PassLocker is a simple but flawed password manager for OS X

These days, it seems that every single website I visit wants me to log in, no matter how trivial the service it offers. Of course, the most basic of cautions dictates that a different set of credentials be created for each site, lest I wake up one morning to find that my bank account was wiped clean because my favorite social network inadvertently leaked my password.

The ever-increasing complexity of managing logins has not gone unnoticed by software developers. Apps like 1Password provide comprehensive solutions aimed at making the storage and retrieval of security credentials easy and convenient, usually alongside other related features, like the ability to remember credit card numbers, digital keys to unlock software programs, and so on.

Unlike most of its competition, InnovationBox's PassLocker (Mac App Store link) foregoes complexity and breadth. It favors a laser-like focus on the core task of storing and retrieving usernames and passwords, while attempting to provide an experience that is simple and easy to grasp.

For starters, PassLocker doesn't have a traditional user interface. Instead, it runs quietly as an icon in OS X's menu bar, coming into play only when called upon. This is a smart move, since it allows the app to be readily available without needlessly cluttering your screen, Dock, or Application Switcher.

Credentials are created and retrieved using a simple process that is easy to learn and quick to use. Rather than attempting integration with every browser a user could conceivably use, PassLocker offers built-in support for many popular sites, including Amazon, PayPal, Twitter, and Facebook; clicking on a password for one of these sites launches the default browser and automatically logs you into your account. For all other credentials, the only option the app offers is to copy either the username or the password; you can also reveal the latter, a feature that, in my opinion, unduly endangers your confidential information by exposing it to public view.

PassLocker supports synchronizing your passwords through iCloud. In my testing, this feature worked flawlessly, with passwords synchronizing across multiple devices nearly instantaneously. You can also export your password locker to a ZIP file, and send it via email as an attachment.

Login credentials are protected by a four-digit PIN that is set when you first launch the app. As is normal for software of this kind, forgetting your PIN means you will have to completely reinstall the app and lose access to all your stored credentials. Luckily, if you opt to use iCloud sync and have a copy of PassLocker installed elsewhere, your credentials will immediately be restored for you under a new PIN.

Speaking of protection, the app encrypts credentials using 256-bit AES, a standard that, despite a few potential flaws, is still widely considered safe. In fact, the reliance on a four-digit PIN is a much greater concern than the use of AES-256: cycling through all ten thousand possible combinations, a process known as a brute-force attack, is fairly trivial with today's powerful computers. PassLocker attempts to mitigate this by enforcing a 15-second cooldown after three failed login attempts, which makes brute-force attacks a bit harder (but by no means impossible) to pull off.
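To put that cooldown in numbers, here is an added example (not PassLocker's code; it assumes only the figures given in the review, plus a capped exponential backoff as an assumed comparison policy) that models how long an exhaustive search of the PIN space takes under each lockout policy.

```python
"""Model an exhaustive PIN search under a lockout policy (constructed example,
not PassLocker's code). Only the review's figures are assumed: 10,000
four-digit PINs and a 15-second cooldown after every three failed attempts.
The capped exponential backoff is an assumed alternative for comparison."""
from typing import Callable, Iterator

PIN_SPACE = 10_000        # every four-digit PIN
FAILS_PER_LOCKOUT = 3     # failed attempts before a cooldown is enforced
FIXED_COOLDOWN_S = 15.0   # the cooldown the review describes

def fixed_cooldown(lockout_index: int) -> float:
    """Same 15-second wait for every lockout (the reviewed policy)."""
    return FIXED_COOLDOWN_S

def capped_backoff(lockout_index: int, base: float = 15.0, cap: float = 3600.0) -> float:
    """Assumed alternative: the wait doubles per lockout, capped at one hour."""
    return min(base * 2 ** min(lockout_index, 40), cap)  # exponent clamped to stay in float range

def cumulative_times(cooldown: Callable[[int], float], pin_space: int = PIN_SPACE,
                     fails_per_lockout: int = FAILS_PER_LOCKOUT,
                     attempt_s: float = 0.0) -> Iterator[float]:
    """Yield the elapsed seconds at which the 1st, 2nd, ... candidate is tried.
    Every `fails_per_lockout` consecutive failures cost one cooldown; `attempt_s`
    is the time each attempt itself takes (0 = instantaneous)."""
    elapsed, lockouts = 0.0, 0
    for position in range(1, pin_space + 1):
        failures_so_far = position - 1
        if failures_so_far and failures_so_far % fails_per_lockout == 0:
            elapsed += cooldown(lockouts)   # cooldown index grows with each lockout
            lockouts += 1
        elapsed += attempt_s
        yield elapsed

def worst_case_seconds(cooldown: Callable[[int], float], **kw) -> float:
    """Time until the last candidate is tried (the PIN was the final guess)."""
    return max(cumulative_times(cooldown, **kw))

def expected_seconds(cooldown: Callable[[int], float], **kw) -> float:
    """Average time for a uniformly random PIN (uniformly random guess position)."""
    times = list(cumulative_times(cooldown, **kw))
    return sum(times) / len(times)

if __name__ == "__main__":
    for name, policy in (("fixed 15 s", fixed_cooldown), ("capped backoff", capped_backoff)):
        worst, avg = worst_case_seconds(policy), expected_seconds(policy)
        print(f"{name:15s} worst {worst / 3600:10.1f} h   expected {avg / 3600:10.1f} h")
```

Under the fixed policy the worst case is just under 14 hours and the average about 7, so the cooldown slows an exhaustive search without stopping it; a wait that grows with each lockout pushes the worst case to months, which is why most lockout schemes escalate rather than stay flat.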

Bottom line

The combination of low price and ease of use makes PassLocker a worthy candidate for users who are approaching the problem of password management for the first time and on a budget, but a sparse feature set and a relatively insecure login mechanism conspire to limit its usefulness to all but the simplest of needs. PassLocker costs $5 and requires OS X 10.7 Lion.


Stories by Marco Tabini
