Cryptnos is a multi-platform, Open Source application for generating strong, pseudo-random passwords using cryptographic hashes. It combines a unique "site token" such as a website domain name with a master password and runs this data through a cryptographic hash algorithm to produce a password that is unique, lengthy, seemingly random yet completely repeatable. Unlike similar products, however, it is exceedingly flexible. It is not a browser plugin, so it can be used with other applications outside the Web. It provides unparalleled versatility by letting you specify the cryptographic hash to use, how many iterations of the hash to perform, what characters to include, and how long the final password should be. Best of all, it is exceedingly secure. Your master and generated passwords are NEVER stored, and the parameters to recreate your passwords are stored in an encrypted form.
Not sure if Cryptnos is for you? Try it online first!
I am happy to announce the extremely long overdue release of version 1.3.3 of Cryptnos for Android. This is primarily a bug fix, fixing Issue #19 in our issue tracker that prevented site parameters from being imported via QRCode if the site token contained a colon (“:”), such as if you used a URL that includes the protocol as part of the name (i.e., “http://www.cryptnos.com/”).
Internally, our QRCode code uses the pipe character (“|”) to separate different parameters, then uses a colon to separate a small “header” for each parameter from the actual value. Unfortunately, if the site token field contained a colon itself, splitting the header/value pair on colons resulted in more items than expected. Using pipes to separate parameters wasn’t an issue because the pipe character is forbidden in the site token field for other reasons. (We use it as a delimiter in other places as well.) However, colons aren’t forbidden, so we have to accommodate their presence. This update should now correctly split the “header” from the value and then reassemble the value with colons intact if they’re found.
The .NET (Windows) client is unaffected by this problem because it only exports parameters via QRCode; it doesn’t import them.
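The colon bug described above can be reproduced with a small parser. This is an added example, not code from Cryptnos; the single-letter field headers and the payload layout are hypothetical stand-ins for the real QRCode format, and the sample payloads are constructed.

```python
# Added illustration; field headers ("T", "H", "I", "L") and the payload
# layout are hypothetical stand-ins, not Cryptnos's real QR format.

FIELD_SEP = "|"    # separates parameters; forbidden inside the site token
HEADER_SEP = ":"   # separates a field's header from its value


class QRFormatError(ValueError):
    """Raised when a scanned payload does not match the expected layout."""


def parse_naive(payload):
    """Pre-fix behaviour: assume each field splits into exactly two parts."""
    params = {}
    for field in payload.split(FIELD_SEP):
        parts = field.split(HEADER_SEP)
        if len(parts) != 2:
            raise QRFormatError(f"expected header:value, got {len(parts)} parts")
        params[parts[0]] = parts[1]
    return params


def parse_fixed(payload):
    """Post-fix behaviour: first part is the header, the rest is the value."""
    params = {}
    for field in payload.split(FIELD_SEP):
        parts = field.split(HEADER_SEP)
        if len(parts) < 2 or not parts[0]:
            raise QRFormatError(f"field has no header: {field!r}")
        # Reassemble the value with any colons it contained left intact.
        header, value = parts[0], HEADER_SEP.join(parts[1:])
        if header in params:
            # A scanned code is untrusted input: never let a repeated
            # header silently overwrite an earlier value.
            raise QRFormatError(f"duplicate header: {header!r}")
        params[header] = value
    return params


# Constructed sample payloads.
PLAIN = "T:cryptnos.com|H:SHA-512|I:100|L:20"
WITH_URL = "T:http://www.cryptnos.com/|H:SHA-512|I:100|L:20"

if __name__ == "__main__":
    print(parse_naive(PLAIN))
    try:
        parse_naive(WITH_URL)
    except QRFormatError as exc:
        print("naive parser rejected URL token:", exc)
    print(parse_fixed(WITH_URL))
```

Splitting only on the first colon (`field.split(":", 1)`) gives the same result as splitting and rejoining.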
The update should now be available in all the usual places. It is preferred that you install it from the Google Play Store, but folks who don’t have access to Google Play can side-load the APK after downloading it. See the official Cryptnos for Android page for the appropriate links.
I apologize for the extremely long hiatus for updates and bug fixes. I could probably write a lengthy update on what’s kept me away from Cryptnos for so long, but that’s a topic for a separate post. Cryptnos isn’t dead, I promise. It’s just extremely difficult for me to devote time to it at the moment, and there’s a lot that needs to be done to update it.
Just making a quick news post to make two quick announcements:
#1: No, Cryptnos as a project is NOT dead. I know it may seem like it is since there hasn’t been any active development visible anywhere for quite some time, but I promise you it hasn’t been abandoned. I won’t bore you with the minutiae, but suffice it to say that the past year has been extremely hectic for me, having changed jobs and moved to a new city. It took us about a year of constant searching just to find a house we were happy with, and now we’re slowly unpacking and trying to resume some semblance of normalcy again. Once that happens, I’m hoping that some of my “free time” will become truly free again and I’ll be able to address some of the long outstanding bugs and improvements I’ve been working on.
#2: Due to Google’s decision to shut down its Google Code service, all of our source repositories have been moved to GitHub. GitHub is a very well known and well respected repository service in the Open Source community, hosting some very well known repositories like the Linux kernel. I’ve gone through and updated many of the links here on the site that previously pointed to Google Code, but there might be a few links straggling, especially in older news posts. The Google Code sites will redirect you to the new GitHub sites, but deep links (like links to individual issue tracker items) might not redirect fully.
Thanks again for using Cryptnos!
For those who aren’t aware, Google has made a number of changes to Android in version 4.4, also known as KitKat. A full list of changes (from the developer’s perspective) can be found here. As yet, most of these don’t affect Cryptnos for Android all that much, but one change in particular is going to mean a shift in functionality.
Starting with KitKat, regular applications are no longer permitted to write just anywhere to “external storage”, which includes SD cards. While reading is still allowed with the proper permissions, apps are now restricted to writing to a single location allocated to them by the operating system. What this likely means is that the functionality we added in Version 1.1.0 of Cryptnos for Android to allow users to select the import/export location (if you have a recognized file manager app installed) is probably going to get ripped out, forcing you to save your exports to a specific folder.
Yeah, I’m not happy about that either.
I’ve created Issue #18 in the issue tracker to track this change. If you’re interested in the gory technical details, you can follow the progress there. I’m not sure how long it’s going to take me to find time to address this, but I’ll try my best to get rolling on it.
In the meantime, KitKat Cryptnos users should be able to save exports to their device’s internal storage, then manually move the file to the SD card with a file manager utility. This seems to work for me. It’s not ideal by any means, but at least it’s a functional workaround.
Ever since I started working on Cryptnos nearly four years ago, it was always my hope that it would be useful to as many people as possible. Even if only a handful of people were interested in using it, I still wanted to give those people a chance. I started programming in C# for Microsoft .NET mostly as a creative, exploratory exercise; I was required to learn C# by my day job, and Cryptnos and its sibling projects were ways of teaching the language to myself without the benefit of formal classes. I never intended or wanted to exclude anyone from using it, but I eventually had to admit that .NET wasn’t the best framework for making the app as cross-platform as possible.
Thankfully, the Mono Project is here to save my bacon.
I am happy to announce that we’re getting dangerously close to releasing Cryptnos for Windows 1.3.4, although there won’t be anything new for Windows folks to really see. In fact, calling it “for Windows” will soon be a bit of a misnomer, because beginning with version 1.3.4, we are officially adding Mono support to the app, meaning it will rapidly become Cryptnos for Windows, Mac OS X, Linux, various BSDs, and maybe eventually more.
While I can’t give a definitive ETA on the release just yet, I can say it will be “soonish”. I want to perform a lot more testing before releasing this into the wild. That said, my initial testing has been very promising, so I’m hoping the release will happen sometime in the next week or two.
While we’re excited to see Cryptnos open up onto other platforms, I’m sad to say it won’t come without a few caveats. Here’s a few early warning notes to share for the moment:
- Running Cryptnos on non-Windows platforms will require Mono, which is an excellent “port” of .NET to other platforms. That said, we are limited to the platforms they currently support. If you’re not on one of those platforms, unfortunately you’re still out of luck. Please note that although Apple’s iOS is in the list on Mono’s site, there are still no immediate plans for getting Cryptnos on to iPhones, iPods, or iPads any time soon.
- Cryptnos may not behave quite the same as native apps would on any given platform. Remember, Cryptnos was originally written with Windows in mind, so it’s going to look pretty foreign if you’re not familiar with that platform. That said, if you have a little bit of experience with Windows, perhaps just enough that you won’t get lost, you should be OK. There will be idiosyncrasies, but you should grow accustomed to them eventually.
- Installation of Cryptnos on non-Windows platforms will end up being a bit more manual, I’m afraid. In addition to the full-featured Windows installer, we’re going to start releasing a binaries-only archive that contains just the EXE and DLLs necessary to run the program. If you’re running on any system other than Windows, you’ll need to extract that archive into a directory/folder and execute Mono directly to launch the app. After that, it should function pretty much the same.
- Upgrading will similarly be a manual process. While Cryptnos will continue to notify non-Windows users of new updates, the update notice will instead open a new browser window to the Cryptnos site where you can download the new binaries-only archive. Upgrading will then be the same process as installing the app as before, only overwriting the old files with the new ones.
- Due to some poor UI planning on our part (oops), we’re going to temporarily disable “daily use” mode whenever Cryptnos is run under Mono. We apologize for that inconvenience. Once we work out those kinks, we should be able to re-enable it in a future version. Note that this doesn’t affect Cryptnos’ functionality in any way; it just means you’ll have to use the clunkier full UI all the time, rather than “collapsing” it down to a smaller size for the day-to-day use.
- Linux users: The feature to copy generated passwords to the clipboard technically works, but may be a bit clunky. Linux boxes with GUIs actually have two separate clipboards that don’t talk to each other, and Cryptnos only talks to one of them. Which clipboard that is may take some experimentation. I was able to paste generated passwords into GUI apps like gEdit and Firefox using a Control + V keyboard shortcut, but not using mouse-initiated context menus or into terminal windows. You may need a bit of trial and error to see what works best for you.
- Technically, we have only been able to test Cryptnos under Windows and Linux. While it should work just fine on other platforms, be forewarned that it is officially untested on Mac OS X, the BSDs, or any other Mono-supported platform.
- While Mono does support MS Windows, we still recommend that Windows users continue to use Microsoft’s own .NET implementation. Most of our non-Windows workarounds are based on the question of “Are we running under .NET or Mono?” without really testing to see if we’re still running on Windows. Thus, if you run Cryptnos under Mono on Windows, you may be artificially restricting yourself. Again, we hope to work around this eventually in a future version, but for now, just stick with .NET.
We’ll be posting more detailed notes on each platform later as we’re able to perform additional tests. Until then, thanks again for using Cryptnos!
Some of you may have heard about the recent massive Bitcoin theft caused primarily by a flaw in Android’s Java Cryptography Architecture. After reviewing Google’s blog post about the flaw, I can confirm that Cryptnos for Android should be unaffected by it. Although the JCA is referenced by some third-party code in a library we use, Cryptnos doesn’t use any random numbers generated by this library or by the JCA directly. All of our cryptographic hashes and generated passwords rely on user-provided inputs, so the PRNGs are never called.
After a long, frustrating bout of testing and tweaking, we’re exhausted but happy to announce that Cryptnos Online version 1.3 has been released. If you have the production alias URL bookmarked, you should be seeing the new version immediately. Note that due to some aggressive client-side caching rules here on our site, you may need to force a refresh or clear your browser cache in order to see the change.
This is essentially a bug fix, but it did require a fundamental back-end change to our implementation. I’m not entirely sure why this occurred, but our previous implementation, based on some great scripts by Paul Johnston and other contributors, seemed to break in Safari under iOS 6.1.3. We managed to narrow down the problem to just the SHA-512 implementation, but we couldn’t find a way to work within that implementation to fix it. After some experimentation, we found that the great CryptoJS library worked without a hitch and could be used almost as a drop-in replacement for our adaptation of Johnston’s scripts.
We’re going ahead and releasing this as our new current production version, but we could use some testing contributions from folks who use non-Latin character sets. In theory, the CryptoJS library uses UTF-8 internally, which is what we here at Cryptnos use as well. However, we haven’t had a chance to thoroughly test it with non-Latin characters yet. If you regularly use non-Latin characters in Cryptnos and can compare the results generated by Cryptnos Online against the results from the Windows or Android clients, that would be greatly appreciated.
I wanted to post a quick update regarding the previously reported problem with Cryptnos Online on iOS 6.x devices. After doing some debugging, I’ve narrowed the problem down to the SHA-512 implementation. All of the other hash algorithms seem to be working correctly. It just so happens that a password I needed on my iPod Touch used SHA-512, so it’s a wonder that I stumbled upon it when I did.
Apparently, the problem occurs only on subsequent hash iterations after the first one. In other words, passwords generated on iOS devices that use SHA-512 with only one iteration should be fine, but anything that uses two or more iterations will be off. I would strongly suspect that the routines that convert the input strings into binary are to blame, but the other SHA methods use the same routines and don’t seem to cause any problems.
Unfortunately, I don’t have much else to report on this issue, aside from reassuring our iOS users that if they use any hash algorithms besides SHA-512, they should be OK. If you use SHA-512 with only one iteration (which I normally wouldn’t recommend), you should also be fine. As a reminder, all other platforms currently appear to be unaffected.
I’ll try to keep everyone posted on this issue. I apologize for the slow progress.
Cryptnos for Android version 1.3.2 has been unleashed upon an unsuspecting world.
Before anyone gets too excited, this is a minor bug release that may only affect a subset of users. If you have a very high-resolution smartphone like the new Samsung Galaxy S4, you may have noticed that the main menu icons were rather large. This was unintended, and unfortunately an artifact of our extreme backward compatibility. In a nutshell, Android uses a number of methods to pick which icons and graphics to use based on screen size, resolution, and other factors. While there are methods to specifically target tablets and other large screen devices in recent versions of Android, our decision to target older devices limits our ability to use them. The older methods are a little less particular and inaccurately made high-res devices like the S4 choose the wrong icons.
I’m not 100% sure this will affect all devices that may be affected, but it seems to work well enough on the devices I have to test with. I hope that if anyone discovers otherwise, they’ll let me know.
All the update links here on the site have been updated. The new version should be visible in the Google Play store within a few hours.
We’re still planning on releasing a 2.0 version sometime in the not too distant future, but our time to work on these updates has been pretty limited lately. I’ll try and post updates on our progress when I can. Thanks for your patience and understanding.
This is a general call for testers. In specific, we’re looking for iPhone, iPod Touch, and iPad users running both iOS 5 and 6. We believe that Apple may have changed something in Safari on iOS 6 that may break compatibility in Cryptnos Online.
I’m primarily an Android user, but I do have an iPod Touch. This is mostly due to the fact that my music and podcasting habits have been entrenched in iTunes for quite some time, but it also gives me a toe in the iOS pool to experiment and test my various websites, Cryptnos included. I recently received a shiny new iPod Touch 5th Generation with iOS 6.1.3 and during the setup process I noticed that the current production version of Cryptnos Online was not working as expected.
I ran a number of tests on various platforms and came up with the following results:
- The new iPod Touch running iOS 6.1.3 is not generating passwords correctly. Generated passwords are consistently incorrect, as in the generated password on the iPod does not match the “reference” password generated by Cryptnos for Windows with identical parameters. Both platforms should be using UTF-8 for text encoding. (I can confirm the Windows app is using UTF-8, and Cryptnos Online should use UTF-8 on all platforms.) What’s worse, subsequent taps on the Generate button occasionally produce different generated passwords, something which should never happen.
- My wife’s 3rd generation iPad (the “new iPad”), also running iOS 6.1.3, exhibits identical behavior to the iPod Touch.
- My old iPod Touch 2nd Generation running iOS 5.1.1 is generating passwords correctly, i.e. it consistently produces the correct password that matches the “reference” value on Cryptnos for Windows.
- Additional tests in several desktop browsers also produce correct, repeatable results. I ran a quick sweep through the following browsers and platforms: Firefox 21.0, MSIE 10, Google Chrome 27, Safari 5.1.7, and Opera 12.01 on Windows 7 64-bit; Firefox 21.0 on Fedora 17 (Linux).
- Additional tests in several Android browsers also produce correct, repeatable results. I tested the following combinations: Chrome 27, Firefox 21.0, “Internet” (built-in browser) on Android 4.2.2; Chrome 27, Firefox 21.0, “Internet” on Android 4.1.2.
What I’m looking for are users who can ideally run all three of the following tests. The iOS 6 test would be required, but either of the other two tests would be a definite bonus.
- Taking note of all input parameters, attempt to generate a password in Cryptnos Online on a device running iOS 6. Please take note of the exact iOS version (Settings – General – About – Version).
- Using the exact same set of parameters, try generating the same password in Cryptnos Online on a device running iOS 5 or earlier. Again, please note the exact iOS version. Please report if the generated passwords match. (You don’t need to report the actual generated password or the input parameters.)
- Using the exact same set of parameters, try generating the same password in either Cryptnos Online on another device or computer, or in the latest version of Cryptnos for Windows. Make sure you are using UTF-8 encoding in the Windows app (disable “daily mode”, Advanced, Text Encoding). Please report if the generated passwords match.
Feel free to post your results in the comments here on the blog, in the related Facebook post that points here, or send us an e-mail to one of the addresses on the Contacts page.
* Yes, Safari on iOS 6 has Web Inspector, but that only works with a Mac, which I do not currently have.
We’re happy to announce that Cryptnos for Windows 1.3.3 is out in the wild. You can find the relevant download links on the official page or, if you have automatic updating turned on, Cryptnos should discover the new version in the not too distant future. Here’s a quick rundown of what’s changed:
We’ve (hopefully) fixed a nasty bug (Issue #8 in the issue tracker) that may be affecting users who run Cryptnos as an account with less than admin privileges. This seemed to crop up especially in corporate environments with strict security policies that heavily restrict users’ access. Surprisingly, this resulted in a complete loss of the user’s Cryptnos data, forcing them to restore from a recent backup. I prefix this with “hopefully” because the number of reports of this problem were very few, and we haven’t heard back from those folks who volunteered to test the fix to see if it worked. I too was affected by this and it appears to work in my instance, but without further feedback it’s hard to know for sure.
We’ve also granted another user’s request with Issue #10, at least partially. We’ve added a few interesting “hot keys” that let you toggle some settings or perform a few simple tasks right from the keyboard, for those old farts like me whose hands rarely leave the keys. In specific, we’ve added one hot key to toggle the “keep on top” setting, which allows you to quickly force Cryptnos to stay on top of other windows while you do something else, like manually type in your generated password. (Some folks prefer not to use the copy-and-paste method, and we can’t blame them.) You can also turn on and off “daily mode” via hot key now, as well as lock/unlock your parameters, copy generated passwords, and launch the Settings dialog, among other things. Full details on the new hot keys can be found in the HTML file, which conveniently launches when you press F1 (after you update, that is).
The generated password text box now displays its value in a monospace, “typewriter” style font that makes it easier to distinguish similar characters (like the letter “O” vs. zero or lowercase “L” vs. the number one). I feel rather sheepish that this wasn’t in there from the beginning, since I’ve run afoul of mistyping stuff myself because of the old font.
The update checking code has been revamped, including a lot more error checking during start-up. This will hopefully fix a number of issues folks have been having with this process. Oh, and since we’re talking about updates, we replaced the goofy “force update check on next launch” checkbox on the Settings dialog with an interactive “Check for Updates” button. That makes forcing an update check much, much easier.
Cryptnos now remembers its previous location on the screen and attempts to restore it the next time the program launches. This was a sticking point for me as I’ve been constantly moving the window from wherever Windows decided to place it today back where I last had it. I’m not sure how well this works with multiple monitor setups since I don’t currently have one, so feedback on this item would be appreciated.
There are also a few other minor, behind-the-scenes tweaks and changes that aren’t very interesting to talk about. If you’re curious, feel free to peruse the change log to get all the changes. As always, we love getting feedback on how we’re doing, as well as suggestions on how to improve. We’ve got some big changes planned for the future to really expand our features, although they’ve been very slow to implement. We really appreciate your feedback, support, and patience.
EDIT: One last thing I forgot! It is with deep regret that I have to report that we are officially dropping support for versions of Windows prior to Windows XP SP3. This was more forced upon us than something we chose to implement. Microsoft dropped support for these old versions quite some time ago, and now our installation compiler (InnoSetup) no longer compiles setup programs that even try to support them. So I’m afraid that if you’re running anything older than XP, 1.3.2 will be your last version of Cryptnos, or you’ll need to manually copy the files from another newer machine. We sincerely apologize to anyone affected by this, although I suspect that list may be very, very small.