PasswordBox: Strong Passwords That You Don’t Have to Remember

PasswordBox: Unbreakable Passwords That You Don't Have to Remember. A VOX column by Wade Roush

the Web. When I joined PasswordBox, I thought of about 20 sites right off the bat, from my bank to Amazon to my photo-sharing site (Flickr) to my health plan’s billing portal.

Before they’re uploaded to PasswordBox’s cloud servers, the credentials for each account are encrypted on your computer using the AES-256 algorithm, which is approved by the NSA for encrypting top-secret documents. Your master password, which is used as part of the encryption key, never leaves your computer.

That’s called a “zero-knowledge” architecture. PasswordBox doesn’t get a copy of the key it would need to decrypt your stored credentials, so it couldn’t snoop on your data even if it wanted to. Neither could the NSA, for that matter, unless they’ve got quantum computers they aren’t telling us about. (The only downside of the zero-knowledge approach is that if you forget your master password, or if someone else obtains it, you’re screwed. So you do still have to remember one password—and you need to make it a strong one, and then be careful with it.)

PasswordBox designed its system to be simple and unobtrusive. In Chrome, the browser I use, the program takes over the new-tab screen and shows big icons that allow you to log in to any of your saved accounts with one click.

“We built a product that my mom can use,” says Daniel Robichaud, PasswordBox’s co-founder and CEO. “The only thing she knows is that there’s something that remembers her password, and she clicks on the big buttons, and it works.”

Once you install PasswordBox, the new-tab screen becomes your "start" screen, showing one-click login buttons for your most important sites.

Despite its simplicity, PasswordBox offers a few useful features that set it apart from other password managers. There’s a password generator that can suggest strong passwords, up to 26 characters long, to replace your flimsy old ones. There’s a feature that lets you temporarily share a password with a friend, family member, or coworker who’s also using PasswordBox (which sounds to me like an easy, though potentially illegal, way for families to split access to a single Netflix or HBO Go account).

The “Legacy” feature lets you choose who should have access to your accounts in case you’re obliterated by a meteorite; it involves a second master password that’s transferred from your computer to your caretaker’s computer after they present PasswordBox with a valid death certificate. Robichaud—who’s a graduate of Montreal’s HEC University, runs a Montreal venture firm called Neotech Capital, and has started three previous companies in the mobile and media markets—says the legacy feature has become PasswordBox’s best viral marketing mechanism, since the person you designate as your caretaker has to sign up for the service too.

PasswordBox also offers free apps for iOS and Android devices that sync up with your desktop browser. It’s got an identical start screen, and clicking on the buttons will bring up the same sites inside an in-app browser. If you do use the PasswordBox mobile app, it’s a good idea to protect your data from thieves by setting up a PIN for the app, or your phone, or both.

There are a couple of limitations to PasswordBox. Its system for recognizing login pages and supplying credentials doesn’t yet work with every site on the Web—but it’s up to about 95 percent, Robichaud says.

If you’re totally dependent on PasswordBox to remember your long, strong passwords, you won’t be able to get into your e-mail or other basic services from any computer other than your own. Unless, that is, you’ve got your smartphone with you—in which case you could look up your password in the PasswordBox app and type it manually. (But Robichaud says you should never do that on a public computer, since there’s a risk that keylogging software might be installed.)

And PasswordBox doesn’t work as a key to all your password-protected mobile apps, although the company is developing workarounds for that, such as the ability to copy a password into your device’s clipboard. (The PasswordBox app can also launch certain third-party apps, such as Dropbox and Evernote, directly.)

Why is it safer, in the end, to put all your eggs in one basket by having a master password? It’s a legitimate question. The answer is that creating unique, strong passwords for every site you use, then handing them over to a management program like PasswordBox, is a vast improvement over what most people do, since the damage from a hacker attack at your bank or your credit-card company will then be contained to the site that was hacked. You do need to make sure that your master password is strong, and that you never, ever write it down. The overall improvement in security comes from having to memorize just one good password, so it’s less tempting to have six weak ones and keep reusing them.

It’s safe to say that most corporations will push their employees to adopt more secure passwords over time, and that they’ll shell out for one of the many “single sign-on” systems available from enterprise software providers to ensure compliance. But how large is the potential market for a consumer-oriented password management service, especially as giants like Apple soup up their own login systems? (Apple, for example, has said that the next version of OS X will include a cloud-based password management system called iCloud Keychain.)

Robichaud says he isn’t too worried about how his bootstrapped startup will compete with big players like Apple, Google, Facebook, and Microsoft. They’ll never agree to common identity standards, he predicts, thus leaving an opening for a smaller company to build a system that integrates with all of them.

“Our long-term objective is to become the single sign-on for consumers—the neutral party that identifies you everywhere,” Robichaud says. “People need to have strong passwords everywhere to be protected, and there is no way people can remember strong passwords. This is why I’m sure we are in the right market at the right time.”

Author: Wade Roush

Between 2007 and 2014, I was a staff editor for Xconomy in Boston and San Francisco. Since 2008 I've been writing a weekly opinion/review column called VOX: The Voice of Xperience. (From 2008 to 2013 the column was known as World Wide Wade.) I've been writing about science and technology professionally since 1994. Before joining Xconomy in 2007, I was a staff member at MIT’s Technology Review from 2001 to 2006, serving as senior editor, San Francisco bureau chief, and executive editor of TechnologyReview.com. Before that, I was the Boston bureau reporter for Science, managing editor of supercomputing publications at NASA Ames Research Center, and Web editor at e-book pioneer NuvoMedia. I have a B.A. in the history of science from Harvard College and a PhD in the history and social study of science and technology from MIT. I've published articles in Science, Technology Review, IEEE Spectrum, Encyclopaedia Britannica, Technology and Culture, Alaska Airlines Magazine, and World Business, and I've been a guest of NPR, CNN, CNBC, NECN, WGBH and the PBS NewsHour. I'm a frequent conference participant and enjoy opportunities to moderate panel discussions and on-stage chats.

My personal site: waderoush.com

My social media coordinates: Twitter: @wroush; Facebook: facebook.com/wade.roush; LinkedIn: linkedin.com/in/waderoush; Google+: google.com/+WadeRoush; YouTube: youtube.com/wroush1967; Flickr: flickr.com/photos/wroush/; Pinterest: pinterest.com/waderoush/