New tool - looking for feedback

Discussion in 'The Lounge' started by tarakelly, Apr 15, 2007.

Thread Status:
Not open for further replies.
  1. tarakelly

    tarakelly Private E-2

    Hello all,
    I'm new to Major Geeks, so be gentle with me. :) I'm a founding partner (and designer and blogger and evangelist and [of course] avid coffee drinker) over at PassPack Online Password Manager.

    Here's the link:
    It's a free service and completely anonymous (no email)

    And here's the pitch:

    PassPack Free Online Password Manager and Personal Vault. PassPack provides a secure place where individuals and businesses can store their passwords, links and private notes, protecting them from prying eyes and malware. The service is free of charge, anonymous and accessible via Internet.

    I know what you're thinking: PASSWORDS?!? ONLINE?!? Yup, passwords online.

    We use the Host-Proof Hosting pattern so that not even we can read the data hosted on the server. It gets encrypted in the browser before it gets sent over the wire. There's a general security overview here, and a blog post about how we serve up what we call a Pack of encrypted data.

    What I get asked most often is "Why is it free?" PassPack is in beta, and we are currently offering only the free account. We will be adding commercial add-on services in the future though. These will be things like more space and extra features. But there will always be a free account.

    If you're skeptical, I understand. No worries. But if anyone would like to try it out, I'm really interested in getting feedback. Also feel free to contact me directly, my email is listed on the contacts page: https://www.passpack.com/info/contact/

    Thanks,
    Tara
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I don't like online passwords saving, backups or anything even remotely close. While I have read into your product, you leave out one very important point. Most hacking of credit cards and other information is not done from some master hacker kid cranked up on caffeine as the main press would have us believe, but rather someone physically taking the data out of the building on paper, cd, usb thumb drive, etc.

    I appreciate your end goal, but for the users here at MajorGeeks, I would not suggest using that when there are so many good ones like AI RoboForm.
     
  3. tarakelly

    tarakelly Private E-2

    Hi, thanks for the quick reply. You hit on a key issue, this is the exact problem Host-Proof Hosting solves. It's the backbone of our system (not the whole thing, the backbone).

    That's just it. PassPack data is encrypted *in the browser* with a key that never gets sent to, no less stored on, the server. What gets sent to the server is an encrypted pack - a solid block of encrypted data, without the key to unlock it. So if the system admin, or the security guard, or whoever walks off with the data, it's useless. We can't even read it.

    Here's how it works (everything is SSL):

    - When you connect to PassPack, you see the website and the system loads into your browser. That comes over the Internet.

    - When you sign in, you receive your encrypted pack. That also comes from the Internet.

    - You can actually disconnect from the Internet at this point if you wanted to.

    - Now you input your Packing Key (yes, we use a third key for extra security) into the system that is already loaded into your browser, which then does all the work. Nothing else goes over the Internet at that point unless you need to save your data or make changes to your account settings. It's all run by the system loaded in your browser. It's JavaScript.

    - Inversely, when you save your data, the browser wraps it all up, encrypts it and sends it to the server.

    Your Packing Key never leaves your browser and it disappears from your browser's memory the moment you close it, refresh it or go to another page.

    Only you, with your Packing Key, can decrypt that data. A security guard, or system admin, or a hacker that breaks in and physically steals data off the machine - can't decrypt without launching a lengthy (as in decades) brute force attack. The encryption is done with AES 128, with additional algorithms used for salting and hashing.

    Here's a general introduction to how the Packing Key works: http://passpack.wordpress.com/2006/12/14/password-security-packing-keys/

    Does that clear things up more?
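
Added example, not part of the thread and not PassPack's code: the host-proof flow described in the post above, sketched with Node's built-in crypto module. PBKDF2-SHA256 and AES-128-GCM are assumed choices (the post says only AES 128 plus salting and hashing), and every function name and sample value is constructed for illustration.

```javascript
// Added illustration of Host-Proof Hosting; not PassPack's implementation.
// Assumed algorithms: PBKDF2-SHA256 key stretching, AES-128-GCM for the pack.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // assumed work factor

// Client side: stretch the Packing Key with a per-pack salt into a 128-bit key.
function deriveKey(packingKey, salt) {
  return crypto.pbkdf2Sync(packingKey, salt, KDF_ITERATIONS, 16, 'sha256');
}

// Client side: encrypt the vault. Only this opaque pack is sent to the server.
function sealPack(packingKey, vault) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', deriveKey(packingKey, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
  };
}

// Client side: decrypt a pack fetched from the server. Returns null when the
// Packing Key is wrong or the stored pack was modified (GCM tag check fails).
function openPack(packingKey, pack) {
  try {
    const key = deriveKey(packingKey, Buffer.from(pack.salt, 'base64'));
    const decipher = crypto.createDecipheriv('aes-128-gcm', key, Buffer.from(pack.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(pack.tag, 'base64'));
    const plain = Buffer.concat([decipher.update(Buffer.from(pack.body, 'base64')), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Server side: stores and returns the pack verbatim; it never receives the key.
const serverStore = new Map();
function serverSave(userId, pack) { serverStore.set(userId, JSON.stringify(pack)); }
function serverLoad(userId) { return JSON.parse(serverStore.get(userId)); }

// Constructed sample data: what a person holding only the server copy sees.
const sampleVault = [{ site: 'example.test', user: 'tara', password: 'constructed-sample' }];
serverSave('u1', sealPack('constructed packing key', sampleVault));
console.log(serverStore.get('u1'), openPack('wrong guess', serverLoad('u1')));
```

Everything in `serverStore` is ciphertext plus public parameters, which is the property the post relies on; it holds only while the script delivered to the browser is the one the user expects, since the server still serves that code.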
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Yes. And no. Don't see the point of sending my data across the internet to another server somewhere. It's a pointless, unneeded step. Never seen encryption that can't be broken. I'll stick to AI Roboform. Good luck with it, we can't submit it to our listings here, I am not comfortable with it.
     