All posts in “main”

Why we didn’t respond to your requests

Yesterday night, I discovered a bug in our support system. In a few words, the system didn’t read some users’ messages from the dedicated mailbox. Not all the messages, unfortunately, just some. Because some were arriving, everything seemed to be properly working.

Recently, I had noticed that I had asked some users for more details, but most of them didn’t answer. That was strange, but it seemed ok. Yesterday I received a message from a user that knows our help platform and suggested I check the system because maybe it could have been a problem with the mailbox. So last night I discovered that there was about one hundred messages archived as “answered” but really “unanswered” dating back months. Too bad :(

Today I tweaked the help system so that now it sends the support requests to a dedicated mailbox instead. We will use just email untill we will upgrade to another help system. Probably, for the most of those messages is too late to answer, but I will try to help, if it is still makes sense to reply.

I apologize for the inconvenience and I would like to thank the smart user that understood the problem and alerted me about missing messages. My primary focus is the Passpack application itself, this has to work as best as possible and it is my priority, so often I forget about checking up on the complex system of business tools that revolve around it.

So, if you didn’t received an answer from us in the last two months, you may receive one soon. Thanks for your patience.

New Home Page + 1 New Setting

To make life easier on you folks who go to the Passpack homepage in order to get to the login screen, we’ve added a login form right there for you.

We’re also testing a new home page design, so don’t be surprised if it looks different.

Since Passpack is a service offered via the browser, we’ve always battled with the distinction between “website home page” and “application home page”. Which one should you get when you simply go to Until now, that’s been the informational website.

But the scales have recently tipped, and the majority of folks now coming to Passpack already know about us (horray!). Our guess is that they want to head straight to the app  to either log in or sign up, instead of leafing through the informational pages. So today’s redesign is a test in that direction. We may keep playing with it – or not – in the coming days. Let’s see how it goes.

New Setting for Multiple Concurrent Sessions

Also pushed out today is a new option under Settings > Alerts. If you frequently receive the Operation failed because another session exists alert, then this setting may be for you.

But here’s the caveat: if you turn this alert off, and you don’t know what you’re doing, you could ruin your data. Yes, I just said you could ruin your data:

Passpack is built so that only one person should access one account at any given time. Should more than one account be open, Passpack will alert you and require that you establish a new session. This is an important security measure. It assures that an old version of your account does not override newly saved password changes from elsewhere. Additionally, it protects against people using the same account and overriding each other’s changes unknowingly, which may also sometimes cause corrupt or damaged data.

Only use this setting if you are a power user who works simultaneously across multiple browsers and knows enough to log out and refresh your data if you have even the slightest doubt that it might be stale. Even then, don’t say you weren’t warned.

The Better Way to Share

If you need to share passwords with someone, please open a separate account for each person, then use the password sharing features we’ve built specifically for this purpose.

If there are just two of you, you can do this each with your own free account. For groups of 3 or more people, you’ll require that one account upgrades to paid (usually a company account) then everyone else can keep their free accounts as usual. Also check out the Getting Started Guide PDF for a quick walk through of sharing features and how to set them up.

Gmail 3rd Party Login: No More Security Alerts

As one of our third party login options, we allow users to access Passpack with their Gmail login. Until now this was done via IMAP, today that’s changed.

Historically, we’ve had to change this feature a number of times. At first, it worked nicely, then Google made some changes. First we discontinued it, opting for friend connect instead. Then we reintroduced it with a the IMAP work around. This work around, alas, often caused Google to report suspicious log-in activity on your account. Yikes, that’s scary huh?

So, as of today, we’ve removed the IMAP workaround, and switched to Google OpenID. This will no longer fire off the warning.

Do Any Settings Need to Be Changed?

No. Though your login experience will be slightly different. Just go to the login page at as usual, press the Sign In with Gmail OpenID button, and Google will take care of the rest.

Make sure you use the same Gmail as always, otherwise it won’t work.

If you run into any troubles, just let us know.

Gawker Password Leak: Quickly Double Check for Reuse

There’s a lot of buzz around the Gawker Media leak of 1.3 million user accounts. If you use Passpack, you’re probably safe since you likely have unique passwords for every site.

From the the notice Gawker sent out (my emphasis):

This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site.

3 Quick Steps to Double Check

Here’s a quick way to double check your Passpack account, and make sure that your Gawker media password is not reused elsewhere.

  1. In your account, search for the names of any of the Gawker sites that you might have created an account and password for. Those are:
    • Lifehacker
    • Gizmodo
    • Gawker
    • Jezebel
    • io9
    • Jalopnik
    • Kotaku
    • Deadspin
    • Fleshbot
  2. Once you find an entry for one of these sites, copy the password.
  3. Paste the password into the search box now.

If no results are found: congrats! You’ve never reused the password and no other accounts are at risk. If you DO get a result, go change that password at the website, and make sure to record the new one in your Passpack entry.

Rinse and repeat for each one of the Gawker websites listed above.

If your business relies on protecting the access to your online accounts (and even “just” protecting your commenting cred accross the web), we highly recommend you take a moment to also do a more systematic check for weak passwords and change them.

