Cryptnos is a multi-platform, Open Source application for generating strong, pseudo-random passwords using cryptographic hashes. It combines a unique "site token" such as a website domain name with a master password and runs this data through a cryptographic hash algorithm to produce a password that is unique, lengthy, seemingly random yet completely repeatable. Unlike similar products, however, it is exceedingly flexible. It is not a browser plugin, so it can be used with other applications outside the Web. It provides unparalleled versatility by letting you specify the cryptographic hash to use, how many iterations of the hash to perform, what characters to include, and how long the final password should be. Best of all, it is exceedingly secure. Your master and generated passwords are NEVER stored, and the parameters to recreate your passwords are stored in an encrypted form.
Not sure if Cryptnos is for you? Try it online first!
Ever since I started working on Cryptnos nearly four years ago, it was always my hope that it would be useful to as many people as possible. Even if only a handful of people were interested in using it, I still wanted to give those people a chance. I started programming in C# for Microsoft .NET mostly as a creative, exploratory exercise; I was required to learn C# by my day job, and Cryptnos and its sibling projects were ways of teaching the language to myself without the benefit of formal classes. I never intended or wanted to exclude anyone from using it, but I eventually had to admit that .NET wasn’t the best framework for making the app as cross-platform as possible.
Thankfully, the Mono Project is here to save my bacon.
I’m happy to announce that we’re getting dangerously close to releasing Cryptnos for Windows 1.3.4, although there won’t be anything new for Windows folks to really see. In fact, calling it “for Windows” will soon be a bit of a misnomer, because beginning with version 1.3.4, we are officially adding Mono support to the app, meaning it will rapidly become Cryptnos for Windows, Mac OS X, Linux, various BSDs, and maybe eventually more.
While I can’t give a definitive ETA on the release just yet, I can say it will be “soonish”. I want to perform a lot more testing before releasing this into the wild. That said, my initial testing has been very promising, so I’m hoping the release will happen sometime in the next week or two.
While we’re excited to see Cryptnos open up onto other platforms, I’m sad to say it won’t come without a few caveats. Here are a few early warning notes to share for the moment:
- Running Cryptnos on non-Windows platforms will require Mono, which is an excellent “port” of .NET to other platforms. That said, we are limited to the platforms they currently support. If you’re not on one of those platforms, unfortunately you’re still out of luck. Please note that although Apple’s iOS is in the list on Mono’s site, there are still no immediate plans for getting Cryptnos on to iPhones, iPods, or iPads any time soon.
- Cryptnos may not behave quite the same as native apps would on any given platform. Remember, Cryptnos was originally written with Windows in mind, so it’s going to look pretty foreign if you’re not familiar with that platform. That said, if you have a little bit of experience with Windows, perhaps just enough that you won’t get lost, you should be OK. There will be idiosyncrasies, but you should grow accustomed to them eventually.
- Installation of Cryptnos on non-Windows platforms will end up being a bit more manual, I’m afraid. In addition to the full-featured Windows installer, we’re going to start releasing a binaries-only archive that contains just the EXE and DLLs necessary to run the program. If you’re running on any system other than Windows, you’ll need to extract that archive into a directory/folder and execute Mono directly to launch the app. After that, it should function pretty much the same.
- Upgrading will similarly be a manual process. While Cryptnos will continue to notify non-Windows users of new updates, the update notice will instead open a new browser window to the Cryptnos site where you can download the new binaries-only archive. Upgrading will then be the same process as installing the app as before, only overwriting the old files with the new ones.
- Due to some poor UI planning on our part (oops), we’re going to temporarily disable “daily use” mode whenever Cryptnos is run under Mono. We apologize for that inconvenience. Once we work out those kinks, we should be able to re-enable it in a future version. Note that this doesn’t affect Cryptnos’ functionality in any way; it just means you’ll have to use the clunkier full UI all the time, rather than “collapsing” it down to a smaller size for the day-to-day use.
- Linux users: The feature to copy generated passwords to the clipboard technically works, but may be a bit clunky. Linux boxes with GUIs actually have two separate clipboards that don’t talk to each other, and Cryptnos only talks to one of them. Which clipboard that is may take some experimentation. I was able to paste generated passwords into GUI apps like gEdit and Firefox using a Control + V keyboard shortcut, but not using mouse-initiated context menus or into terminal windows. You may need a bit of trial and error to see what works best for you.
- Technically, we have only been able to test Cryptnos under Windows and Linux. While it should work just fine on other platforms, be forewarned that it is officially untested on Mac OS X, the BSDs, or any other Mono-supported platform.
- While Mono does support MS Windows, we still recommend that Windows users continue to use Microsoft’s own .NET implementation. Most of our non-Windows workarounds are based on the question of “Are we running under .NET or Mono?” without really testing to see if we’re still running on Windows. Thus, if you run Cryptnos under Mono on Windows, you may be artificially restricting yourself. Again, we hope to work around this eventually in a future version, but for now, just stick with .NET.
We’ll be posting more detailed notes on each platform later as we’re able to perform additional tests. Until then, thanks again for using Cryptnos!
Some of you may have heard about the recent massive Bitcoin theft caused primarily by a flaw in Android’s Java Cryptography Architecture. After reviewing Google’s blog post about the flaw, I can confirm that Cryptnos for Android should be unaffected by it. Although the JCA is referenced by some third-party code in a library we use, Cryptnos doesn’t use any random numbers generated by this library or by the JCA directly. All of our cryptographic hashes and generated passwords rely on user-provided inputs, so the PRNGs are never called.
After a long, frustrating bout of testing and tweaking, we’re exhausted but happy to announce that Cryptnos Online version 1.3 has been released. If you have the production alias URL bookmarked, you should be seeing the new version immediately. Note that due to some aggressive client-side caching rules here on our site, you may need to force a refresh or clear your browser cache in order to see the change.
This is essentially a bug fix, but it did require a fundamental back-end change to our implementation. I’m not entirely sure why this occurred, but our previous implementation, based on some great scripts by Paul Johnston and other contributors, seemed to break in Safari under iOS 6.1.3. We managed to narrow down the problem to just the SHA-512 implementation, but we couldn’t find a way to work within that implementation to fix it. After some experimentation, we found that the great CryptoJS library worked without a hitch and could be used almost as a drop-in replacement for our adaptation of Johnston’s scripts.
We’re going ahead and releasing this as our new current production version, but we could use some testing contributions from folks who use non-Latin character sets. In theory, the CryptoJS library uses UTF-8 internally, which is what we here at Cryptnos use as well. However, we haven’t had a chance to thoroughly test it with non-Latin characters yet. If you regularly use non-Latin characters in Cryptnos and can compare the results generated by Cryptnos Online against the results from the Windows or Android clients, that would be greatly appreciated.
I wanted to post a quick update regarding the previously reported problem with Cryptnos Online on iOS 6.x devices. After doing some debugging, I’ve narrowed the problem down to the SHA-512 implementation. All of the other hash algorithms seem to be working correctly. It just so happens that a password I needed on my iPod Touch used SHA-512, so it’s a wonder that I stumbled upon it when I did.
Apparently, the problem occurs only on subsequent hash iterations after the first one. In other words, passwords generated on iOS devices that use SHA-512 with only one iteration should be fine, but anything that uses two or more iterations will be off. I would strongly suspect that the routines that convert the input strings into binary are to blame, but the other SHA methods use the same routines and don’t seem to cause any problems.
Unfortunately, I don’t have much else to report on this issue, aside from reassuring our iOS users that if they use any hash algorithms besides SHA-512, they should be OK. If you use SHA-512 with only one iteration (which I normally wouldn’t recommend), you should also be fine. As a reminder, all other platforms currently appear to be unaffected.
I’ll try to keep everyone posted on this issue. I apologize for the slow progress.
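The two checks these posts ask testers to make (non-Latin input in the Cryptnos Online 1.3 post, and results that go wrong only after the first iteration in this one) can be automated as a comparison against a reference. The following is an added example, not code from Cryptnos: the two faulty implementations are constructed to show how each class of fault appears, and it makes no claim about what actually went wrong in Safari. The inputs, function names and the list of algorithms are assumptions.

```python
import hashlib


def reference(text, algorithm, iterations):
    """Known-good path: UTF-8 input, every round hashes the previous raw digest."""
    data = text.encode("utf-8")
    for _ in range(iterations):
        data = hashlib.new(algorithm, data).digest()
    return data


def restringed(text, algorithm, iterations):
    """Constructed fault: the digest is turned into a one-character-per-byte
    string between rounds and encoded again, which alters bytes >= 0x80."""
    digest = b""
    for _ in range(iterations):
        digest = hashlib.new(algorithm, text.encode("utf-8")).digest()
        text = digest.decode("latin-1")
    return digest


def wrong_input_encoding(text, algorithm, iterations):
    """Constructed fault: the input is encoded as Latin-1 instead of UTF-8."""
    data = text.encode("latin-1", errors="replace")
    for _ in range(iterations):
        data = hashlib.new(algorithm, data).digest()
    return data


def first_divergence(candidate, text, algorithm, max_iterations=5):
    """Return the first iteration count at which candidate disagrees with the
    reference, or None if they agree for every count up to max_iterations."""
    for n in range(1, max_iterations + 1):
        if candidate(text, algorithm, n) != reference(text, algorithm, n):
            return n
    return None


# Constructed sample inputs: one ASCII-only, one with non-Latin characters.
SAMPLES = ("example.com" + "master passphrase", "example.com" + "пароль")


def survey(candidate, algorithms=("sha1", "sha256", "sha512"), samples=SAMPLES):
    """Map (algorithm, input) to the first divergent iteration count."""
    return {
        (alg, text): first_divergence(candidate, text, alg)
        for alg in algorithms
        for text in samples
    }


if __name__ == "__main__":
    for name, impl in (("restringed", restringed),
                       ("wrong_input_encoding", wrong_input_encoding)):
        for (alg, text), n in survey(impl).items():
            print(f"{name:22} {alg:7} {text!r:35} first divergence: {n}")
```

A divergence at iteration 1 that appears only for the non-Latin sample points at input text encoding; a divergence that starts at iteration 2 points at how the digest is carried between rounds.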
Cryptnos for Android version 1.3.2 has been unleashed upon an unsuspecting world.
Before anyone gets too excited, this is a minor bug release that may only affect a subset of users. If you have a very high-resolution smartphone like the new Samsung Galaxy S4, you may have noticed that the main menu icons were rather large. This was unintended, and unfortunately an artifact of our extreme backward compatibility. In a nutshell, Android uses a number of methods to pick which icons and graphics to use based on screen size, resolution, and other factors. While there are methods to specifically target tablets and other large screen devices in recent versions of Android, our decision to target older devices limits our ability to use them. The older methods are a little less particular and inaccurately made high-res devices like the S4 choose the wrong icons.
I’m not 100% sure this will affect all devices that may be affected, but it seems to work well enough on the devices I have to test with. I hope that if anyone discovers otherwise, they’ll let me know.
All the update links here on the site have been updated. The new version should be visible in the Google Play store within a few hours.
We’re still planning on releasing a 2.0 version sometime in the not too distant future, but our time to work on these updates has been pretty limited lately. I’ll try and post updates on our progress when I can. Thanks for your patience and understanding.
This is a general call for testers. In specific, we’re looking for iPhone, iPod Touch, and iPad users running both iOS 5 and 6. We believe that Apple may have changed something in Safari on iOS 6 that may break compatibility in Cryptnos Online.
I’m primarily an Android user, but I do have an iPod Touch. This is mostly due to the fact that my music and podcasting habits have been entrenched in iTunes for quite some time, but it also gives me a toe in the iOS pool to experiment and test my various websites, Cryptnos included. I recently received a shiny new iPod Touch 5th Generation with iOS 6.1.3 and during the setup process I noticed that the current production version of Cryptnos Online was not working as expected.
I ran a number of tests on various platforms and came up with the following results:
- The new iPod Touch running iOS 6.1.3 is not generating passwords correctly. Generated passwords are consistently incorrect, as in the generated password on the iPod does not match the “reference” password generated by Cryptnos for Windows with identical parameters. Both platforms should be using UTF-8 for text encoding. (I can confirm the Windows app is using UTF-8, and Cryptnos Online should use UTF-8 on all platforms.) What’s worse, subsequent taps on the Generate button occasionally produce different generated passwords, something which should never happen.
- My wife’s 3rd generation iPad (the “new iPad”), also running iOS 6.1.3, exhibits identical behavior to the iPod Touch.
- My old iPod Touch 2nd Generation running iOS 5.1.1 is generating passwords correctly, i.e. it consistently produces the correct password that matches the “reference” value on Cryptnos for Windows.
- Additional tests in several desktop browsers also produce correct, repeatable results. I ran a quick sweep through the following browsers and platforms: Firefox 21.0, MSIE 10, Google Chrome 27, Safari 5.1.7, and Opera 12.01 on Windows 7 64-bit; Firefox 21.0 on Fedora 17 (Linux).
- Additional tests in several Android browsers also produce correct, repeatable results. I tested the following combinations: Chrome 27, Firefox 21.0, “Internet” (built-in browser) on Android 4.2.2; Chrome 27, Firefox 21.0, “Internet” on Android 4.1.2.
What I’m looking for are users who can ideally run all three of the following tests. The iOS 6 test would be required, but either of the other two tests would be a definite bonus.
- Taking note of all input parameters, attempt to generate a password in Cryptnos Online on a device running iOS 6. Please take note of the exact iOS version (Settings – General – About – Version).
- Using the exact same set of parameters, try generating the same password in Cryptnos Online on a device running iOS 5 or earlier. Again, please note the exact iOS version. Please report if the generated passwords match. (You don’t need to report the actual generated password or the input parameters.)
- Using the exact same set of parameters, try generating the same password in either Cryptnos Online on another device or computer, or in the latest version of Cryptnos for Windows. Make sure you are using UTF-8 encoding in the Windows app (disable “daily mode”, Advanced, Text Encoding). Please report if the generated passwords match.
Feel free to post your results in the comments here on the blog, in the related Facebook post that points here, or send us an e-mail to one of the addresses on the Contacts page.
* Yes, Safari on iOS 6 has Web Inspector, but that only works with a Mac, which I do not currently have.
We’re happy to announce that Cryptnos for Windows 1.3.3 is out in the wild. You can find the relevant download links on the official page or, if you have automatic updating turned on, Cryptnos should discover the new version in the not too distant future. Here’s a quick rundown of what’s changed:
We’ve (hopefully) fixed a nasty bug (Issue #8 in the issue tracker) that may be affecting users who run Cryptnos as an account with less than admin privileges. This seemed to crop up especially in corporate environments with strict security policies that heavily restrict users’ access. Surprisingly, this resulted in a complete loss of the user’s Cryptnos data, forcing them to restore from a recent backup. I prefix this with “hopefully” because the number of reports of this problem were very few, and we haven’t heard back from those folks who volunteered to test the fix to see if it worked. I too was affected by this and it appears to work in my instance, but without further feedback it’s hard to know for sure.
We’ve also granted another user’s request with Issue #10, at least partially. We’ve added a few interesting “hot keys” that let you toggle some settings or perform a few simple tasks right from the keyboard, for those old farts like me whose hands rarely leave the keys. In specific, we’ve added one hot key to toggle the “keep on top” setting, which allows you to quickly force Cryptnos to stay on top of other windows while you do something else, like manually type in your generated password. (Some folks prefer not to use the copy-and-paste method, and we can’t blame them.) You can also turn on and off “daily mode” via hot key now, as well as lock/unlock your parameters, copy generated passwords, and launch the Settings dialog, among other things. Full details on the new hot keys can be found in the HTML file, which conveniently launches when you press F1 (after you update, that is).
The generated password text box now displays its value in a monospace, “typewriter” style font that makes it easier to distinguish similar characters (like the letter “O” vs. zero or lowercase “L” vs. the number one). I feel rather sheepish that this wasn’t in there from the beginning, since I’ve run afoul of mistyping stuff myself because of the old font.
The update checking code has been revamped, including a lot more error checking during start-up. This will hopefully fix a number of issues folks have been having with this process. Oh, and since we’re talking about updates, we replaced the goofy “force update check on next launch” checkbox on the Settings dialog with an interactive “Check for Updates” button. That makes forcing an update check much, much easier.
Cryptnos now remembers its previous location on the screen and attempts to restore it the next time the program launches. This was a sticking point for me as I’ve been constantly moving the window from wherever Windows decided to place it today back where I last had it. I’m not sure how well this works with multiple monitor setups since I don’t currently have one, so feedback on this item would be appreciated.
There are also a few other minor, behind-the-scenes tweaks and changes that aren’t very interesting to talk about. If you’re curious, feel free to peruse the change log to get all the changes. As always, we love getting feedback on how we’re doing, as well as suggestions on how to improve. We’ve got some big changes planned for the future to really expand our features, although they’ve been very slow to implement. We really appreciate your feedback, support, and patience.
EDIT: One last thing I forgot! It is with deep regret that I have to report that we are officially dropping support for versions of Windows prior to Windows XP SP3. This was more forced upon us than something we chose to implement. Microsoft dropped support for these old versions quite some time ago, and now our installation compiler (InnoSetup) no longer compiles setup programs that even try to support them. So I’m afraid that if you’re running anything older than XP, 1.3.2 will be your last version of Cryptnos, or you’ll need to manually copy the files from another newer machine. We sincerely apologize to anyone affected by this, although I suspect that list may be very, very small.
I apologize for the long stretch of silence, folks. I realize there haven’t been any new releases for a while, and likewise no news to speak of. As often tends to happen, I’ve been swamped lately with many different irons in many different fires, and unfortunately that means a number of things on my plate have had to sit on the back burner. Since Cryptnos has been relatively stable of late, it quickly became one of those back burner projects. I promise I haven’t forgotten or abandoned it; it’s just low on my priority list at the moment, something that will hopefully change very soon.
So I suppose you’d like to hear a little bit of news on what we do have planned, wouldn’t you? Well, I can confirm that there is a Version 2.0 in the works for both the Windows and Android branches, both of which will hopefully add a number of long requested features. Chief among these will be a new “wizard” password creation mode that will take a series of requirements and generate a password that meets these requirements, all while maintaining Cryptnos’ original level of security. For example, many sites and services list a series of password creation rules not too dissimilar from these:
- Must not be a previously used password;
- Must not contain your profile ID or name;
- Must be at least 8 characters but no longer than 20 characters;
- Must have at least 2 upper case and 2 lower case letters;
- Must have at least 1 digit;
- Must not have more than 2 pair(s) for repeating characters.
Now the first two rules are not something Cryptnos could handle for you. Cryptnos does not store your passwords anywhere, nor does it care what your user ID or name really is. That said, the pseudo-random nature of Cryptnos passwords makes breaking those rules so statistically unlikely that we can practically call them impossible. Similarly, the third rule is easy enough to handle with Cryptnos in its present state: simply set the password length to 20 characters. This is the upper limit of the rule’s length range, and selecting anything less than that would mean artificially weakening the password unnecessarily.
But what about the rest of these rules? Cryptnos does not currently check for these states, although the pseudo-random nature of the generation process makes it hard to actually violate them. Despite this fact, I myself have run into the occasional instance where I’ve had to tweak my Cryptnos parameters because one generated password didn’t match an arbitrary rule like this. It’s a very simple problem to work around—I just increment the number of hash iterations until I happen to reach a generated password that matches the criteria—but it’s still something that would be convenient if Cryptnos did handle for us. (My manual solution does require a bit of work on my part to check that the generated password does not violate the rules.)
So the big new feature planned for Version 2.0 will be a “wizard” mode for creating new passwords. In this mode, you will still be able to set the “classic” set of parameters as before… or you can let Cryptnos choose the “best” options from a series of defaults, in case you don’t care about hash algorithms or the number of iterations. Then you’ll be able to specify a set of rules like the ones listed above. Cryptnos will translate these rules into a series of “classic” parameters and test to see if the generated password meets the specified rules. If not, it will tweak the classic parameters behind the scenes (such as incrementing the hash iterations or changing the algorithm) until it either matches your rules or gives up if it can’t find a match in a reasonable amount of time. Your rules will then be saved in the database, and day-to-day password generation will work just as it does now (Regenerate on Android or “Daily Use” mode on Windows). When it comes time to change your password, Cryptnos will recognize which generation method was used to create the initial password (classic or wizard) and load the appropriate interface.
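The search described above, as an added sketch that is not Cryptnos code: it increments the iteration count until a generated password satisfies the example rules listed earlier, and gives up after a fixed number of tries. The derivation used here (site token and master password concatenated as UTF-8, iterated hash, Base64, alphanumerics only, truncation) and the reading of the "repeating characters" rule as adjacent identical pairs are assumptions, as are all names and sample values.

```python
import base64
import hashlib
import re


def generate(site_token, master, algorithm, iterations, length):
    """Assumed derivation: hash the combined input `iterations` times, encode
    the final digest as Base64, keep letters and digits, cut to `length`."""
    data = (site_token + master).encode("utf-8")
    for _ in range(iterations):
        data = hashlib.new(algorithm, data).digest()
    encoded = base64.b64encode(data).decode("ascii")
    return re.sub(r"[^A-Za-z0-9]", "", encoded)[:length]


def meets_rules(password, min_len=8, max_len=20, min_upper=2, min_lower=2,
                min_digits=1, max_repeat_pairs=2):
    """Check the example site rules; a 'pair' is two identical adjacent characters."""
    repeat_pairs = sum(1 for a, b in zip(password, password[1:]) if a == b)
    return (min_len <= len(password) <= max_len
            and sum(c.isupper() for c in password) >= min_upper
            and sum(c.islower() for c in password) >= min_lower
            and sum(c.isdigit() for c in password) >= min_digits
            and repeat_pairs <= max_repeat_pairs)


def wizard_search(site_token, master, algorithm="sha512", start_iterations=1,
                  length=20, max_tries=1000, rules=meets_rules):
    """Return (iterations, password) for the first iteration count whose
    password passes `rules`, or None when max_tries is exhausted."""
    for iterations in range(start_iterations, start_iterations + max_tries):
        candidate = generate(site_token, master, algorithm, iterations, length)
        if rules(candidate):
            return iterations, candidate
    return None


if __name__ == "__main__":
    # Constructed inputs; only the iteration count would need to be stored.
    found = wizard_search("example.com", "correct horse", start_iterations=100)
    if found is None:
        print("no match within the try limit")
    else:
        iterations, password = found
        print(f"iterations={iterations} password={password}")
```

Because the result depends only on the inputs and the iteration count found, storing that count alongside the rules is enough to regenerate the same password later.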
Since this change will be a pretty big one, I think we’ll be justified in bumping the version number up to the next major version. Unfortunately, that also means this one will be a lot more work. We’ll have to find the best way to define, present, and store these new rules, all while keeping the “classic” generation method available for folks (like me) who will still want to use it. More work, of course, means more time, so for now I can’t give an ETA on when this version will arrive. I’m still in the planning process at the moment, so it will be a while before we’ll see anything worth beta testing.
There are a few other things I’d like to squeeze into 2.0, such as improved support under Mono (right now it doesn’t work at all) and a general clean-up of the Windows UI to make it simpler and easier to understand. And of course there’s the long awaited and oft-neglected Java port, which will likely have to wait until the Windows 2.0 UI is stabilized. It’s coming folks; I promise I haven’t forgotten it.
And then there’s Windows RT….
I received a query at the end of the year regarding whether or not there will be a Windows 8 RT* version of Cryptnos. Sadly, I’m afraid the answer, at least for now, will be the same as the one for iOS: We’d love to do one, but right now it’s not practically feasible. The reason is pretty much the same as for iOS, too. Both mobile operating systems require very specific development environments, neither of which we have access to at the moment. For iOS, that means developing on a Mac (which I don’t have) and learning Objective-C; for RT, that means purchasing Visual Studio 2012, Windows 8, and ideally an RT device to test with. Considering that I just brought all my machines up to Windows 7, I’m not looking forward to going through another upgrade cycle just yet. And while I can sort of justify having both an iOS device and an Android device (after all, I had an old classic hard drive based iPod long before I got my first Android phone, so my music is pretty much mired into iTunes for now), justifying a third such device just for testing on a free (as in beer) app with no budget isn’t going to get very far.
Of course, it’s hard to predict what the future might hold. Fortunes change, and it’s also possible volunteers may step forth to take up the challenge. While I’d love to roll up my sleeves and get into iOS or RT development, it’s going to get harder and harder for me to do so by myself. However, if some brave soul wanted to take charge of a port to one of these platforms, I’d be happy to do what I can to promote and support it. Until I win the lottery (which will be difficult since I don’t play) or a volunteer steps up, for now I suppose Cryptnos Online will have to suffice.
That’s all the news I have for now. I wish everyone a happy and healthy New Year, and I hope my next post will be a long awaited release announcement!
* Note that Windows 8 RT is the “watered-down” tablet-only version of Windows 8. Cryptnos for Windows should still work on Windows 8 for desktops and laptops, although you may have to drop out of the “Metro” interface to the desktop to use it. At this time, Cryptnos for Windows is officially untested on Windows 8. There are currently no plans for placing Cryptnos in the Windows Store.
Just popping in to quickly announce that version 1.3.2 of Cryptnos for Windows has just been released. This is a minor bug fix to address Issue #6 in the issue tracker, pertaining to the sorting of site tokens (i.e. names) in the drop-down list when a new set of parameters has been added. Originally we were planning to hold off on adding this until we started work on version 2.0.0, but work there has been progressing much slower than we anticipated. This was a simple fix, however, so we were able to get it out in an afternoon. Sorry it took so long to get to it.
You can find the download links on the Cryptnos for Windows page, or if you have automatic updates turned on you should get the update notification sometime in the next few days. You can force an update by ticking the “Force update check on next launch” checkbox under Advanced Settings.
We are pleased to announce that Cryptnos Version 1.3.1 for both Windows (.NET) and Android has been released. This is a minor feature release for both platforms, but it also contains some updates to some of our third-party libraries. There’s also a little bit of code clean-up on the Android side which should slightly improve performance.
For both platforms, we’ve introduced a new requested feature that should slightly improve security. This feature allows the user to specify that Cryptnos should clear out the contents of the master and generated password text boxes (“Passphrase” and “Password” on the Windows client) whenever the application loses focus, i.e. Cryptnos is no longer the application that has the user’s direct attention. On Windows (and other .NET clients), this should occur if Cryptnos gets minimized or becomes obscured by another window; on Android, this occurs if the user taps the Home button or otherwise switches to another application without tapping Back to leave and close Cryptnos. In both situations, if the user returns to Cryptnos with this option set, the application will wipe out the contents of these password boxes to prevent anyone from seeing or reading their contents. If the user has selected to have the generated password copied to the clipboard, that copy of the password is unaffected. By default, this option is turned off to replicate the behavior of previous versions. You can find this new setting under each application’s Advanced Settings location.
On the Android side, we also added the ability to type/tap the Enter key while in the master password box to trigger generating the site password. This was already the default behavior for the Windows client, but implementing this on Android isn’t something built into the operating system so it wasn’t as obvious. Still, this was something that annoyed me about the Android client as well, so it seemed like an excellent addition. Note that on the off chance you might use the Enter character as part of your master password, this may break your generated passwords. Since this behavior is incompatible with the Windows client, we don’t think that will affect many people, but please let us know if it does affect you.
We also took the opportunity to upgrade ZXing (the QR code generating library) on the Windows side and the Legion of the Bouncy Castle (our crypto library) on the Android side, both to the latest versions at the time of their release. You shouldn’t notice anything different with respect to this change, but this will hopefully prevent any potential bugs and security flaws that might be present in these modules.
Recently Google integrated a version of Lint into their Android development kit, so we took advantage of the impending release to run the Android version of Cryptnos through it. While many of the suggestions were trivial (and one completely broke Cryptnos so we had to back it out), we did find a few things to tweak that may slightly improve performance. You probably won’t notice it, but maybe folks on slower devices will see an improvement.
As usual, you can download the updates directly from the respective pages here on the site, or from the Google Code sites. Of course, we’d prefer you use the automated update options to keep you as up-to-date as possible. Folks who installed the Android client from the Google Play Store (formerly the Android Market) should get the update notification soon. The Windows client checks for updates once per week, but you can force an update check through the relevant option under Advanced Settings.
If you discover any problem with Cryptnos, please let us know and we’ll look into it as soon as possible. The time I personally have to devote to Cryptnos is a lot less than it used to be, but I try to work on it when I have the opportunity. The preferred place to report bugs or request features is through the Google Code issue trackers, which you can find links to from the various platform pages. While we do take issues via e-mail, we always repost them there for tracking purposes.
As always, thanks for using our humble little app for your password hashing needs!