Review: PassLocker is a simple but flawed password manager for OS X

These days, it seems that every single website I visit wants me to log in, no matter how trivial the service it offers. Of course, the most basic of cautions dictates that a different set of credentials are created for each site, least I wake up one morning to find out that my bank account was wiped clean because my favorite social network inadvertently leaked my password.

The ever-increasing complexity of managing logins has not gone unnoticed to software developers. Apps like 1Password provide comprehensive solutions aimed at making the storage and retrieval of security credentials easy and convenient, usually alongside other related features, like the ability to remember credit card numbers, digital keys to unlock software programs, and so on.

Unlike most of its competition, InnovationBox’s PassLocker (Mac App Store link) foregoes complexity and breadth. It favors a laser-like focus on the core task of storing and retrieving usernames and passwords, while attempting to provide an experience that is simple and easy to grasp.

For starters, PassLocker doesn’t have a traditional user interface. Instead, it runs quietly as an icon in OS X’s Menu, coming into play only when called upon. This is a smart move, since it allows the app to be readily available without needlessly cluttering your screen, Dock, or Application Switcher.

Credentials are created and retrieved using a simple process that is easy to learn and quick to use. Rather than attempting integration with every browser that a user could conceivably use, PassLocker offers built-in support for many popular sites, including Amazon, Paypal, Twitter, and Facebook; clicking on a password for these sites causes the default browser to launch and automatically log you into your account. For all other credentials, the only option that the app offers is to copy either the username or password; you can also reveal the latter—a feature that, in my opinion, unduly endangers your confidential information by exposing it to public view.

PassLocker supports synchronizing your passwords through iCloud. In my testing, this feature worked flawlessly, with passwords synchronizing across multiple devices nearly instantaneously. You can also export your password locker to a ZIP file, and send it via email as an attachment.

Login credentials are protected by a four-digit pin number that is set when you first launch the app. As is normal for software of this kind, forgetting your PIN means that you will have to completely reinstall the app and lose access to all your stored credentials. Luckily, if you opt to use iCloud sync and have a copy of PassLocker installed elsewhere, these will immediately be restored for you under a new PIN.

Speaking of protection, the app encrypts credentials using 256-bit AES—a standard that, despite a few potential flaws, is still widely considered to be safe. In fact, the reliance on a four-digit PIN is a much greater concern than the use of AES-256, since cycling through all ten thousand possible combinations—a process known as a brute-force attack—is fairly trivial with today’s powerful computers. PassLocker attempts to mitigate this issue by enforcing a 15-second cooldown period after three failed login attempts, making brute-force attacks a bit harder (but by no means impossible) to pull off.

Bottom line

The combination of low-price and ease of use make PassLocker a worthy candidate for users who are approaching the problem of password management for the first time and on a budget, but a sparse feature set and relatively insecure login mechanism conspire to limit its usefulness to all but the simplest of needs. PassLocker costs $5 and requires OS X 10.7 Lion.