PasswordBox: Unbreakable Passwords That You Don’t Have to Remember

PasswordBox: Strong Passwords That You Don’t Have to Remember

(Page 2 of 2)

the Web. When I joined PasswordBox, I thought of about 20 sites right off the bat, from my bank to Amazon to my photo-sharing site (Flickr) to my health plan’s billing portal.

Before they’re uploaded to PasswordBox’s cloud servers, the credentials for each account are encrypted on your computer using the AES-256 algorithm, which is approved by the NSA for encrypting top-secret documents. Your master password, which is used as part of the encryption key, never leaves your computer.

That’s called a “zero-knowledge” architecture. PasswordBox doesn’t get a copy of the key it would need to decrypt your stored credentials, so it couldn’t snoop on your data even if it wanted to. Neither could the NSA, for that matter, unless they’ve got quantum computers they aren’t telling us about. (The only downside of the zero-knowledge approach is that if you forget your master password, or if someone else obtains it, you’re screwed. So you do still have to remember one password—and you need to make it a strong one, and then be careful with it.)

PasswordBox designed its system to be simple and unobtrusive. In Chrome, the browser I use, the program takes over the new-tab screen and shows big icons that allow you to log in to any of your saved accounts with one click.

“We built a product that my mom can use,” says Daniel Robichaud, PasswordBox’s co-founder and CEO. “The only thing she knows is that there’s something that remembers her password, and she clicks on the big buttons, and it works.”

Once you install PasswordBox, the new-tab screen becomes your "start" screen, showing one-click login buttons for your most important sites.

Despite its simplicity, PasswordBox offers a few useful features that set it apart from other password managers. There’s a password generator that can suggest strong passwords, up to 26 characters long, to replace your flimsy old ones. There’s a feature that lets you temporarily share a password with a friend, family member, or coworker who’s also using PasswordBox (which sounds to me like an easy, though potentially illegal, way for families to split access to a single Netflix or HBO Go account).

The “Legacy” feature lets you choose who should have access to your accounts in case you’re obliterated by a meteorite; it involves a second master password that’s transferred from your computer to your caretaker’s computer after they present PasswordBox with a valid death certificate. Robichaud—who’s a graduate of Montreal’s HEC University, runs a Montreal venture firm called Neotech Capital, and has started three previous companies in the mobile and media markets—says the legacy feature has become PasswordBox’s best viral marketing mechanism, since the person you designate as your caretaker has to sign up for the service too.

PasswordBox also offers free apps for iOS and Android devices that sync up with your desktop browser. It’s got an identical start screen, and clicking on the buttons will bring up the same sites inside an in-app browser. If you do use the PasswordBox mobile app, it’s a good idea to protect your data from thieves by setting up a PIN for the app, or your phone, or both.

There are a couple of limitations to PasswordBox. Its system for recognizing login pages and supplying credentials doesn’t yet work with every site on the Web—but it’s up to about 95 percent, Robichaud says.

If you’re totally dependent on PasswordBox to remember your long, strong passwords, you won’t be able to get into your e-mail or other basic services from any computer other than your own. Unless, that is, you’ve got your smartphone with you—in which case you could look up your password in the PasswordBox app and type it manually. (But Robichaud says you should never do that on a public computer, since there’s a risk that keylogging software might be installed.)

And PasswordBox doesn’t work as a key to all your password-protected mobile apps, although the company is developing workarounds for that, such as the ability to copy a password into your device’s clipboard. (The PasswordBox app can also launch certain third-party apps, such as Dropbox and Evernote, directly.)

Why is it safer, in the end, to put all your eggs in one basket by having a master password? It’s a legitimate question. The answer is that creating unique, strong passwords for every site you use, then handing them over to a management program like PasswordBox, is a vast improvement over what most people do, since the damage from a hacker attack at your bank or your credit-card company will then be contained to the site that was hacked. You do need to make sure that your master password is strong, and that you never, ever write it down. The overall improvement in security comes from having to memorize just one good password, so it’s less tempting to have six weak ones and keep reusing them.

It’s safe to say that most corporations will push their employees to adopt more secure passwords over time, and that they’ll shell out for one of the many “single sign-on” systems available from enterprise software providers to ensure compliance. But how large is the potential market for a consumer-oriented password management service, especially as giants like Apple soup up their own login systems? (Apple, for example, has said that the next version of OS X will include a cloud-based password management system called iCloud Keychain.)

Robichaud says he isn’t too worried about how his bootstrapped startup will compete with big players like Apple, Google, Facebook, and Microsoft. They’ll never agree to common identity standards, he predicts, thus leaving an opening for a smaller company to build a system that integrates with all of them.

“Our long-term objective is to become the single sign-on for consumers—the neutral party that identifies you everywhere,” Robichaud says. “People need to have strong passwords everywhere to be protected, and there is no way people can remember strong passwords. This is why I’m sure we are in the right market at the right time.”

The Author

Wade Roush is a contributing editor at Xconomy.

  • a

    Correction: Keepass Supported operating systems: Windows 98 / 98SE / ME / 2000 / XP / 2003 / Vista / 7 / 8, each 32-bit and 64-bit, Mono (Linux, Mac OS X, BSD, …). http://keepass.info/download.html

    • Wade Roush

      Thanks — corrected now.

  • Erika J

    Hey, Wade–LastPass is free for the desktop/laptop versions. $12/yr is to add mobile (phone, tablet) support.

    • Wade Roush

      Noted and corrected! Thanks Erika.

  • Jorsh

    Intuitive Password should be mentioned. A cloud based password manager, very nice user interface!

  • Joost

    I am not comfortable with using cloud-based solutions. Various native KeePass clients are available for Linux, iOS, Android and legacy cellphones. KeePass supports two branches, 1.x and 2.x. I chose the 1.x format and have been using KeePassX, KeePassJ2ME and MiniKeePass for a few years now. See http://keepass.info/download.html

  • Edie

    I can’t remember my master password for my Password Box app. How do I get a new one?
    Edie

  • Stephen Mugford

    I love PWB but I have found a glitch. Suppose you forget a password for a site. Maybe PWB is recalling it for you on your PC but you need also to log in to the site via (say) your smartphone. So, you send a request to the site and it sends one of those updater emails. You click on the link and, quick as a flash, PWB leaps in, whacks in a new password and sends it off. It also recalls it so you can log in fine from the PC. But since it didn’t show you what it was inserting (and you cannot view it in PWB for security reasons), you are still disabled on other devices. :( Sure, when you KNOW this is the issue it is easy to remember to turn PWB off for a few minutes while you do the renewal business. But you need to know it. I didn’t. I spent an age at one point with very helpful folk at AMAZON (on an international line from Australia) as we patiently did a manual, remote fix because this glitch was interfering every time I tried to reset the AMAZON password … (They didn’t know either.) Then it happened with another couple of sites. Hmm, had to be inside my browser configuration I decided. So, patiently, I started turning off my Chrome extensions one by one and bingo—when PWB was off the renewal process worked fine.