Thanks to our faithful beta testers*, the new release of Passpack Desktop is ready for you to download and install.


(instructions & FAQ here if you need them)

What’s New?

  • Many of your favorite features from
    • bulk entry management
    • see your people tab (read only)
    • click icons to copy content from your list
    • updated entry window
  • Offline only entries clearly marked with “local” tag.
  • Sync and view shared passwords [hooray!]
  • Sync tags and favorites settings from online (optional)
  • And the ever-important: shiny black chrome

Passpack Desktop is Your Best Backup

Should you ever get stuck without an internet connection – you’ll be really happy you have a copy of all your important passwords in your Passpack Desktop.

So install it now.

If you have never installed Passpack Desktop before, or do not know how to synchronize it, it’s pretty easy. Just read the instructions here.

* Two notes for beta testers: (1) Just go to Tools > Downgrade to stable version and your Beta version will be upgraded to the latest stable release. (2) Thank you!!!


  1. Reedy

    Just installed it, and it contains my current password entries, but when I tried to sync with, I get an error message ‘Sorry, the Passpack server refuses to speak to you (that isn’t nice!). Usually this happens when your login credentials for Passpack online and offline don’t match. If you have changed your User ID, Password or Packing Key online, you’ll need to do the same in your Passpack Desktop in order to use the synchronize feature.’
    I havn’t changed any of my details, why am I getting this error message. My old Passpack Desktop worked fine.

    • @Reedy
      Hm. This shouldn’t happen. Can you try uninstalling your Desktop and reinstalling it? Alternatively try actually changing the password in both systems and see if it’ll sync.

      Let me know how that goes.

  2. Reedy

    OK. Have gone through ‘Add – Remove Programs’ and removed Passpack Desktop. Rebooted, and downloaded PasspackDESKTOP_2-0-1.air and installed. The app starts immediatly following installation, and suprisingly is already showing my account name on the ‘Packing Key’ screen – before I have even entered any details whatsover. How did it know my account name?
    If I enter my packing key – I can see my passwords.
    If I try and sync – I get the same error message as before.

  3. Reedy

    Re-started Passpack Desktop, entered packing key, and went to Account/delete local account, and followed the prompts.
    Passpack then asked for my username/password, followed by packing key.
    The app then synced OK, and have also tried syncing via the menu, and it works great.

  4. Francesco

    Removing an Adobe AIR application, the “encrypted local storage” associated to the application isn’t deleted. So, when you reinstalled Passpack Desktop, you reloaded your previous status. It’s normal.
    But, if your local account is disaligned with the online account you will experience the same issue.
    Deleting the local account and restarting is the perfect solution.

  5. fungogh

    hey guys,
    after the install completes am getting the following error message: “The installation of this application is damaged. Try re-installing or contacting the publisher for assistance.”
    I performed MD5 checksum comparison – is OK. Re-downloaded, reinstalled the .air file…same. Am running Air 1.5.3 and various Air apps are running well on the PC, I even freshly downloaded and installed some to be sure. Everything is executed with elevaed privileges. Using Win 7 Enterprise 32-bit.
    Any suggestions?

  6. Gershon

    how do I install this on my Mac?

  7. fungogh

    1.) get Air for Mac:
    2.) download & install passpack .air binary

  8. MIke W.

    i keep getting The installation of this application is damaged. Try re-installing or contacting the publisher for assistance any ideas

  9. Thx passpack. You make life easier.

  10. New version is great! Thanks. I have encountered one reproducible bug however.
    Mac OS X 10.6.2
    Adobe Air
    Passpack 2.0.2

    When I go to shutdown, it automatically halts (putting up dialog box indicating that Passpack halted the logout/shutdown) the shutdown and I have to do it again.
    Tried it with another Air application and this does not happen.

  11. Hi, I have pointed in my ( one fundamental flaw of your service. How do you plan to address that flaw?

  12. Francesco


    I read your post. You say:

    “The problem is that most of the code that decrypts your sensitive data can be updated in few seconds without sending warnings to you. If someone compromises the host, he can modify the code they serve to send the key or the decrypted data back to him, and he can update the code again to behave normally whenever he wants.”

    If you use Passpack Desktop you can view and verify the Javascript code. But I suppose that you was referring to the online version. Theorically it is possible, but it is extremely difficult because our online code is continually monitored with procedures that stop the service if suspect code is found.

    After you say:

    “I would trust only a tool that: (1) is open source and (2) isn’t updated automatically”.

    I understand but I disagree.

    1. An open source application is more secure only if there is a large comunity that works on the code. If not, it is less secure because the only really interested in study all the code is someone that want to crack the application.

    2. A web application that is not automatically updated is less secure because if we discover a bug or a vulnerability, we want to update it immediately. If you want to verify the update, you could continue to use a bad version of the code. This is not safe. Also, in order to have advantage from the check of the code you must be capable to analize the code and understand that it is safe or not. Trust me, this is almost impossible. A code as Passpack (or LastPass) is too complex to allow this in acceptable times.

    IMHO, you have to trust the service provider. An auto-trust web application is pure utopia.

  13. @Francesco

    You said

    “our online code is continually monitored with procedures that stop the service if suspect code is found”

    I don’t know if those procedures are also hosted by your company but if it is the case, a person who compromises the code can also alter the procedures, and it will be in vain.

    There is a concern about a virtual attack to your company, or a Government Agency taking over your code, or some bad employee doing wrong things, etc. Because of all these things you can’t say that you are “host proof” when you really aren’t.

    The only solution for this dilemma that I see is that the code must be static and auditable.

  14. Francesco

    Hello Jader,

    Our monitoring is a mix of internal and external services.

    I understand your feeling, but Host-Proof Hosting most not be seen as the absolute security. It is simply a privacy pattern.

    If you compare an HPH system with a standard system you can easily see that (if the server security measures are the same) the first is more secure, because

    (1) if an attacker compromises the first, he must try to grab some data in real time, with the high risk that the monitoring services discover his actions

    (2) if an attacker compromises the second he can copy all the data, causing a disaster

    IMHO this is a huge difference.

    Static code is an unsafe solution because if we discover a vulnerability we have to update it immediately. With a static-audit solution this would not be possible. Also, a similar process is too expensive for a very small company like Passpack.

    In my idea a full HPH is possible only with the following process:

    1. Passpack updates a library
    2. An external authority checks it and publishes a checksum
    3. The browser, during upload, asks the authority for the checksum and verifies the code before activating it

    In order to make this real, all browsers must implement a protocol similar to SSL, not oriented to the domain, but to the code. Any other solution fails.

    We do our best to offer a good service, but we can not change the world (although we’d like to).

  15. Francesco

    Hi Jader,

    Just a consideration. In this post we were talking about Passpack Desktop.
    It is a perfect example of what you want. In fact, it is released with a checksum. You can verify it and you can audit all the code – because it is compressed but not-obfuscated Javascript.

  16. Hi Francesco,

    Have you seen LastPass product browser integration? If we could have this kind of integration with the security of Passpack Desktop it would be the best of both worlds.

Leave a Reply