Cryptnos

FAQ


Last updated November 12th, 2011

This page lists frequently asked questions (and hopefully their answers) that apply to Cryptnos as a whole. For platform-specific FAQs, check out the following sub-pages: .NET, Android, Java, and Online.

What exactly is Cryptnos?
Cryptnos is a multi-platform, Open Source application for generating strong, pseudo-random passwords using cryptographic hashes. It combines a unique “site token” such as a website domain name with a master password and runs this data through a cryptographic hash algorithm to produce a password that is unique, lengthy, seemingly random yet completely repeatable.
Why was Cryptnos created?
One common problem faced by users today is password security. As we use more and more online services, the number of passwords we have to maintain keeps growing. For the best level of security, each password should be as long and complex as possible, drawing on many different types of characters, and each should be unique to its site. Realistically, of course, the vast majority of users won’t follow this advice. They will pick something simple, short, and easy to guess, and, to make matters worse, they will reuse the same password over and over again. This not only makes one account easy for attackers to compromise; compromising one account can put many others at risk.

One solution that has been introduced is a class of utilities that combine the domain name of a given site with a master password and pass the combined value through a cryptographic hash. The advantage of this approach is that it produces relatively strong “passwords” that are unique for each site. The user only needs to memorize the master password, while gaining the benefit of a strong, unique password for each site.

How is Cryptnos different from similar utilities?
Firstly, almost all of these utilities exist as browser plugins. That works well when you are using that particular browser on that particular computer, but it is useless outside the browser or, worse, when you are on the go with your mobile device.

Secondly, the choice of the domain name as the unique token is usually automatic and cannot be configured; again, this is tied to the browser-centric design of these utilities.

Thirdly, many of these apps use the MD5 cryptographic hash as the engine for producing the final password. While this has worked relatively well, MD5 is no longer considered secure for its intended purpose: practical collision attacks against it have been known for years. Password generation depends on a different property (it should be infeasible to work backwards from the output to the input), and that property has not been practically broken for MD5, but it is still unwise to build on a hash that has already been shown to be weak. Similarly, SHA-1, which is generally considered stronger than MD5, has also shown weakness to specific attacks. No hash can be assumed invulnerable forever, but there are much stronger alternatives available than these two, such as the SHA-2 family.

Fourth, most of these password generating utilities encode their output in hexadecimal. While the result certainly looks random, hexadecimal is actually weak per character: it has only 16 possible values per character, or 4 bits of entropy each, less than even a password drawn from upper- and lower-case letters alone (52 values per character). A more compact encoding such as Base64 packs more entropy into each character: Base64 has 64 symbols, or 6 bits per character. (The padding character, usually the equal sign, only ever appears at the end of the encoded output and carries no entropy, so it should not be counted.) Even if you strip the two non-alphanumeric symbols (i.e., anything that is not a letter or number), you are left with 62 symbols, or about 5.95 bits per character, still almost fifty percent more than hexadecimal. Because the gain compounds with every character, a 16-character Base64 password carries about 96 bits of entropy where the same length in hexadecimal carries 64, so the upgrade should be obvious.

Fifth, none of these utilities take into account the fact that many sites have additional restrictions, such as limiting the types of characters (like only letters and numbers) or the length of the password. It is possible, of course, to modify the password after it has been generated, but then the user must make the extra effort to remember what modifications have been made. If the user cannot be bothered to produce distinct passwords per site already, it is unlikely they will do so here.

Cryptnos ups the ante by approaching each of these issues head-on. Cryptnos exists as its own application, making it usable outside of any given browser. You can simply copy the generated password into any field where it is required. The site token can be a domain name, but it doesn’t have to be; it can be whatever the user wants, so long as it is unique from every other site saved in the database. Cryptnos also gives you considerable flexibility by letting you configure which cryptographic hash to use, how many iterations of that hash should be performed, what types of characters to include, and the length of the final password. It also encodes its output in Base64, giving each character up to 64 possible values before any character-type filtering is applied.
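As an added illustration of the pipeline just described, here is a small Python sketch of a Cryptnos-style generator. It is example code written for this FAQ, not Cryptnos’s own implementation: the order in which token and master password are joined, the way iterations are chained (each round hashes the previous raw digest), the dropping of Base64 padding, and the character-type filter are all assumptions made for the example.

```python
import base64
import hashlib
import math
import string

# Added example, not Cryptnos's implementation. Assumptions: the site token
# and master password are concatenated as token + master, each iteration
# re-hashes the previous raw digest, Base64 padding is dropped, and the
# character-type filter removes disallowed characters before truncation.

CHARACTER_CLASSES = {
    "all": None,                                          # keep every Base64 character
    "alphanumeric": set(string.ascii_letters + string.digits),
    "letters": set(string.ascii_letters),
    "digits": set(string.digits),
}


def generate_password(site_token, master_password, hash_name="sha512",
                      iterations=1, character_class="all", length=None,
                      encoding="utf-8"):
    """Derive a site password from (token, master) the way the FAQ describes."""
    if iterations < 1:
        raise ValueError("at least one hash iteration is required")
    data = (site_token + master_password).encode(encoding)
    for _ in range(iterations):                 # chain: digest of the previous digest
        data = hashlib.new(hash_name, data).digest()
    # Base64 gives 6 bits per character; the '=' padding is fixed, so strip it.
    output = base64.b64encode(data).decode("ascii").rstrip("=")
    allowed = CHARACTER_CLASSES[character_class]
    if allowed is not None:
        output = "".join(c for c in output if c in allowed)
    if length is not None:
        if length > len(output):
            # Filtering shrinks the output; refuse rather than hand back a shorter password.
            raise ValueError(
                f"only {len(output)} usable characters after filtering; "
                "pick a larger hash or a less restrictive character class")
        output = output[:length]
    return output


def bits_per_character(alphabet_size):
    """Entropy per output character for a uniformly chosen alphabet."""
    return math.log2(alphabet_size)


def password_bits(alphabet_size, length, hash_bits=None):
    """Entropy of a password of the given length; never more than the hash provides."""
    bits = length * bits_per_character(alphabet_size)
    return bits if hash_bits is None else min(bits, hash_bits)


if __name__ == "__main__":
    token, master = "example.com", "correct horse battery staple"   # constructed sample input
    for cls in ("all", "alphanumeric", "digits"):
        try:
            print(cls, generate_password(token, master, iterations=100,
                                         character_class=cls, length=12))
        except ValueError as err:               # digits-only may not yield 12 characters
            print(cls, "failed:", err)
    print("bits/char hex:", bits_per_character(16),
          "base64:", bits_per_character(64),
          "alphanumeric:", round(bits_per_character(62), 2))
```

Two things worth noticing when you run it: the same token and master password always give the same output, and restricting the character types eats into the available output, which is why a digits-only request can fail for a length that the unfiltered output would easily satisfy.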

Best of all, Cryptnos remembers all of these details for you, so you don’t have to. You enter your parameters once; the next time you need the password, simply select the site token from the list and everything except your master password is filled in for you. These parameters are stored in the database in encrypted form (how the encryption key is handled is platform-specific; see the platform sub-pages), so an attacker who steals your device does not get them in the clear. Even an attacker who does recover the parameters still cannot reproduce a password without your master password, which is never stored; that is the secret to protect.

Is Cryptnos a browser plugin? I’ve seen plugins that do this sort of thing.
No. Cryptnos resides outside your browser as a separate application. The primary advantage to this is the fact that you can use it to manage additional passwords besides just website passwords.
Where does Cryptnos store my passwords?
It doesn’t, and that’s part of the point. Cryptnos is not a password vault. Your passwords are NEVER stored, neither your master password nor your generated passwords. Generated passwords are recreated on the fly each time you need them. The rest of your site parameters are stored, and how they are stored is platform-specific. In each case, however, they are stored in encrypted form using AES-256. Bear in mind that AES-256 only protects data as well as the key that encrypts it, and where that key comes from and how it is protected is likewise platform-specific. The parameters are not secrets in the way your master password is (an attacker who has them still cannot generate a password without it), but they do reveal which sites and accounts you have, which is reason enough to keep them encrypted.
How much does Cryptnos cost?
Cryptnos is entirely free. We think promoting better Internet security is more important than making money.
Is Cryptnos Open Source?
We have not gone through any efforts to be officially certified as such, but yes, Cryptnos is Open Source. All our new code has been released under the GNU General Public License, version 2, and you should be able to find download links for the source packages along with the links to download the binaries. All pre-existing code either exists as built-in standard libraries for the given platform or also comes from Open Source providers.
Do you have any tips or suggestions for what parameters I should use?
What parameters you use is entirely up to you. With the defaults, you will generate a suitably strong password that is highly resistant to attack. By planning ahead, however, you can make the most of Cryptnos.

You are required to make your site tokens unique, but you should also make them descriptive. A domain name is the obvious choice for a website, but longer, more verbose text gives you a better idea of what the password is for. Note that the token is not a secret: it is stored with your other parameters and is usually guessable (often it is just the site’s domain name), so a longer token does not make the resulting password any harder to guess. The strength of a generated password rests on your master password. If you have multiple accounts on the same site (say, multiple Twitter accounts), a bit of extra text will help you tell them apart (e.g., “Twitter (Personal)”, “Twitter (Blog)”, and so on).

Try experimenting with different hash algorithms and the number of iterations. Don’t use MD5 or SHA-1 unless you absolutely have to; stick to the stronger hashes if you can. If a stronger hash produces more characters than you need, cap the output with the length restriction. Each additional iteration makes every guess an attacker has to try proportionally more expensive, but it also makes generation take that much longer on your own devices, so pick the highest count that is still comfortable on the slowest device you use.

If you can, use all the generated characters, since the full output includes several symbols. If you want to modify the generated password before using it (for example, replacing the second and fourth characters with dollar signs, or transposing characters in certain positions), apply one fixed rule to all of your passwords and keep it to yourself; a consistent rule acts as a small second secret that is never stored anywhere. The trade-off is the one noted above for manual modifications: a rule you forget is a password you lose, so keep it simple.

If you are ever required to change your passwords, you can do this easily by changing your master password. Remember, your master password is never stored, so Cryptnos doesn’t care what you enter; it just adds it to the data and generates the result. Changing your master password once while keeping all your parameter data the same gives you “new” passwords for every site at once, which also means you will have to update every account, not just the one that asked. To rotate a single site without touching the others, change that site’s parameters instead (for instance, append a year to its site token).

The site I’m trying to log into says my password is wrong, but I’m copying it directly out of Cryptnos!
If the site or application you are trying to log into complains that your password is incorrect, first check that you entered your master password correctly. Cryptnos never checks whether your master password is “right” or “wrong”, because it never stores it; a mistyped master password simply generates a different string of characters that won’t match your original generated password. Carefully retype your master password and try again. Humans are very good at visual pattern recognition, and if you use a particular password frequently, you can often tell that a generated password is “wrong” just by glancing at it.

Another possibility is that the service you are authenticating with has a maximum password length restriction but doesn’t publish it. It may accept your original full-length password without an error and silently truncate it; when you later log in with the full-length password, it won’t match the truncated value and authentication fails. We’ve run into this problem several times ourselves, and we think it’s bad form on the part of the designers of those services, but aside from complaining to them there’s not much else we can do. If you think you’ve run into this situation, use the service’s password recovery or reset feature and generate a new password with a shorter length. Make it as long as the service will allow. We also suggest you contact the service’s customer support and politely request that they publish all password restrictions up-front, before the user signs up or changes their password.

Can I use the same master password for all my sites?
Actually, that was the original idea. Since your master password is never stored, it cannot be stolen from the database. And because each generated password is a hash of the master password combined with the other parameters, the hash cannot simply be run backwards to recover the master password. The site token and other parameters make each generated password unique. Bear in mind, however, that using one master password for everything has two consequences. First, if an attacker acquires both your master password and your parameter information, he can recreate any of your passwords at will. Second, if one of your generated passwords leaks (say a site stores passwords badly and is breached) and the attacker knows or can guess the parameters (the site token is often just the domain name), he can run the same derivation offline against a wordlist of candidate master passwords until one reproduces the leaked value. The hash iteration count makes each such guess slower, but it cannot rescue a weak master password. Therefore, choose a long master password that is not in anyone’s dictionary, safeguard it carefully, and treat a breach at any one site as a reason to consider changing it.
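The offline guessing attack described above, as an added example that is not part of this FAQ or of Cryptnos: it replays the same illustrative derivation used earlier on this page (token + master, chained hash iterations, unpadded Base64, truncated to length; all assumptions for the example) against a constructed wordlist, and measures how the iteration count changes an attacker’s throughput on the machine it runs on.

```python
import base64
import hashlib
import time

# Added example, not Cryptnos's code. The derivation below is the same
# illustrative one used earlier on this page and is an assumption, not the
# real Cryptnos algorithm; the leaked value and the wordlist are constructed.


def derive(site_token, master_password, iterations=1, hash_name="sha512", length=None):
    """Core hash-and-encode step: token + master, chained hashing, unpadded Base64."""
    data = (site_token + master_password).encode("utf-8")
    for _ in range(iterations):
        data = hashlib.new(hash_name, data).digest()
    output = base64.b64encode(data).decode("ascii").rstrip("=")
    return output if length is None else output[:length]


# Constructed guess list standing in for a real cracking wordlist.
CANDIDATE_MASTERS = ["password", "letmein", "sunshine", "sunshine2011",
                     "qwerty123", "Summer2011!", "iloveyou"]


def recover_master(leaked_password, site_token, iterations, hash_name, length,
                   candidates=CANDIDATE_MASTERS):
    """Offline guess: re-run the (public) derivation for each candidate master
    password and stop when one reproduces the leaked site password."""
    for guess in candidates:
        if derive(site_token, guess, iterations, hash_name, length) == leaked_password:
            return guess
    return None            # master password not in the wordlist


def guesses_per_second(site_token, iterations, hash_name="sha512", trials=200):
    """Rough attacker throughput on this machine for the given iteration count."""
    start = time.perf_counter()
    for i in range(trials):
        derive(site_token, f"guess{i}", iterations, hash_name)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    params = dict(site_token="example.com", iterations=1000, hash_name="sha512", length=16)
    leaked = derive(master_password="sunshine2011", **params)   # constructed "breach" value
    print("recovered master:", recover_master(leaked, **params))
    for n in (1, 1000):
        print(f"iterations={n}: ~{guesses_per_second('example.com', n):.0f} guesses/s")
```

The lesson is in the numbers: a thousand iterations cuts the attacker’s rate by about a thousand, which is a linear cost the attacker can simply pay with more hardware, while a master password that is not in any wordlist defeats the loop entirely. A plain hash loop is also a weaker construction than a purpose-built password KDF such as PBKDF2 or scrypt; the example keeps the loop only because that is what the page describes.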
How can I tell which versions of Cryptnos are compatible with each other across all these different platforms?
We try not to release major updates unless we can release them for all affected platforms at once. Thus, we may work on a fix for one platform first and hold off on releasing it until we can make the related fix on another platform. Keeping the application in sync across all these platforms is very important to us, as it ensures compatibility.

In general, the version number should help you keep track of which versions are compatible across platforms. Our version numbers are in the format major.minor.build.revision. Major version numbers are reserved for fundamental changes in how the application is designed. Minor numbers indicate important bug fixes or enhancements that may affect all platforms but do not change the core of how the system operates. Build numbers are only incremented for minor bug fixes that affect only one platform. Revision numbers are purely informational and used for our internal record keeping, so they can be safely ignored; sometimes the revision number is omitted altogether. You can safely assume that versions whose major and minor components match (1.2.x) are compatible across platforms. Build and revision numbers can be ignored for these comparisons and are valid only for that particular platform.

Will the passwords generated by one version of Cryptnos be the same as passwords generated by another version on another platform?
In theory, yes, so long as the text encoding used on both platforms is identical (for example, UTF-8 on both). Cryptographic hashes operate on binary data, and as long as the inputs are converted into bytes and processed in the same way, the output will be identical. If, however, one platform uses one text encoding and another platform uses a different one, you will likely get different results. Before relying on Cryptnos for password generation on multiple platforms, test each version you intend to use with the same inputs and make sure the results match.
What is text encoding? How do I check what encoding my platform uses, and how do I change that? What encoding should I use for best compatibility?
Text or character encoding refers to the way computers convert human-readable text into the bytes they actually process. Just as there are many human languages and alphabets that need translating before we can communicate, there are many different character encodings that map text to numbers. Unfortunately, this means that the same block of text can produce different bytes depending on the encoding used, and since Cryptnos hashes those bytes to generate passwords, two platforms with different encodings will generate different passwords from the same inputs. Plain ASCII text (unaccented letters, digits, common punctuation) comes out the same under UTF-8 and most single-byte encodings, so the mismatch typically shows up when a token or master password contains accented or non-Latin characters, or when one platform defaults to a two-byte encoding such as UTF-16.

Cryptnos 1.2 introduces a new Advanced Settings dialog/activity that allows you to change the character encoding used during password generation. This is a dangerous setting that can “break” your existing passwords, so only modify it if you find that your passwords are inconsistent between platforms. Pick an “official” platform that generates your passwords “correctly”, open its Advanced Settings section and note which encoding it is currently using. Then go into the Advanced Settings of Cryptnos on the other platforms and change the encoding to match. The encoding must be the same on all platforms you use in order for your passwords to be consistent across them. The default encoding for each platform is displayed under the encoding drop-down list.

Cryptnos Online can only generate passwords using UTF-8 encoding, a setting which cannot be changed. UTF-8 is widely supported across many platforms and supports a staggering array of alphabets and character types, making it one of the most compatible encodings around. Therefore, we strongly recommend that all users switch to using UTF-8 within Cryptnos unless doing so will severely “break” your existing passwords. All new installations of Cryptnos 1.2 and above will automatically default to UTF-8, but existing installations will maintain their current encoding settings (the platform default) unless explicitly changed by the user.
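Before switching a platform to UTF-8 (or moving to Cryptnos Online, which is UTF-8 only), it helps to know whether your existing tokens and master password would even produce different bytes under the encodings involved. The following added check, example code written for this FAQ rather than anything shipped with Cryptnos, hashes a piece of text under several encodings and groups the encodings that agree. The encoding list and the hash used are assumptions for the example; the real default on each platform is whatever its Advanced Settings dialog shows.

```python
import hashlib

# Added example, not Cryptnos's code. It reports which encodings would feed
# identical bytes (and therefore identical passwords) to the hash for a given
# token or master password. The encoding list is an assumption.

ENCODINGS = ("utf-8", "iso-8859-1", "cp1252", "utf-16")


def digests_by_encoding(text, encodings=ENCODINGS, hash_name="sha256"):
    """Map each encoding to the hex digest of text's bytes in that encoding.
    Encodings that cannot represent the text map to None."""
    digests = {}
    for enc in encodings:
        try:
            digests[enc] = hashlib.new(hash_name, text.encode(enc)).hexdigest()
        except UnicodeEncodeError:          # e.g. CJK text under a Latin-1 codec
            digests[enc] = None
    return digests


def agreeing_encodings(text, encodings=ENCODINGS):
    """Group encodings whose bytes (and therefore generated passwords) coincide,
    in the order each group is first seen."""
    groups = {}
    for enc, digest in digests_by_encoding(text, encodings).items():
        if digest is not None:
            groups.setdefault(digest, []).append(enc)
    return [sorted(group) for group in groups.values()]


def is_ascii(text):
    """ASCII-only text encodes identically under UTF-8 and every
    ASCII-compatible single-byte encoding (UTF-16 is the usual exception)."""
    return all(ord(c) < 128 for c in text)


if __name__ == "__main__":
    # Constructed sample inputs: plain ASCII, accented Latin, and non-Latin text.
    for sample in ("password", "pässword", "密码"):
        print(repr(sample), "ascii" if is_ascii(sample) else "non-ascii",
              agreeing_encodings(sample))
```

For ASCII-only input, UTF-8 and the single-byte Latin encodings land in one group and only UTF-16 stands apart; once an accented character appears, UTF-8 splits off from the Latin-1 family, which is exactly the cross-platform mismatch the question above describes.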

Import/export files generated by Cryptnos 1.1 or higher are unaffected by your character encoding choice as they have always used UTF-8 internally. Therefore, they should remain platform-independent without modification.

I accidentally deleted a site from my site parameters list. How do I recover it?
Um, you did export your entire site list and create a backup, didn’t you? If so, just import the list and you should be fine. If not… well, you’re out of luck. Once deleted, sites cannot be recovered. That is why we strongly recommend that you make a full backup export of your site list every time you make a change you intend to keep, that you copy that backup to a reliable storage location separate from the computer or device you use Cryptnos on, and that you keep the password you set when exporting, since the file cannot be imported without it. We provide the import/export mechanism, but creating the backups is your responsibility.
How do I copy a given site from one computer running Cryptnos to another?
All versions of Cryptnos except the Online version provide an import and export mechanism for transferring parameters from one instance to another.

If both systems are running Cryptnos 1.1 or higher, you can export any number of your site parameters to an encrypted file and import it on any other platform running the same version of Cryptnos. At one time export files were platform specific and could not be moved from one platform to another, but this limitation has been removed with version 1.1. You can export any number or combination of sites, from one to all of them. The encryption on the export file is keyed to the password you set at the time of export, so you just need to supply that password when you import it on the other machine.

Starting with Cryptnos 1.3.0, you can also transfer individual sets of parameters from one instance to another using specially formatted QR codes. Cryptnos for Windows (and eventually Java) can export via QR code but cannot import. Cryptnos for Android can both import and export via QR code, provided a recognized third-party bar code scanning application is also installed on the device. To transfer parameters via QR code, export the site to a QR code on one device, then use the import mechanism to scan the code and import the site into the other device.

Are the export file formats on all the platforms compatible? Can I export my sites from one platform and import them on another?
Version 1.0 of Cryptnos for both Windows and Android exported sites in a platform-specific way, and sites could not be shared across these two platforms. That has changed with Cryptnos 1.1; both platform versions of Cryptnos use the same compatible export format, meaning you can now share your parameters across platforms. Future versions for other platforms should have this new export format from the beginning. Please note that each platform version can still read the old platform-specific export format, so your old export files should still be valid. However, exports from 1.1 versions are not backward compatible with version 1.0 on any platform.
I tried to import a site from a file, but it imported all the sites and overwrote some already saved on my system!
Prior to version 1.3.0, Cryptnos’ import mechanism was an all-or-nothing deal; there was no way to selectively import certain sites from the file. If you wanted to be selective with your import, you should have been selective with your export first. This has changed in version 1.3.0; you will be presented with a list of sites available in the import file and you’ll be able to pick which sites you would like to import. You will be given a warning if you select a site that will overwrite one already stored.
Why is the Cryptnos interface so Spartan on all the platforms?
Our primary focus was on functionality, not making it look pretty. There are no frills; it just works. If you have some suggestions on how to make Cryptnos look better on any given platform, we’d love to hear from you. Bear in mind, of course, that we’re not interested in UI “enhancements” that make Cryptnos harder to use or bloat the file sizes beyond anything practical.
When will Cryptnos be available for the iPhone/iPod Touch/iPad?
Probably not any time soon. The primary problem is that Apple’s iPhone SDK will only run on a Mac and I (Jeff) don’t have a Mac to develop on, nor am I likely to get one anytime soon. Macs are expensive and I’m cheap, and I happen to be firmly entrenched in the PC/Windows/Linux world. However, Cryptnos Online works just fine in Mobile Safari (at least in iOS 4) with only minor display issues. While you will not be able to save your parameter data, you should be able to recreate your passwords if you remember all your settings.
When will Cryptnos be available for [platform it doesn't currently exist on yet]?
Um, when you’d like to help us write it? Cryptnos is currently available on the selected platforms because those are the platforms we know. We’d love to see folks using Cryptnos anywhere and everywhere, but there’s only so much that can be done in a day with the tools that we have. If you’re interested in potentially porting Cryptnos to another platform, drop us a line and I’m sure we can find a way to collaborate. Until then, why not give Cryptnos Online a try?
Does Cryptnos comply with United States export regulations regarding encryption?
As far as we know, yes. Cryptnos uses algorithms that are either standard and built-in to the respective platform (such as Microsoft’s own .NET libraries or Sun’s own cryptographic providers) or are provided by the Legion of the Bouncy Castle Crypto API. With respect to the Bouncy Castle code, we will quote from their own FAQ: “Bouncy Castle is approved classified under ECCN code 5D002 and approved for export under License Exception TSU…. See The Bureau of Industry and Security website for further details.”