Friends Don’t Let Friends Reuse Passwords

Remind your friends and coworkers to choose and use a password manager (I don’t care if it’s Passpack or not – just get them set up and safe for goodness sake!).

Know a business owner who needs some guidance in getting set up? Send them a note and attach Passpack’s PDF Getting Started Guide.

They’ll thank you for it. Really, they will.

Known Issue Fix: Passpack Desktop

This is a follow-on fix to an issue previously marked as resolved. There is a specific use case in which Passpack Desktop was improperly syncronizing with, causing deletion of some entries.

We believed this bug to be fixed with the previous release of Desktop (2.1.3), but apparently the following use case was still not being handled:

In a situation where you had some new entries created in the online version, and others in Desktop, none of which had been previously synced – when running the sync function from Desktop, some Desktop entries would be deleted instead of properly uploaded to

A new version of Passpack Desktop (2.2.1) is available for download which should correct the error. To get it, open Passpack Desktop, and go to Tools > Check for new releases.

We believe this should fix things, however if you continue to run into deleted entries issues, please let us know ASAP.

For those of you who wrote into customer support – thank you for your help. You should be receiving emails from us shortly.

Passpack Style & Auto-login Updates

Sunday night a slightly restyled Passpack rolled out, along with a new Passpack It! button improvement, and a bunch of other stuff under-the-hood.


Perhaps the most visible of the changes. We’ve been steadily adding features for the past year without any re-designs, so we’re now working to declutter the interface a bit. Let in a little fresh air.

For the moment, we haven’t actually moved anything on the screen, we’ve just set the stage. Expect to see continuous tweaks over the coming weeks and months. And, of course, if we move something, we’ll let you know where it went [smile].

Auto-login, Reinstall Your Button

The most significant changes are here, with your Passpack It! button. If you haven’t been already, you’ll soon be prompted to reinstall it.

The new button will work on approximately 30% more sites thanks to some tweaks we made to the handling of websites using certain  jQuery plugins on their login form – previously they failed, now we support them.

If you’ve had problems training a login form in the past, you might want to try again now. We’ll continue to wheedle away at them too.

More Auto-login

Beyond the performance of the button, we were able to work in additional Host-Proof Hosting support to the auto-login process. In short, this explanation of a proxy server for key exchange now only applies to browsers that do not support HTML5 (aka: older browsers).

Bug Fixes

We had numerous minor improvements and fixes. Too many to list. But if you’ve written into help in the past month or so about a bug, have a look again. It may be fixed now (and if it isn’t we’re still working on it).

There are still plenty more coming too.

More Under the Hood Stuff

Behind the restyling is the beginnings of a complete CSS / HTML refactoring (aka: we’re cleaning up the code that runs the site, not just what you see on screen).

Down the line, this will chip away and load times and make Passpack everyday a little faster. Some people say it feels faster already. Maybe it is magic [smile].

Evolving Passpack's Privacy Model

Passpack’s job is to let you store and share private data (passwords) in way that not even we can see them on our server. While it sounds very straightforward, that definition has been in the making since Dec. ’06.

When we first launched Passpack, we equally stressed both data privacy & security and personal privacy & anonymity. It’s anonymity that is up for discussion today.

Currently Passpack’s architecture has some throw-back structures to these early beginnings. Moving forward, these residual elements make it increasingly complex to solve what should be simple problems for you.

We’re planning some significant changes to the architecture, which will allow us to get a move on with some of the important features you’ve been requesting. But before we do so, we wanted to let you know about what those changes are, and give you a chance to voice your opinions.

Shared Tags, Global Groups & More

First – I’m going to details the pros and cons here, and at the end of the post there’s a survey for you to express your thoughts.

Share / Transfer Tags

This is the feature request that first made us wake up and rethink our architecture. It should be an easy enough thing to do to allow you to tag an entry, share it, and have the tags shared along with the entry itself. And technically we could do it with the existing architecture, but to do so would take an enormous amount of time and effort… and really would just be just postponing the underlying issue: are we making our users’ lives harder than need be by obsessively over-encrypting?

Current state - All tags are HPH encrypted in a single monoblock. On the server, Passpack doesn’t know the names of your tags, nor which ones are used on which entries. All of that matching happens on-the-fly on your computer after you’ve logged in.

The change – We’d like to remove the encryption from tags. This will mean that we may know what tags you are using. But unless you’re doing something really odd like using your password as a tag, this shouldn’t actually compromise your password privacy.

Global Groups & Group Admins

Global groups would allow folks to know when they’ve been assigned to a particular group and who else belongs to it. Building on that would be the ability for an account owner to designate someone inside the group as an administrator with permission to manage sharing privileges on the owner’s behalf. Both are pretty basic in most collaboration systems. Both are not possible with Passpack’s existing structure.

Current state - Passpack’s server knows the sharing nicknames of the people you’re connected with. But it does not know the names of your groups, if you’ve renamed any of your people, or which people belong to which groups. Like with tags, all of that matching happens in real-time directly on your computer. Groups exist locally, in your account, as an organizational tool only. The server knows nothing of them.

