PassLocker is a simple but flawed password manager for OS X

These days, it seems that every single website I visit wants me to log in, no matter how trivial the service it offers. Of course, the most basic of cautions dictates that a different set of credentials be created for each site, lest I wake up one morning to find that my bank account was wiped clean because my favorite social network inadvertently leaked my password.

The ever-increasing complexity of managing logins has not gone unnoticed by software developers. Apps like 1Password provide comprehensive solutions aimed at making the storage and retrieval of security credentials easy and convenient, usually alongside related features such as remembering credit card numbers, software license keys, and so on.

Unlike most of its competition, InnovationBox's PassLocker (Mac App Store link) forgoes complexity and breadth. It favors a laser-like focus on the core task of storing and retrieving usernames and passwords, while attempting to provide an experience that is simple and easy to grasp.

For starters, PassLocker doesn't have a traditional user interface. Instead, it runs quietly as an icon in the OS X menu bar, coming into play only when called upon. This is a smart move, since it allows the app to be readily available without needlessly cluttering your screen, Dock, or Application Switcher.

Credentials are created and retrieved using a simple process that is easy to learn and quick to use. Rather than attempting integration with every browser a user could conceivably use, PassLocker offers built-in support for many popular sites, including Amazon, PayPal, Twitter, and Facebook; clicking on a password for one of these sites launches the default browser and automatically logs you into your account. For all other credentials, the only option the app offers is to copy either the username or the password to the clipboard; you can also reveal the password on screen, a feature that, in my opinion, unduly endangers your confidential information by exposing it to anyone looking over your shoulder.

PassLocker supports synchronizing your passwords through iCloud. In my testing, this feature worked flawlessly, with passwords synchronizing across multiple devices nearly instantaneously. You can also export your password locker to a ZIP file and send it via email as an attachment. Treat that option with care: an archive of your passwords sitting in an inbox is only as safe as the mailbox it sits in, so keep exports off email unless you have confirmed that the archive itself is encrypted.

Login credentials are protected by a four-digit PIN that is set when you first launch the app. As is normal for software of this kind, forgetting your PIN means that you will have to completely reinstall the app and lose access to all your stored credentials. Luckily, if you opt to use iCloud sync and have a copy of PassLocker installed elsewhere, your credentials will immediately be restored for you under a new PIN. Note what that implies: the synced copy of your data is guarded by your Apple ID rather than by your PIN, so the security of that account matters at least as much as the PIN does.

Speaking of protection, the app encrypts credentials using 256-bit AES, a standard that, despite some published attacks of academic rather than practical interest, is still widely considered safe. In fact, the reliance on a four-digit PIN is a far greater concern than the use of AES-256: there are only ten thousand possible combinations, and cycling through all of them (a brute-force attack) is trivial for any modern computer. PassLocker attempts to mitigate this by enforcing a 15-second cooldown after three failed login attempts. That makes a brute-force attack through the app's own login prompt slower, but by no means impossible: with a cooldown after every third guess, a full sweep of all ten thousand PINs costs 3,333 cooldowns, or roughly 13.9 hours of waiting, well within an attacker's patience. The cooldown also only protects the running app. If the encryption key is derived from the PIN alone, anyone who obtains a copy of the vault (and the app hands copies out freely, via ZIP export and iCloud sync) can try every PIN offline, where the only cost per guess is the key derivation and no cooldown ever fires.
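The following is an added example, not PassLocker's code or anything published by InnovationBox; it shows why the four-digit PIN, not AES-256, is the weak link. Because the review does not describe how the app turns a PIN into an encryption key, the example assumes a common construction: PBKDF2-HMAC-SHA256 over the PIN with a random salt, plus a stored key-check tag (an HMAC of a fixed label under the derived key) that lets a guess be verified. The AES layer is left out so the example needs only the standard library; the key check stands in for "does this key decrypt the vault?". It computes the online cost under the review's three-strikes, 15-second lockout and then runs an offline sweep of all ten thousand PINs against a constructed vault.

```python
"""
Added example (not PassLocker's code): brute-forcing a four-digit PIN,
online (through the app's lockout) and offline (against a copied vault).

Assumed, because the review does not describe it: the vault key comes from
PBKDF2-HMAC-SHA256 over the PIN with a random salt, and the vault stores a
key-check tag so a guess can be verified.  The AES ciphertext is omitted.
"""
import hashlib
import hmac
import os
import time

PIN_SPACE = 10_000             # every four-digit PIN, "0000".."9999"
ATTEMPTS_BEFORE_LOCKOUT = 3    # from the review
LOCKOUT_SECONDS = 15           # from the review
KDF_ITERATIONS = 200           # deliberately low so the full sweep runs in seconds
CHECK_LABEL = b"key-check"     # constructed label for the key-check tag


def online_worst_case_seconds(pin_space=PIN_SPACE,
                              attempts=ATTEMPTS_BEFORE_LOCKOUT,
                              lockout=LOCKOUT_SECONDS):
    """Lower bound on exhausting the PIN space through the app's own prompt.

    Only the enforced cooldowns are counted (typing time is ignored).  A
    cooldown follows every `attempts` consecutive failures, so the final
    guess is preceded by floor((pin_space - 1) / attempts) of them.
    """
    return ((pin_space - 1) // attempts) * lockout


def derive_key(pin, salt):
    """PBKDF2-HMAC-SHA256 from a PIN string to a 32-byte (AES-256-sized) key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def key_check(key):
    """Tag that identifies the right key without revealing it."""
    return hmac.new(key, CHECK_LABEL, "sha256").digest()


def make_vault(pin):
    """Constructed stand-in for the on-disk vault: a salt and a key-check tag.
    A real vault would also carry the AES ciphertext, which is omitted here."""
    salt = os.urandom(16)
    return {"salt": salt, "check": key_check(derive_key(pin, salt))}


def crack_offline(vault):
    """Exhaustive PIN search against a copied vault.  Nothing here is
    rate-limited: the app's three-strikes cooldown never comes into play.
    Returns the PIN, or None if the vault was not made from a four-digit PIN."""
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if hmac.compare_digest(key_check(derive_key(pin, vault["salt"])), vault["check"]):
            return pin
    return None


if __name__ == "__main__":
    hours = online_worst_case_seconds() / 3600
    print(f"online sweep, app lockout only: about {hours:.1f} hours")

    vault = make_vault("9999")          # worst case for the offline search
    start = time.perf_counter()
    found = crack_offline(vault)
    elapsed = time.perf_counter() - start
    print(f"offline sweep of all {PIN_SPACE} PINs at {KDF_ITERATIONS} iterations: "
          f"{elapsed:.1f} s, recovered {found}")
    # KDF cost grows linearly with the iteration count, so scale the measurement.
    print(f"projected at 100,000 iterations: "
          f"{elapsed * 100_000 / KDF_ITERATIONS / 60:.0f} min")
```

Two things to take from running it: the lockout turns the online attack into a 14-hour wait rather than an impossibility, and the offline sweep finishes in seconds at this iteration count and in minutes even at a hardened 100,000 iterations, because raising the KDF cost can only multiply a keyspace of ten thousand, never make up for it. The constants, label, and key-derivation choice are all assumptions made for the demonstration.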

Bottom line

The combination of a low price and ease of use makes PassLocker a worthy candidate for users who are approaching the problem of password management for the first time and on a budget, but a sparse feature set and a relatively insecure login mechanism conspire to limit its usefulness to all but the simplest of needs. PassLocker costs $5 and requires OS X 10.7 Lion.

Tags: passwords, security, InnovationBox
