The Joel on Software Discussion Group (CLOSED)

A place to discuss Joel on Software. Now closed.

Thank God. My Password Problems Have Gone.

Today, I tried Actually, I've known about it for a long time but hadn't tried it. Today I tried the service and it really helps me. Now, I can manage my passwords much more easily.

What do you think about putting our password online? (Of course I don't put my "critical password" in passpack.)

By the way, it looks like is another passpack alternative. But I'm not sure about its security.
Friday, May 11, 2007
Online password services are ok, as long as you are ok with them knowing your passwords and you trust them not to leak them out or get hacked.
I forgot my posting name.
Friday, May 11, 2007
hmm plugging one site and subtly suggesting the competition is insecure. smells like spam to me.
Friday, May 11, 2007
An offline solution is much better.

Don't trust an unknown person!

Look for AnyPassword in Google.
Friday, May 11, 2007
@jk: I'm not a passpack developer/owner. I'm a new user of theirs. I just found this very interesting because I do have many, many problems with password management.
Passworder
Friday, May 11, 2007
Recently I've been using an offline one called KeePass.
SM
Friday, May 11, 2007
+1 for jk

very fishy
Friday, May 11, 2007
Ah, sometimes I think I have to remember more passwords than the number of my friends' names.

The best place to keep passwords is your brain, but the problem occurs when they expire and you need to change them.

I got a Databank Watch, 100m waterproof, and so never remove it from my wrist.

Hence I keep them fed into it.
Easy to update too.
Friday, May 11, 2007
Why not 1 login/password to rule them all? It's been fine with me so far.
Joe
Friday, May 11, 2007
I have PasswordSafe, which was created by Bruce Schneier's Counterpane Labs, installed on a USB drive I carry on my keychain. I would not trust an online password service at this time.
Chris Norris
Friday, May 11, 2007
There is this thing called - it uses client-side JavaScript to encrypt and decrypt passwords. This way you don't have to trust the server or communication channel at all. It doesn't even use https. You do have to trust their JavaScript though.
Branimir Dolički
Friday, May 11, 2007
praise the lord!
Friday, May 11, 2007
Smells like spam to me too.

But in any case, all your high-tech solutions can't beat a piece of paper and a pencil.  Stick it in your wallet and you're done.
xampl
Friday, May 11, 2007
I doubt God wrote that website.
Friday, May 11, 2007
"Why not 1 login/password to rule them all? It's been fine with me so far."

Can you trust every site owner, admin, or disgruntled employee who can access the password list not to try your username/password combination at another site? 

Or there's the problem that if one site leaves its passwords vulnerable to theft, etc. Using multiple passwords really minimizes the amount of potential damage in this case.  If you work in this industry, you should know how much non-security is running amok.

That said, I don't use a different password for EVERY single site that requires one -- I'll use one or two for the kind of sites where I'm not concerned that much about security (web forums, etc), and other various ones for retail stores that have my credit card info, banks and all of that stuff.  But there's just too many bad things that could possibly happen with a single password...

Hence the password manager.  After piling up passwords for so many years, I just can't contain them in my head anymore.  Hence the need for a password manager. Of course, one could also argue that having all of them in the same place is nearly as insecure as using the same password everywhere...

But certainly I feel safer with an offline solution rather than one that uses a website.
SM
Friday, May 11, 2007
Write them on your arm with indelible ink, and wear short-sleeved shirts.
Stephen Jones
Friday, May 11, 2007
my little finger print reader/wireless mouse i got from woot works great.

of course if im not on my machine, im hosed since i don't remember any username/password combinations anymore.
Friday, May 11, 2007
It only works on your little finger?
Friday, May 11, 2007
Hello All,
I'm Tara over at PassPack.

Thanks, I'm glad you decided to give us a try. Let me know if you need any help with anything - you can grab my email address off the contacts page on the website. Yes, Clipperz is also an online password manager - no worries they're secure as well.

@ I forgot my posting name.
RE: "Online password services are ok, as long as you are ok with them knowing your passwords and you trust them not to leak them out or get hacked."

Actually, PassPack doesn't know your passwords. Your passwords are encrypted *in the browser* before being sent to the server. All we receive is an encrypted pack of data, without the decryption key. So not even we can read what's stored on our servers - PassPack can't read your passwords. If we leak anything (which we don't), it would be encrypted gibberish.... no passwords.

Here's how it works:
(that's a non-technical post, contact me if you'd like more detailed info)

RE: "smells like spam"
I'm the only evangelist for PassPack, and I didn't start this thread. Passworder is probably just one of our clients like he says he is. Our accounts are free, so no affiliates program, and no reason for anyone to push our product unless they truly like it. It's pretty common for people to post about both PassPack and Clipperz (which is also secure), usually they always express a preference.

@SM,  Chris Norris
There are plenty of great offline solutions. An online password manager is useful when you need portability - without lugging around the USB drive which can be lost/stolen, dropped in a puddle, forgotten at home, etc.

@ Branimir Dolički
Interesting. They should use HTTPS though. It's true that the data sent is encrypted and can't be read, but without HTTPS, they are open to a man in the middle attack. That means that a smart hacker can put himself between you and the server - and replace his *own* javascript in place of theirs, which would (of course) not do any encrypting and just grab all of your passwords in clear text. HTTPS must be in place to avoid this - it's a certification that tells your browser "this code is coming from where it should be".

PassPack Founding Partner
Tara Kelly (PassPack)
Saturday, May 12, 2007
just store them all in your yahoo email account in a draft with links.

Saturday, May 12, 2007
Storing your passwords in your email account is not safe. Your emails are not encrypted, rather they are stored in plain text on (in this case) Yahoo's servers.

Anyone can just take a peek and you're fried. The major players - like Yahoo and Google, etc - are big and important sites, sure, but they don't have any programs in place for password management.

It's just as easy to use a password manager to store and look up your passwords as it is to use your webmail - only it's *much* safer.

Please be careful.
Tara Kelly (PassPack)
Saturday, May 12, 2007
Why store all of your passwords in one big text file, then encrypt it using PGP? Then all you have to remember is your PGP keyphrase
Saturday, May 12, 2007
Just email them to your Yahoo or Gmail account. Just as safe.
Stephen Jones
Saturday, May 12, 2007
Password managers are programs that give people who don't even know what "encryption" is, a safe place to store their passwords.

@Stephen Jones
Sorry, please read two comments up - that's not safe at all.

Email is not safe. Email is not encrypted. Storing passwords in your email is a disaster waiting to happen.

Plus Google has been known to leak passwords in the past - not from gmail, but still it makes the point:

Tara Kelly (PassPack)
Tuesday, May 15, 2007
Sunday, May 20, 2007

This topic is archived. No further replies will be accepted.
