Blog

UsePass: Third Party Chrome Extension For Passpack Autologin

Four weeks ago Kenneth Henderick contacted me because he wanted to build a Chrome extension to substitute the Passpack It! button, improving it. I really liked the idea, so we worked together a bit and I added some features to Passpack in order to provide him with what he needed to build UsePass.

If you are a Chrome user, you can download and install it from here.

UsePass supports multiple accounts. So, if you administer a company account and also have your personal account, you don’t need two buttons anymore.

It also supports a keyboard shortcut. This is very useful because one of the limitations of the Passpack It! button is that the browser’s toolbar has to be visible for you to click it. So when a login form is displayed in a popup window – without toolbars or a menu – it won’t work, simply because you cannot click it. With UsePass you press your keyboard shortcut and you are magically logged in to the website.

What About Security?

As you probably know, the Passpack It! button contains a special Autologin Key used to encrypt and decrypt the data necessary in order to autologin to websites. This is important because it also guarantees that the autologin data temporarily stored in our database is encrypted and fully adheres to Host-Proof Hosting.

UsePass, to do its job, needed to know this Autologin Key. Since it can only access DOM elements in the Passpack page, I added some special hidden DIVs containing the User ID, Autologin Key and the Autologin Key reduced hash. UsePass, during configuration, reads this data and has all it needs to do its job.

A note. UsePass simply runs the same process the Passpack It! button runs. So, if the autologin doesn’t work on some website, don’t write to Kenneth, write to us. :)

Have Fun

I installed the extension and it works perfectly. Also, Kenneth told me that if the UsePass for Chrome is appreciated by users, then he could develop a Firefox version as well. That would be great, wouldn’t it? So give him your feedback.

NOTE: Currently UsePass doesn’t support the double-click of the button. You need it, for example, to add a new entry to your account directly from the signup page of a new website, or to copy/paste your credentials when autologin doesn’t work. Don’t worry, Kenneth will add it soon.


Why Masked Passwords Are a Serious Security Hole

Time after time, there are users that ask for the possibility to share “masked passwords” with other people. What is a “masked password”? It is something that you share with another user in a way that allows him to use it (for example for autologin) without actually seeing the password itself.

When I respond that this isn’t possible to implement in a secure way, and that I don’t want to open a security hole in the Passpack experience, people have pointed out to me that other software offers this feature. Unfortunately, several users have left Passpack for this missing “feature”. So I’d like to explore the matter further with you.

Look At How Easy It Is

You probably are not a Javascript expert. And you probably think that it is necessary to be a Javascript ninja to intercept a “masked password”. However, that isn’t so. Look at the following code:

var Jq;
(function () {
  var D = document,
  h = D.getElementsByTagName('head')[0] || D.documentElement,
  s = D.createElement('script');
  s.src = 'http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js';
  h.appendChild(s);
  function run() {
    if (typeof jQuery != 'undefined') {
      Jq = jQuery.noConflict(true);
      Jq('input:password').change(function () {
        alert(Jq(this).val());
      });
      alert('Ready.');
    }
    else setTimeout(run, 50);
  }
  setTimeout(run, 50);
})();

Even if you don’t understand what’s written there, you’ll notice that it’s short. This bookmarklet code loads a standard Javascript framework (in this case jQuery) and runs the handler (the Jq('input:password').change(...) part) that “watches” every password field. When the content of a password field changes, this code will cause the browser to show you an alert revealing the password in the field.

Now imagine that you had shared a “masked password” with a co-worker. You may feel safe because you believe that, since he cannot read your password, he cannot access it. This false sense of security would likely lead you to ignore the best practices of sharing, e.g. changing the password every time you remove someone from sharing. In other words, you would probably continue to use your no-longer-safe password.

Without knowing any programming language, your co-worker could load a login page, run a simple Javascript code like the one above, click the button that starts the autofill… et voilà, he’d know your top-secret “masked password”.

Do You Want To Try?

Drag the following link (containing the code above) onto the bookmark bar of your browser:

Afterwards, go to any site you want and see for yourself how easy it is to capture your passwords. Alas, you can also verify that it works with all the popular password managers, regardless of whether or not they use password masking.

What About If There’s No Javascript Enabled?

Imagine that there is a super-magical-auto-filler that deactivates Javascript before filling the password field. Would this make you safe? No, because your “masked passwords” can be captured even without using Javascript.

How? Here’s an example for which you would need to be a little more creative, even if not to write much code. You could install a web server like XAMPP on your computer and create a catch-all index file that prints everything it receives. This would require just one line of PHP:

<?php print_r($_POST); // dump every POSTed form field, password included

Then:

  • You connect to the website that you want the password for, for example Google
  • You edit your local hosts file and assign google.com to your local IP, 127.0.0.1
  • Click the autofill button to log in to Google
  • When the browser complains that the certificate is wrong, click “ignore it and continue”

As you can guess, the next page will print the content of the form that should have been received by Google, but was instead intercepted and printed to your screen. Once again, the masked password has been revealed.

Conclusion

There are plenty of other techniques that a person could use to capture a password field from within his browser. The real takeaway here is to understand that it is not possible to truly mask a password that transits through the user’s browser. So, please, don’t tempt fate. Change your password every time it is necessary, especially after having removed someone from sharing it.


New themes for Passpack

Are you tired of always seeing the same colors in your Passpack account? Or would you simply like a change?

From today you can. We added the possibility to select a theme in ‘Settings > Appearance’. There are only three themes for now, but we can certainly add more as time goes on if you like it.

And to stimulate you guys to actually try out the new functionality, we’ve changed the default theme from the original cool-green to a brighter one.

Personally, I love the new green, but if you prefer the old one or want to try the new ice-white, you can simply go to Settings > Appearance to change it back. You’ll see the change in real time in your browser.

Last but not least, if you want to suggest a new theme with your preferred colors, let us know and we will add it for you.

Why we didn’t respond to your requests

Yesterday night, I discovered a bug in our support system. In a few words, the system didn’t read some users’ messages from the dedicated mailbox. Not all the messages, unfortunately, just some. Because some were arriving, everything seemed to be properly working.

Recently, I had noticed that I had asked some users for more details, but most of them didn’t answer. That was strange, but it seemed OK. Yesterday I received a message from a user who knows our help platform and suggested I check the system, because it could be a problem with the mailbox. So last night I discovered that there were about one hundred messages archived as “answered” but really “unanswered”, dating back months. Too bad :(

Today I tweaked the help system so that it now sends the support requests to a dedicated mailbox instead. We will use just email until we upgrade to another help system. Probably, for most of those messages, it is too late to answer, but I will try to help if it still makes sense to reply.

I apologize for the inconvenience, and I would like to thank the smart user who understood the problem and alerted me about the missing messages. My primary focus is the Passpack application itself; it has to work as well as possible and it is my priority, so I often forget to check up on the complex system of business tools that revolve around it.

So, if you didn’t receive an answer from us in the last two months, you may receive one soon. Thanks for your patience.

New Home Page + 1 New Setting

To make life easier on you folks who go to the Passpack homepage in order to get to the login screen, we’ve added a login form right there for you.

We’re also testing a new home page design, so don’t be surprised if it looks different.

Since Passpack is a service offered via the browser, we’ve always battled with the distinction between “website home page” and “application home page”. Which one should you get when you simply go to Passpack.com? Until now, that’s been the informational website.

But the scales have recently tipped, and the majority of folks now coming to Passpack already know about us (hooray!). Our guess is that they want to head straight to the app to either log in or sign up, instead of leafing through the informational pages. So today’s redesign is a test in that direction. We may keep playing with it – or not – in the coming days. Let’s see how it goes.

New Setting for Multiple Concurrent Sessions

Also pushed out today is a new option under Settings > Alerts. If you frequently receive the “Operation failed because another session exists” alert, then this setting may be for you.

But here’s the caveat: if you turn this alert off, and you don’t know what you’re doing, you could ruin your data. Yes, I just said you could ruin your data:

Passpack is built so that only one person should access one account at any given time. Should more than one session be open on the same account, Passpack will alert you and require that you establish a new session. This is an important security measure. It assures that an old version of your account does not override newly saved password changes made elsewhere. Additionally, it protects against people using the same account and unknowingly overriding each other’s changes, which may also sometimes cause corrupt or damaged data.

Only use this setting if you are a power user who works simultaneously across multiple browsers and knows enough to log out and refresh your data if you have even the slightest doubt that it might be stale. Even then, don’t say you weren’t warned.
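The stale-session problem described above, as an added example (not Passpack’s own code): each copy of the account carries the revision it was loaded from, and a save is refused when the server has moved on, which is exactly the case the alert protects you from. The names AccountStore, load and save are hypothetical.

```javascript
// Added example, not Passpack's code. Models a "one session at a time" check:
// a save is accepted only if the session's base revision is still current.
class StaleSessionError extends Error {}

class AccountStore {
  constructor(entries) {
    this.rev = 1;                  // server-side revision counter
    this.entries = { ...entries }; // constructed sample data
  }

  // A session loads the account and remembers the revision it started from.
  load() {
    return { baseRev: this.rev, entries: { ...this.entries } };
  }

  // A session writes its whole copy back. If another session saved in the
  // meantime, the base revision is stale and the save is refused instead of
  // silently reverting the other session's changes.
  save(session) {
    if (session.baseRev !== this.rev) {
      throw new StaleSessionError(
        `based on rev ${session.baseRev}, server is at rev ${this.rev}`);
    }
    this.entries = { ...session.entries };
    this.rev += 1;
    session.baseRev = this.rev;    // the saving session is current again
    return this.rev;
  }
}

// The scenario from the post: two browsers open on the same account.
function demo() {
  const store = new AccountStore({ gmail: 'old-secret' });
  const browserA = store.load();
  const browserB = store.load();

  browserA.entries.gmail = 'new-secret';  // A rotates a password
  store.save(browserA);                    // accepted: rev 1 -> 2

  browserB.entries.twitter = 'hunter2';    // B, still on rev 1, adds an entry
  let outcome;
  try {
    store.save(browserB);                  // refused: would revert gmail
    outcome = 'overwritten';
  } catch (e) {
    outcome = e instanceof StaleSessionError ? 'refused' : 'error';
  }
  // What the post tells power users to do: reload, then redo the change.
  const fresh = store.load();
  fresh.entries.twitter = 'hunter2';
  store.save(fresh);                       // accepted: rev 2 -> 3
  return { outcome, entries: store.entries, rev: store.rev };
}
```

Turning the alert off corresponds to skipping the baseRev comparison in save(), after which browser B’s write would quietly restore the old Gmail password.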

The Better Way to Share

If you need to share passwords with someone, please open a separate account for each person, then use the password sharing features we’ve built specifically for this purpose.

If there are just two of you, you can do this with a free account each. For groups of 3 or more people, one account will need to upgrade to paid (usually a company account); then everyone else can keep their free accounts as usual. Also check out the Getting Started Guide PDF for a quick walkthrough of the sharing features and how to set them up.

Gmail 3rd Party Login: No More Security Alerts

As one of our third party login options, we allow users to access Passpack with their Gmail login. Until now this was done via IMAP, today that’s changed.

Historically, we’ve had to change this feature a number of times. At first it worked nicely, then Google made some changes. First we discontinued it, opting for Friend Connect instead. Then we reintroduced it with an IMAP workaround. This workaround, alas, often caused Google to report suspicious login activity on your account. Yikes, that’s scary, huh?

So, as of today, we’ve removed the IMAP workaround, and switched to Google OpenID. This will no longer fire off the warning.

Do Any Settings Need to Be Changed?

No, though your login experience will be slightly different. Just go to the login page at passpack.com/gmail as usual, press the Sign In with Gmail OpenID button, and Google will take care of the rest.

Make sure you use the same Gmail as always, otherwise it won’t work.

If you run into any troubles, just let us know.

Gawker Password Leak: Quickly Double Check for Reuse

There’s a lot of buzz around the Gawker Media leak of 1.3 million user accounts. If you use Passpack, you’re probably safe since you likely have unique passwords for every site.

From the notice Gawker sent out (my emphasis):

This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site.

3 Quick Steps to Double Check

Here’s a quick way to double check your Passpack account and make sure that your Gawker Media password is not reused elsewhere.

  1. In your account, search for the names of any of the Gawker sites that you might have created an account and password for. Those are:
    • Lifehacker
    • Gizmodo
    • Gawker
    • Jezebel
    • io9
    • Jalopnik
    • Kotaku
    • Deadspin
    • Fleshbot
  2. Once you find an entry for one of these sites, copy the password.
  3. Paste the password into the search box now.

If no results are found: congrats! You’ve never reused the password and no other accounts are at risk. If you DO get a result, go change that password at the website, and make sure to record the new one in your Passpack entry.

Rinse and repeat for each one of the Gawker websites listed above.
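The same three-step check, written out as an added example that is not part of the original post: it runs over a constructed list of vault entries (placeholder passwords, not real ones), reports which other entries share a Gawker site’s password, and also does the wider all-passwords reuse check the post recommends below. The entry format (name, user, password) is an assumption.

```javascript
// Added example, not Passpack's code. The nine site names come from the post.
const GAWKER_SITES = ['Lifehacker', 'Gizmodo', 'Gawker', 'Jezebel', 'io9',
                      'Jalopnik', 'Kotaku', 'Deadspin', 'Fleshbot'];

// Constructed sample vault; the passwords are placeholders.
const VAULT = [
  { name: 'Gizmodo comments', user: 'alice', password: 'Pa55word!' },
  { name: 'Bank',             user: 'alice', password: 'x7#Lq9!vR2' },
  { name: 'Webmail',          user: 'alice', password: 'Pa55word!' },
  { name: 'Kotaku',           user: 'alice', password: 'k0tAku-only' },
  { name: 'Forum',            user: 'alice', password: 'Pa55word!' },
];

// Step 1: an entry counts as a Gawker entry if its name mentions one of the sites.
function isGawkerEntry(entry) {
  const name = entry.name.toLowerCase();
  return GAWKER_SITES.some(site => name.includes(site.toLowerCase()));
}

// Steps 2 and 3: for each Gawker entry, "search" the vault for its password
// and list every other entry that comes back as a hit. An empty list means
// the password is unique and nothing else is at risk.
function checkGawkerReuse(vault) {
  const report = {};
  for (const entry of vault.filter(isGawkerEntry)) {
    report[entry.name] = vault
      .filter(other => other !== entry && other.password === entry.password)
      .map(other => other.name);
  }
  return report;
}

// The systematic check: group every entry by password and keep the groups
// used by more than one entry, whatever the site.
function findAllReuse(vault) {
  const byPassword = new Map();
  for (const entry of vault) {
    if (!byPassword.has(entry.password)) byPassword.set(entry.password, []);
    byPassword.get(entry.password).push(entry.name);
  }
  return [...byPassword.values()].filter(names => names.length > 1);
}
```

On a real export, replace VAULT with the decrypted entry list; each group returned by findAllReuse is a set of sites that need a fresh, distinct password.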

If your business relies on protecting access to your online accounts (or even “just” protecting your commenting cred across the web), we highly recommend you take a moment to also do a more systematic check for weak passwords and change them.

Friends Don’t Let Friends Reuse Passwords

Remind your friends and coworkers to choose and use a password manager (I don’t care if it’s Passpack or not – just get them set up and safe for goodness sake!).

Know a business owner who needs some guidance in getting set up? Send them a note and attach Passpack’s PDF Getting Started Guide.

They’ll thank you for it. Really, they will.

Known Issue Fix: Passpack Desktop

This is a follow-on fix to an issue previously marked as resolved. There is a specific use case in which Passpack Desktop was improperly synchronizing with Passpack.com, causing the deletion of some entries.

We believed this bug to be fixed with the previous release of Desktop (2.1.3), but apparently the following use case was still not being handled:

In a situation where you had some new entries created in the online version, and others in Desktop, none of which had been previously synced – when running the sync function from Desktop, some Desktop entries would be deleted instead of properly uploaded to Passpack.com.

A new version of Passpack Desktop (2.2.1) is available for download which should correct the error. To get it, open Passpack Desktop, and go to Tools > Check for new releases.

We believe this should fix things; however, if you continue to run into deleted-entry issues, please let us know ASAP.

For those of you who wrote into customer support – thank you for your help. You should be receiving emails from us shortly.

Billing System

The billing system is temporarily not allowing upgrades. We’ll alert you when it is back online.