Also, if you did not set a Welcome Message, in order to safeguard your privacy the welcome screen will show your Gmail address without the “@gmail.com” suffix instead of your Passpack ID.
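As an added illustration (not Passpack’s own code), here is a minimal model of the two-step flow described above: step 1 only recognizes the Gmail address, and the encrypted data is released only when the salted hash of the Packing Key matches the stored verifier. The account store, PBKDF2 verifier and ciphertext blob are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample store: one Passpack account linked to a Gmail address.
# The server keeps only a salted hash (verifier) of the Packing Key plus the
# ciphertext; the plaintext Packing Key never reaches the server (assumption).
_ROUNDS = 100_000

def make_verifier(packing_key: str, salt: bytes) -> bytes:
    """Derive the stored hash of the Packing Key (server-side verifier)."""
    return hashlib.pbkdf2_hmac("sha256", packing_key.encode(), salt, _ROUNDS)

_SALT = os.urandom(16)
ACCOUNTS = {
    "alice@gmail.com": {
        "passpack_id": "alice_pp",
        "welcome_message": None,  # user never set a Welcome Message
        "salt": _SALT,
        "verifier": make_verifier("correct horse battery", _SALT),
        "encrypted_data": b"<constructed opaque ciphertext blob>",
    }
}

def step1_identify(gmail_address: str) -> Optional[str]:
    """Step 1: recognition only. Returns the welcome-screen text if a Passpack
    account is associated with the address, else None. No secret is released."""
    acct = ACCOUNTS.get(gmail_address)
    if acct is None:
        return None
    if acct["welcome_message"]:
        return acct["welcome_message"]
    # Privacy: show the address without "@gmail.com", not the Passpack ID.
    suffix = "@gmail.com"
    if gmail_address.endswith(suffix):
        return gmail_address[: -len(suffix)]
    return gmail_address

def step2_unlock(gmail_address: str, packing_key: str) -> Optional[bytes]:
    """Step 2: the encrypted data is returned only if the hash of the supplied
    Packing Key matches the stored verifier (constant-time comparison)."""
    acct = ACCOUNTS.get(gmail_address)
    if acct is None:
        return None
    candidate = make_verifier(packing_key, acct["salt"])
    if not hmac.compare_digest(candidate, acct["verifier"]):
        return None
    return acct["encrypted_data"]
```

Decryption itself would happen on the client with the Packing Key; the server only ever hands out the blob.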

The next step.

Once Google Friend Connect support is ready, you will be able to associate it with your account. UPDATE: Google Friend Connect is ready. Please follow these instructions to associate it with your account. You should also remove the current Google/Gmail association, as we will phase it out quickly.

12 Comments

  1. Glenn

    I’m sorry but I’m confused as to what I need to do. So I just googled ‘Google Friend Connect’ and added Passpack as a site but this doesn’t make much sense to me. Could you please create a step by step guide on what you would like us to do so that we can use OpenID with Google and your site. I’ve only associated my Gmail account with my account and would be totally lost if I was locked out. How long until you will turn this off? Should I use my Yahoo ID and associate that with my account as well?

  2. Hi Glenn,
    Sorry the instructions weren’t clear. I’ll write up a step-by-step in the knowledge base and post the link here when it’s ready.

    Tara

  3. Colum

    Tara,

    Was there any chance of a security breach with this failure?

    Colum

  4. Francesco

    Passpack uses a two-factor approach. In order to sign in, a user must authenticate herself (the 1st factor) via the standard sign in or via 3rd Party Auth (Gmail, Facebook, etc.). After authentication, she has to type the Packing Key that decrypts the data and, before this, acts as a 2nd factor allowing the user to load the encrypted data.

    Currently, the Google/Gmail sign in doesn’t authenticate the user; it limits its action to recognizing her. This undoubtedly reduces the level of security, but a good Packing Key guarantees a strong level of security in any case.

    I suggest that all Google users who use Google/Gmail to sign in to Passpack:

    1. Connect to Passpack as usual.
    2. Associate a new Google Friend Connect to the account.
    3. When the association is complete, and you are in your account again, delete the association with the old Google/Gmail sign in.

    In the coming days, we will add a standard Two-factor Authentication. Initially, it will work only (and specifically) with the Google/Gmail sign in, in order to elevate again the level of security.

  5. Francesco

    @all
    Read the next post on this blog for more info: http://bit.ly/2KoZJL

  6. Amo

    Hello,

    What I don’t like about Google Friend Connect, it means you have to have a blog/site to have an “account” ! And I don’t use the other social services and I don’t want to create a whole new Yahoo address just for Passpack….so what do I do ?

    Thank you.

  7. Francesco

    @Amo

    If you don’t like GFC, you can always access using your standard Passpack sign in.

    If you haven’t one, you can go to the tab “Account”, click on “Set a User ID” and choose it.
    After, click on “Set a Password” and proceed. Now you have also a standard Passpack sign in.

    In the following, you can use both of them to connect to your account.

  8. Amo

    Hello Francesco,

    Thank you for the reply. Yes, I guess that is a good option.

    Do you want me to delete the current Gmail login association?

    Will Passpack continue to use Gmail at all? I suppose if “yes”, then you are re-doing the security all over again, and at a later time we can re-associate our Gmail accounts?

    Thank you.

  9. Francesco

    Hi Amo,

    If we find a new way to access and verify the GMail account without GFC, we will surely add again the full access via GMail. But it depends on Google. If they want people to migrate towards Google Friend Connect, we can do nothing.

    In my case, I have disassociated my Gmail from my Passpack account, and now I am using GFC. I didn’t have issues and all works perfectly. I didn’t need anything else.

    As you can imagine, I associated with my Passpack account all the available 3rd party auth. It is important to have at least a second active sign in, because if the principal one is unreachable we have another chance.

  10. Amo

    Dear Francesco,

    Thank you for your reply. You are totally right on the fact to have a second option to sign in to Passpack.

    I am very pleased with your service.

    I look forward to your desktop version! Will it be sort of like 1Password ? 1P is neat, but you can’t access from anywhere in the world, from any computer — thus my dedication to Passpack.

    Thank you again and good luck with your work!

    Amo

  11. Francesco

    Hi Amo,

    Passpack Desktop is a free installable application, based on Adobe AIR technology, that works on Mac, Windows and Linux.

    It was born to back up the online data, so that if, for example, Passpack is unreachable for some reason, you always have your data available on your PC.
    To do this, Passpack Desktop can synchronize the online and offline data.

    But, you can use the program as stand-alone, without limitation.

    Currently, the Desktop app is not updated to Passpack 7 and doesn’t support shared entries. But I am working on it to align it with the online version ASAP.
