All posts in “OpenID”

New Features From the Suggestions Box

While we work on the upcoming mobile release, I thought I’d reach out and ask for your thoughts on a few other ideas from the suggestions forum. Like ’em? Vote ’em!

Pre-populated Accounts

Having a hard time getting staff on board? This idea is for creating shared accounts for them from inside your paid administrator account. No more waiting for replies to invites. Vote for it here.

(tip: Download the Getting Started Guide for Administrators PDF)

Suspicious Activity Alerts

Get an email or SMS when someone logs in from outside a designated IP range. Vote for it here. If you like this, you might also like the Logs & Audit Trail idea.

Password Reminders

Set an email alert when it’s time to change a password or for other “things to do regarding this entry”. What do you think? Let us know how you would use a feature like this.

Account Beneficiary

Delegate a person (or people) who can recover your account in the event you get abducted by aliens. A fancy alternative to saving a print-out of your Passpack login. Vote for it here.

Passpack OpenID Provider

So you have some OpenID accounts, each with its own password, which are stored in your Passpack. Cool. If Passpack were an OpenID provider, would that save you some clicks? Vote for it here.


Now you folks go off and vote. It’s heads down on the mobile version for me. Coming soon to a smartphone near you.

Passpack's Whitelist…It's Unanimous

We previously mentioned our thoughts on Passpack and OpenID. The feedback was almost unanimous: you as users all seemed to be opposed to the idea of Passpack keeping a whitelist of OpenID providers.

Just for clarity’s sake, the idea only came into our heads because we were trying to stay consistent with the level of security we like to offer Passpack users.

So What Is Our Take On the Issue Now?

We have decided that the OpenID providers that work well with Passpack will be presented on the Passpack Sign In Page.

*An important note – we have verified that logging in with a delegated name (an OpenID URL on your own domain that points to one of these providers) should be no problem.

But We Don’t Want To Limit You

As we have always stressed – your Pack is yours. Log in with whichever OpenID you prefer, but there are two things I would like to point out:

1. If you try to log in to Passpack with any OpenID provider that has been submitted to PhishTank as a suspected phishing site, Passpack will warn you.

2. Even if you don’t see an icon for your preferred OpenID provider, you can still use it at your discretion by clicking the appropriate icon.

Let us know what you think!

What Is Passpack Up To Now?

The Passpack office is buzzing like a busy bee with all its new additions and if you have been following the blog, you probably know what’s keeping us so busy. Here’s a rundown on what’s been going on and what you can expect.


It’s coming. Francesco, Giuseppe and Grzesiek are working hard on giving OpenID the final touches it needs. So sit tight because it will be up and running in no time.

As for all the talk on which OpenID providers will be on the “whitelist” – it’s pretty clear from the previous post that you all have blacklisted the idea of a whitelist. And with very good reason. We’re thinking this over and we’ll talk more about this in another post.


We have been hinting here and there about Passpack Mobile and I am going to hint again. We tried once before, but limited mobile browser capabilities prevented us from releasing a mobile version. Beta 6 gave Passpack the necessary foundations to grow as an application and implement more features – one of which is mobile.

When can you expect it? – Now why would I ruin the surprise by answering that…


What’s this you say? We haven’t talked much about sharing, but here is another morsel of fun – Tara, Laura and Gianluca are currently setting up the user interface needed for sharing.

What Else?

There are tons of things on our ‘to do’ list and this is just a taste of what’s to come. Our main focus at the moment is getting OpenID ready for you, but keep your eye out for the rest…and more…

A Question For Passpack Users With OpenID

We have linked to a few of the common threats OpenID poses and will talk more about them in the future. Now, I’d like to address one in particular, which has inspired this post and brought up a very important issue regarding Passpack’s support of OpenID.

Let’s have a look at the problem…

Here’s What Should Happen:

You type your OpenID into Passpack. Passpack directs you to a 3rd party – your OpenID provider. Your OpenID provider authenticates that you are who you say you are and then redirects you to the Passpack Anti-Phishing Welcome Message Page. You verify your welcome message, click on the black box and then you are asked to type your Packing Key.

Here’s What Could Happen:

(*For all intents and purposes, we will call the Provider in this example “Malicious Provider”)

You type your OpenID into Passpack. Passpack directs you to a 3rd party – your OpenID “Malicious Provider”. The “Malicious Provider” knows who you are and where you want to log in – in this case Passpack. Instead of sending you back to Passpack, it redirects you to a fraudulent copy of the Passpack Anti-Phishing Welcome Message Page (so you would not see your anti-phishing message). Let’s say you somehow don’t notice that your anti-phishing message is missing, or perhaps you haven’t set one up yet (set it up!) – so you click on the black box. Then you type in your Packing Key, and in doing so you have just unknowingly given it to the “Malicious Provider”.

Always, always, always check your anti-phishing welcome message. It is there to protect you. If you do not see it immediately CHECK THE URL and make sure it is If either one or both of these do not match up, follow the steps on this page.
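What the “check the URL” step amounts to in code, as an added JavaScript example (not code from Passpack or from this post): a small check that refuses to treat a page as the sign-in page unless it is served over HTTPS from exactly the host you expect, run against the kinds of look-alike URLs a malicious provider could redirect you to. The host name `www.passpack.com` and the sample URLs are assumptions constructed for the example.

```javascript
// Added example, not Passpack code: the "check the URL" step as code.
// A malicious OpenID provider can send you to a look-alike of the Packing
// Key page, so before typing the key, check that the page is served over
// HTTPS by exactly the host you expect. TRUSTED_HOST is an assumption.
const TRUSTED_HOST = "www.passpack.com";

function isTrustedSignInUrl(urlString, trustedHost = TRUSTED_HOST) {
  let url;
  try {
    url = new URL(urlString);               // WHATWG parser (browser and Node)
  } catch (e) {
    return false;                           // not even a URL
  }
  if (url.protocol !== "https:") return false;   // no TLS, no trust
  // url.hostname is what the browser actually connects to: userinfo such as
  // "www.passpack.com@evil.example" has been stripped, case is normalised,
  // and non-ASCII look-alike labels are already punycode ("xn--..."), so a
  // plain string comparison against the ASCII host is enough.
  return url.hostname === trustedHost.toLowerCase();
}

// The post's rule has two parts: the URL and the anti-phishing message.
// Only type the Packing Key when both checks pass.
function mayEnterPackingKey(urlString, sawWelcomeMessage) {
  return sawWelcomeMessage === true && isTrustedSignInUrl(urlString);
}

// Constructed sample URLs of the kind a "Malicious Provider" could use.
const SAMPLE_URLS = [
  "https://www.passpack.com/",                                  // real
  "https://www.passpack.com/openid/return?openid.mode=id_res",  // real
  "https://WWW.PASSPACK.COM/",                                  // real (case)
  "http://www.passpack.com/",                                   // no TLS
  "https://www.passpack.com.evil.example/",                     // extra label
  "https://www.passpack.com@evil.example/",                     // userinfo trick
  "https://evil.example/www.passpack.com/",                     // host in path
  "https://www.pаsspack.com/",                                  // Cyrillic "а"
  "javascript:alert(1)",                                        // not a web page
];

function classify(urls) {
  return urls.map((u) => ({ url: u, trusted: isTrustedSignInUrl(u) }));
}

for (const r of classify(SAMPLE_URLS)) {
  console.log((r.trusted ? "OK     " : "REFUSE ") + r.url);
}
```

Only the first three sample URLs pass; everything else, including the address with a genuine-looking host name before an `@`, is refused, because the check is made on the host the browser would actually connect to rather than on what the address bar looks like.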

How Can This Risk Be Avoided?

First off, it’s important to emphasize that before creating an OpenID account, you should always do your research, check implemented security features, and if all this is not common practice for you – go with the brand you know.

It is probable that a single user will end up with various OpenIDs from multiple providers, some well known and some not. This is where things get tricky. With the growing number of OpenID providers, phishing scams are an immediate concern, and it will become more and more difficult to judge the intentions of lesser known providers.

If you want to login to Passpack (or any site for that matter)  with a lesser known OpenID provider and that provider is actually a Phisher, you can find yourself in a difficult situation. (I by no means intend to imply that lesser known providers are Phishers. This is purely an example of a possible security concern and I use the lesser known sites as a prime example only because it is more difficult to verify their credibility.)

Passpack’s Question To You

Passpack has decided to create an OpenID Whitelist (which we are still putting together). This means that we will only be accepting OpenIDs from certain providers. We know this may be an inconvenience to some of you, especially if you are using an alias OpenID, a work administered OpenID or just an OpenID that you have created for yourself.

For example, if Francesco were to try to log in to Passpack with his OpenID, he too would be denied. So the question is:

What Would You As Our Users Prefer?
A. Passpack recommend and accept certain OpenID providers and allow no other providers.
B. Passpack recommend and accept certain OpenID providers and any others should be used at your own risk.
C. Other suggestions?

UPDATE: Some great ideas in the comments. Keep them coming!

Passpack Security Just As Strong With OpenID

Passpack’s recent announcement of soon becoming an OpenID supporter sparked quite a few questions. One of those questions in particular requires a post to be answered – “How will Passpack support OpenID and at the same time prevent phishing?”

Passpack has always dedicated itself to ensuring full user security and privacy and it always will. We thought long and hard before deciding whether OpenID was right for us and our users. We specifically have users choose long and strong Pass Phrases and Packing Keys to eliminate unnecessary risks, so why would we choose to support OpenID, an authentication system with quite a few publicized flaws? Because we will not compromise Passpack security.

How Can OpenID Be Considered Risky?

OpenID has a long way to go before becoming a standard in sign-on, and some say an even longer way to go before it is considered a secure protocol. As an authentication system OpenID is gaining adoption, but on a security level it’s being closely scrutinized. Issues range from traditional phishing attacks to those targeted more specifically at OpenID users. (Here is an excellent demo of how a man-in-the-middle attack can phish your OpenID account.)

Some worry also lies in attacks such as DNS poisoning, cross-site scripting or CSRF. If these are concerns, or if these terms are unfamiliar, it’s a good idea to go with some of the more well-known providers, which usually have measures in place against such attacks.

Here are a few that we like here at Passpack because of their high security standards:

Passpack’s Safety Lies In The Packing Key

Even if your OpenID account is ever somehow compromised, the data in your Passpack account is not exposed by that alone. How can we ensure this? – Your Packing Key.

If you’re an OpenID user, you will be able to access your Passpack account by entering your OpenID instead of the usual UserID and Pass Phrase. Luckily, there is one step you will not be able to avoid. Your personally chosen Packing Key will ALWAYS remain necessary to “unpack” the info in your account. It is the key to decrypting each and every single one of your entries.

And remember all the same rules apply – NEVER enter your Packing Key unless you see your personal anti-phishing message (it’s a good idea to set one up if you haven’t yet). Keep this in mind, but not to worry there will be further posts on this and other potential risks…

If anyone is interested in following and/or contributing to making OpenID safer this is a good place to start.

How Passpack and OpenID can complement each other?

Passpack plans on contributing to the spread of OpenID by becoming a consumer! By the end of the summer you will be able to use your OpenID to login to your Passpack account.

You heard it straight from the horse’s mouth.

OpenID In A Nutshell

OpenID is an open authentication standard which lets websites identify you by one personal URL, backed by one password at the provider that hosts it.

The idea is, once you sign up with one of the many OpenId providers (here’s a directory of providers), you’ll have one OpenID (replacing your standard username) – something like And one OpenID password.

You then use that one OpenID at every consumer website (a site that accepts OpenID) and there you go – problem solved.
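How a consumer turns the URL you type into a provider to talk to, as an added JavaScript example that is not code from Passpack or from this post: OpenID 2.0 HTML-based discovery reads `<link rel="openid2.provider">` and `<link rel="openid2.local_id">` from the page at your identifier (with the OpenID 1.x `openid.server` and `openid.delegate` names as fallback). This is also what makes the delegated names mentioned in the whitelist post work: a URL on your own domain can point at one of the presented providers, so a list of trusted providers is best checked against the discovered endpoint rather than against the URL the user typed. The sample pages, host names, the list of known provider hosts, and the decision to refuse non-HTTPS endpoints are all assumptions constructed for the example.

```javascript
// Added example (not Passpack code): OpenID HTML-based discovery.
// Given the HTML served at the claimed identifier URL, find the provider
// endpoint and the identifier the provider actually knows the user by
// (the "local id", which is what delegation changes).

// Only <link> tags inside <head> count for discovery.
function headOf(html) {
  const m = /<head\b[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  return m ? m[1] : html;   // no explicit <head>: fall back to the whole page
}

// Returns { rel -> href } for every <link> in the head; the first tag wins.
function parseLinkRels(html) {
  const rels = {};
  const tagRe = /<link\b[^>]*>/gi;
  for (const tag of headOf(html).match(tagRe) || []) {
    const attrs = {};
    const attrRe = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(tag)) !== null) {
      const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
      attrs[m[1].toLowerCase()] = value;
    }
    if (!attrs.rel || !attrs.href) continue;
    for (const rel of attrs.rel.toLowerCase().split(/\s+/)) {
      if (!(rel in rels)) rels[rel] = attrs.href;
    }
  }
  return rels;
}

// Resolve a claimed identifier to { endpoint, localId, providerHost }, or
// null when the page carries no usable OpenID information.
function discover(claimedId, html) {
  const rels = parseLinkRels(html);
  let result = null;
  if (rels["openid2.provider"]) {
    result = { version: "2.0", endpoint: rels["openid2.provider"],
               localId: rels["openid2.local_id"] || claimedId };
  } else if (rels["openid.server"]) {
    result = { version: "1.x", endpoint: rels["openid.server"],
               localId: rels["openid.delegate"] || claimedId };
  }
  if (result === null) return null;
  // The page at the claimed id is user (or attacker) controlled. This
  // example's policy (an assumption, stricter than the spec) is to refuse
  // any endpoint that is not an absolute https URL before contacting it.
  let endpoint;
  try { endpoint = new URL(result.endpoint); } catch (e) { return null; }
  if (endpoint.protocol !== "https:") return null;
  return { claimedId, ...result, providerHost: endpoint.hostname };
}

// Provider check done the right way round: against the provider the user
// would actually be sent to, not against the URL they typed, so a delegated
// name on a personal domain is recognised. KNOWN_PROVIDER_HOSTS is a
// constructed stand-in for the providers shown on the sign-in page.
const KNOWN_PROVIDER_HOSTS = ["openid.example-provider.net"];

function providerStatus(discovery, known = KNOWN_PROVIDER_HOSTS) {
  if (!discovery) return "no-openid";
  return known.includes(discovery.providerHost) ? "known" : "unknown";
}

// Constructed: the page a user might serve at https://francesco.example.org/
// to delegate a personal domain to a provider.
const DELEGATING_PAGE = `<!DOCTYPE html>
<html><head>
  <title>Francesco</title>
  <link rel="openid2.provider" href="https://openid.example-provider.net/server">
  <link rel="openid2.local_id" href="https://example-provider.net/id/francesco">
  <link rel="openid.server" href="https://openid.example-provider.net/server">
  <link rel="openid.delegate" href="https://example-provider.net/id/francesco">
</head><body>
  <a href="https://openid.example-provider.net/server">not a link tag</a>
</body></html>`;

// Constructed: a page that points at a provider nobody has heard of.
const UNKNOWN_PROVIDER_PAGE = `<html><head>
  <link rel="openid2.provider" href="https://login.some-new-openid.example/op">
</head><body></body></html>`;

const d = discover("https://francesco.example.org/", DELEGATING_PAGE);
console.log(d, providerStatus(d));
console.log(providerStatus(discover("https://someone.example.org/", UNKNOWN_PROVIDER_PAGE)));
```

For the delegating page the typed identifier `https://francesco.example.org/` is never on any provider list, yet discovery resolves it to the known provider host, which is why a check on the discovered endpoint accepts it while a check on the typed URL would not.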

Why Use Passpack And OpenID?

Say you’ve got a brand new OpenID that you use for work, and you open another one (maybe even with another provider) just for play. Passpack can help you with that: you will be able to store the logins to all of your OpenID providers in your Passpack account.

Ok so now, let’s also consider this – at the moment there are many OpenID providers and somewhat less consumers. Where does this leave the OpenID-er? In a jam.

At some point you are probably going to find yourself with a mix of accounts – those that accept OpenID AND those that don’t. What do you do now? If you can’t realistically use only sites that support OpenID, you need to find a suitable solution. Passpack them all!

You will be able to make a special “OpenID entry” where you can store links to all the websites where you’ve used a particular OpenID and say ‘Hello’ to 1 Click Login again! This makes it easier than before to not only log into sites that support OpenID but more importantly to those that haven’t quite made the leap yet.

How Will OpenID Work With Passpack?

Here’s the rundown – so we know that Passpack securely stores your username, links, tags and of course passwords. And in order to access your info you need a Passpack User ID, a Pass and the ever so famous – Packing Key … You did know that right? If not, read this.

Well, if you are an OpenID user, you wouldn’t have a Passpack User ID nor a Pass anymore – just the Packing Key. And by “just”, I mean it no disrespect, considering the Packing Key is where your data begins its encryption process! So when you log in to Passpack you would be asked for your OpenID, after which you would need to enter your Packing Key, and you’re in! Easy as that.

So you’re in your Passpack account and you logged in with your brand new OpenID, now what? Passpack gives you the freedom of storing multiple logins under one OpenID entry. You still have the extra fun things like tags and anti-phishing systems and – don’t fret – 1 Click Login will be able to fill in your OpenID for you the same way it does your good ‘old passwords.

Why Would You Want A Password/OpenID Manager?

Because we don’t compromise security here at Passpack. Remember that your Packing Key is yours, only yours, and not even we know it! And frankly, we wouldn’t really want to. All thanks to host-proof hosting: your entries are encrypted and decrypted in your browser with the Packing Key, so only ciphertext ever reaches our servers.

So go ahead. Sign up with all the OpenID providers that your heart desires and rest assured that they will be safely encrypted along with your old friends (enemies?) – passwords.