Johnny can’t encrypt. It’s no use... This is what has been said repeatedly about mere mortal users and encryption, which has forever been the domain of black chambers and mathematical geniuses. Scores of companies have tried to get around this problem by hiding encryption in their servers, far away from users’ eyes.
And yet, studies have shown that this creates another problem: if I can’t see any of the encryption, how can I relax and be sure that this message where I’m risking my career, maybe my life, is truly away from prying eyes? Just because the software tells me to relax?
PassLok does not hide encryption from users, and it tries hard to make it accessible. This is why the next step in its development is so important. PassLok for Email is a new Chrome extension that adds PassLok encryption to regular web-based email apps. Its beta, which supports Gmail, Yahoo, and Outlook online, has just been released for public testing.
Maybe you received an email that says it was encrypted by PassLok, or maybe you heard about it and want to try it out. In either case, your first contact with the app is likely to be the PassLok landing page at https://passlok.com. There you will see a number of links for the different flavors of PassLok. The one that takes you to PassLok for Email is this one. When you click it, you end up at the Chrome store, ready to add the extension if you are using the Chrome browser.
After you add it, go to your email page (reload it if it was already loaded so the extension can also load). You will see that the Compose window now includes the PassLok logo (orange key) near the bottom. Same for Reply windows. You write the recipients and subject normally, but now you want to click the PassLok logo before entering your confidential message (otherwise the server will get your message, as a draft, as soon as you begin typing).
A new window pops up where you can type your message. The email server won’t see any of its contents. Chances are you have not had any prior contact through PassLok with any of the recipients. If so, you will see an Invite button so you can establish contact with them. Otherwise, you will see a button labeled Encrypt. The difference is that Invite produces first-time invitations that are not really secure, whereas any message after that is secure. When you are done typing and click either of these buttons, a popup asks you for your special Password for PassLok.
Now you need to pause a bit because this step is very important. PassLok won’t store your Password or send it out anywhere at all, so you must remember it. Fortunately, unlike so many programs and websites out there, PassLok won’t force you to include capitals, numbers, special symbols or whatnot. You can use whatever you want as your Password, to ensure you won’t forget it. Instead of forcing you to add special characters in order to make your Password harder to guess, PassLok evaluates its strength as you type it, and penalizes you for using a weak one. The penalty consists of spurious computations that may make things real slow for you (and for hackers trying that Password, which is why we do it this way). In case you can’t come up with anything of at least Medium strength, there is a button you can click to display five random English words. You don’t have to use those, but they might help. You can even use your email password if you want, though this is not a good practice.
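The strength-dependent penalty described above, sketched as an added example (this is not PassLok's own code): a weaker Password is given a higher scrypt cost, so every guess at it is slower. The entropy heuristic, the 76-bit target, the cost bounds and the salt are assumptions chosen for illustration.

```javascript
// Added illustration, not PassLok's implementation.
const crypto = require('crypto');

// Assumed bounds for the scrypt cost parameter N = 2^logN, and an assumed target.
const MIN_LOG_N = 12;   // cheapest setting, used for strong Passwords
const MAX_LOG_N = 16;   // most expensive setting, used for weak Passwords
const TARGET_BITS = 76; // desired (entropy bits + log2 N) for an attacker's total work

// Crude entropy estimate: length * log2(size of the character classes used).
// It overrates dictionary words and repeats; a real meter would penalise those.
function estimateEntropyBits(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 33;
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Each missing bit of entropy is traded for one doubling of the work per guess.
// The clamp at MAX_LOG_N means a very weak Password is slowed down, not rescued.
function workFactorLog2(bits) {
  const wanted = Math.ceil(TARGET_BITS - bits);
  return Math.min(MAX_LOG_N, Math.max(MIN_LOG_N, wanted));
}

// Derive a 32-byte key. The cost is computed from the Password itself, so
// nothing has to be stored: the same Password and salt give the same key anywhere.
function stretchKey(password, salt) {
  const logN = workFactorLog2(estimateEntropyBits(password));
  const N = 2 ** logN;
  const key = crypto.scryptSync(password, salt, 32, {
    N, r: 8, p: 1,
    maxmem: 256 * N * 8, // scrypt needs about 128 * N * r bytes; allow headroom
  });
  return { logN, key };
}

// Constructed sample Passwords, showing the cost each one would be assigned.
for (const pw of ['password', 'qmzfkvwxlophj', 'correct horse battery staple']) {
  const bits = estimateEntropyBits(pw);
  console.log(pw.padEnd(30), bits.toFixed(1) + ' bits', 'N = 2^' + workFactorLog2(bits));
}
```
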
And then, PassLok encrypts your message and puts it back in the Compose or Reply window. Just add whatever extra text you want, click Send, and it’s out. The email page only has the encrypted version of it, and the email provider doesn’t have the key.
The recipient (you, if you installed PassLok for Email because you received an invitation from someone) will see the PassLok icon at the heading of the encrypted message. When he/she clicks on it, the Password popup appears. After the Password is supplied, another popup asks for confirmation if the sender was unknown, and then finally the decrypted message appears.
PassLok will ask you for your Password only once so long as you are using the app. After five minutes of inactivity, the Password is erased from memory and you may be asked again for it.
And that’s IT! No exchanging private or public keys. No confirmation via email. No settings! Want to change your Password? Go ahead and start using a new one. Move to another machine? You’ll find PassLok ready for you as soon as you log into Chrome and reload your email. Feel paranoid about the computer you’re using? Remove your logon from Chrome, and all the extensions, including PassLok, will be removed from the machine. Want to forget about the whole thing? Uninstall the extension.