Cryptnos

Privacy Policy


Last updated June 26th, 2015

The privacy policy for the entire Cryptnos project is fairly simple: We do not collect your data because we do not want your data. We believe your data belongs to you and we have no business looking at it, let alone collecting it. This is especially important when it comes to the security of your password parameters and your master and generated passwords. Not only is it none of our business what your passwords are, but it’s our primary mission to keep them safe. Why would we want to compromise that mission by collecting unnecessary information?

Our base policy is this: We do not collect any data from you aside from (a) what is required for our applications to function properly and (b) what is already broadcast to us that is mostly beyond our control. Additional clarifications of this base policy are listed below.

Data Stored by the Applications

Naturally, Cryptnos is required to store some information in order to function. Each application stores this data in a location appropriate for the platform it is running on (e.g., the Windows Registry or a SQL database). Two specific classes of data are collected: (1) the password parameter data necessary to recreate each generated password and (2) your preferences for each application’s unique settings. Password parameter data is ALWAYS encrypted using a pseudo-random key unless it is currently in active use (that is, you are currently editing or regenerating a given password). Preference data is generally not encrypted as it is not considered security critical.

Your preference and parameter data will NEVER be exported from their storage locations except by direct action by the user. You have the option to export parameter data either via an encrypted export file or by an unencrypted QR Code, either of which may be imported into another copy of Cryptnos on a different device. These exports and imports cannot be automated and require direct user interaction. Master and generated passwords are NEVER available for export or import by either of these methods.

Your master and generated passwords are NEVER stored in any fashion, aside from your device’s transient, operational memory (i.e. RAM).  They are NEVER stored in long-term storage. Thus, these passwords should be relatively safe, although there is always a risk of exposure to malware or other applications running on the same device. Certain optional preferences may increase this risk. Read the Disclaimers page for a more in-depth analysis of these risks.

Checking for Updates

Each version of Cryptnos performs periodic checks over the Internet to see if a new version of the application is available. How these checks are performed and what data is transferred during the process depends on the platform Cryptnos is running on.

Once per week, the Windows (.NET) version of Cryptnos accesses an XML file stored on this site and parses its contents. This XML file includes information on the latest version of the application, including its version number, where the installer for this version can be downloaded, and a cryptographic hash to check for download validity. If the version listed in the file is later than the currently installed version, the user is prompted to download the update and install it. The user may disable this update check within the application preferences, although this is not recommended. No data is collected by the server during this process aside from typical web server traffic (see the section “This Website” below).

Updates for the Android version of Cryptnos are handled via the Google Play Store update mechanism. This performs an interaction similar to the one described above, although the data transaction is handled by the Play Store application and not Cryptnos itself. We here at Cryptnos have no insight into what data Google collects during this process, aside from the aggregated data they provide us through their Developer Console. This aggregate data includes, but may not be limited to: your device model, the version of Android installed on the device, your country, your language preference, the version of Cryptnos you have installed, and your wireless carrier (if applicable). If you install Cryptnos for Android manually (that is, you do not install it via the Play Store), no update checks are performed.

This Website

Normal Internet traffic, and World Wide Web traffic in particular, always consists of an exchange of data between the requesting client and the server. This site is no exception. When your browser contacts our server, it sends a series of headers along with the request that informs the server of its capabilities. Some of this data includes information that may be considered identifiable, although none of it should be considered personal. This data may include, but may not be limited to: your IP address, your browser’s user agent, and the general capabilities of your browser. We store this data temporarily in log files, which we use to analyze our traffic patterns and look for performance optimizations and security violations. We retain detailed logs for approximately one month, then discard them. We also keep aggregate log data, which we currently retain indefinitely.

If you create a login on this site, such as for leaving comments, your browser may be branded with one or more cookies that may contain state and setting information. You may opt to have the site remember your login; if so, an additional set of cookies may include your user name and a “nonce” to ensure its validity. If you do not elect to remain logged in, your browser should discard these cookies when the application is closed. By the nature of the cookie protocol, this data is returned to the server with each request. The user may, at their option, use the preferences within their browser to block cookies set by this site, although it should be noted that this may limit some of its more advanced functionality.

The Cryptnos site does not currently use secure HTTPS communication (SSL or TLS). This is primarily because it shares a physical server and IP address with another site that already uses HTTPS, and HTTPS does not like to be shared across sites that share the same IP. We would like to enable HTTPS on the Cryptnos site eventually, but for now you should be aware that all traffic to and from this site is currently unencrypted.

The GitHub Sites

Our source code repositories are currently hosted by the GitHub service. Aside from comments left there by users, source repository transactions (commits, checkouts, etc.), and generic aggregated data concerning downloads, we receive no information from GitHub on what data they may collect. For that information, please see GitHub’s own privacy policy.