The change - We must first and foremost make the server aware of the groups you have created, and which people are assigned to them. This will reveal something about your organizational structure to Passpack, but will not compromise the privacy of your passwords.

More Flexibility in Entries

There are a bunch of suggestions in the forum which revolve around the concept of making entries more flexible. Things like customizing entries or storing things other than passwords would work perfectly fine with the system as-is. However some things, like setting reminders and tracking usage are inherently non anonymous, thus in conflict with the existing architecture.

Current state - The name, user id, password, notes, link and email of each and every entry are all HPH encrypted, in a single monoblock. If the entry is shared, Passpack knows the sharing nickname of all the folks involved, but that’s about it.

Also, the activity logs you see in your home page are not persistent. In other words, we can’t actually keep a running log.  Similar to the current approach with tags and groups, the changes in your account are deconstructed by the interface and  shown on screen as a notification on-the-fly. Once you log out, and log back in, that information is gone.

The change - We essentially want to split up the data between “needs to be encrypted” (password and notes) and “doesn’t need to be encrypted” (link and entry name).  While we could make some enhancements to entries now, it would be largely more scalable once we make this split. Also some items, like notifications, simply can’t be fixed unless we make this change.

Bonus: Customer Support

We often have folks writing in saying things like “hey I need help with the 5 entries that I shared with the group ABC.” or “the 10 entries for my tag XYZ” or simply “my Amazon entry”.  Alas, as of now, none of that information can help us locate your encrypted entries in our database. Usually, a lot of back and forth with the customer ensues to try and figure out which entries are the problem ones. It’s frustrating, or sometimes impossible and we’re literally unable to help.

The History of Passpack’s Architecture

For those who don’t already know, Passpack is Host-Proof Hosting (HPH). That means that not only is all your data encrypted, but it’s encrypted on your computer, before being sent to Passpack’s server for storage. The key to decrypt and read that data is your Packing Key, which never gets sent to the server at all. The net result is that Passpack only stores pre-encrypted data to which it does not have the key (aka: we can’t read your stuff).

That’s not changing. We are, and will always be a HPH company (heck, we’re HPH pioneers!). What is changing though is which data HPH gets applied to it, and why.

Striving for both data privacy and anonymity required us to apply HPH encryption to as much account data as possible. We jumped through amazing hoops to avoid accidentally finding out who our users were, or anything about them for that matter. But even back then, we knew a line needed to be drawn between reality and theory. We just chose to draw it in a different place than where it needs to be now.

Anonymity was a big request from our early adopter. Many early architectural decisions were based on their desire to keep their identity and activity on the web completely hidden. This was much more important to than, say, ease of use or convenience.

That was many years ago. Since then, Passpack has evolved into a collaboration tool used mostly by work groups and businesses. The large majority of these folks have a much bigger need for easy, convenient solutions, than they do for anonymity.

So… time to make some changes.

Tell Us Your Opinion

Ok, so I’ve laid it all out for you, Now tell me what you’re thinking with this super quick survey below.

Some News From The Hills

A couple of quick updates. Passpack Mobile got a mention in Inc magazine yesterday (wow!) and BizTechDay just published the video demo I did there a couple of weekends ago.

There were some interesting technologies demoing – check them out below:
(or go direct to Passpack ‘s 5 minutes of fame here)

On a side note, BizTechDay was fantastic! Edith does a great job of mixing quality speakers with an intimate sized event so that you get real face time with some pretty incredible people.

Hilights: Joan Barnes knocked it out of the park for me, with her rocky tale of a CEO going IPO, loosing herself, then finding herself again. And who can resist watching Dave McClure warn the entrepreneurs in the audience “Don’t bum rush me with your pitches when I get off this stage, or I’ll refuse to fund you just for not listening.”  Classic.

If you’re running your own company, I highly suggest you try and make the next event.

Making Credit Card Payments

Passpack uses PayPal to process our credit card payments. It came to our attention that many of you who’d like to pay by credit card, get set back by the login screen that appears during the payment process.

Have no fear, you do not need a PayPal login to upgrade your Passpack account. You may use any credit card.

Admittedly, PayPal does a terrible job of making this clear. In an attempt to sign up as many new users to PayPal as possible, they all but hide the link to simply make a credit card payment – without logging in.

Today we’ve added a few extra instructions to our purchasing process. Hopefully this will make paying easier for you. So if you’ve put off upgrading your Passpack account in the past, now is a good time to give it another try.

To upgrade, go to Account > Pricing and Packages inside your Passpack account.

Mobile Secure Messages: Check!

Continuing in our promise to keep delivering on Passpack Mobile, today we’ve rounded out the final features for Secure Messages.

You now have complete control of your secure messages. Beyond the sending and receiving that was already available, you now also have the ability to reply-to a message, add it to your favorites, or delete it entirely.

For tighter screen optimization, the message composing box appears only after you’ve actually selected a recipient from the send to selector. And finally, we’ve made reading the messages a little faster by removing the show/hide option on mobile (who needs the extra tap?). We’ll likely be propagating these last two tweaks to the standard web interface as well.

So now you’re fully equipped to replace texts with secure messages whenever you’re sending really sensitive information. Enjoy the privacy!