Android, General, Java, Online, Windows

Power Tip: Reusing Parameters to Make Related Passwords

June 8th, 2010 | Comment?

As mentioned in the FAQ, all versions of Cryptnos do (or will) store all your password generating parameters, with the important exception of your master password. The master password is NEVER stored, and neither is it ever checked for validity. Cryptnos has no concept of whether you master password is “right” or “wrong”; it’s just an extra “salt” of information stirred into the pot to make the soup that becomes your generated password more unique. Some might view this as a design flaw; after all, if you type in your master password incorrectly, your generated password might be “wrong”, resulting in a login failure. We, however, consider this a feature, and here’s a nifty trick you can use to take advantage of it.

Consider, if you will, a popular remote access service that allows you to access your desktops at home from anywhere. You simply install their server software on your machines and whenever you need to access them remotely, you log into their website and select the computer you wish to connect to from the list.  Their server creates the initial connection between the client and the remote machine, then hands over control to the pair to let them communicate directly once the connection is established. Naturally, you’ll want to protect this account with a strong password, and Cryptnos will happily step in to help.

For this scenario, the default parameters appear to be sufficient:

  • Site: PopularRemoteAccessService.com
  • Master Password: “My super secret master password”
  • Hash Algorithm: SHA-1
  • Hash Iterations: 1
  • Character Types: Use all generated characters
  • Character Limit: None (or zero)

So you create your account using this generated password. Great! You’re in. Now it’s time to set up the individual machines. You have several you’d like to access remotely; perhaps you have a couple at home, your parents often ask for help with their computer so you’d like to install it there too, you’re constantly helping your in-laws with their computer so it makes sense to add it to the list, and on rare occasions you even need to help out your sister half-way across the country. That’s five machines you’d like to associate with your account, and the service is happy to oblige you (for an additional fee, of course). Unfortunately, the installation process requires a separate password for each machine as an extra security measure. Being a security conscious person (you do use Cryptnos, after all), you have no problem with that. It’s just you’d hate to clutter up your Cryptnos site list with individual parameters for each machine.

To quote Douglas Adams: Don’t panic. Remember what we stated above: Cryptnos doesn’t care about your master password. So what if we kept the same parameters we used for the account password, but just changed the master password to something else, like the name of the machine we’re going to access? We can even combine that name with another short, easy to remember password for additional security. Consider the following, assuming the machines are named after the characters in a popular comic strip:

Computer Name Master Password
Nick “Nick shortpassword”
Ki “Ki shortpassword”
Fooker “Fooker shortpassword”
Dwayne “Dwayne shortpassword”
Trudy “Trudy shortpassword”

By changing only the master password, you can now reuse the same parameters as the main account password without adding an additional five sets of parameters to your database. There’s no need to modify any of the saved parameters, so you can keep the “Lock Parameters” setting turned on (for the Windows and Java clients) or just use “Generate Existing Password” (for Android), protecting those settings from fat-fingering. Since the inputs will be subtly different for each machine, the cryptographic hash will produce a dramatically different pseudo-random password for each one, unique for each machine and distinct from the overall account password.

This, of course, is just one example of the many permutations you could use for this scenario. If your machines are numbered, you can use that number as the number of hash iterations. (There are limits on this option, of course; you’ll need to specify a number for the account password, and excessively large numbers could lead to performance issues.) You could also pick a different hash algorithm per machine. These, however, modify your parameter settings and require a little extra effort on your part to keep track of what changes are associated with which machine. However, this should give you an idea of what you can do with Cryptnos. You can create an entire set of related passwords, still just as unique and strong, without a lot of extra effort.

What other creative ways have you come up with for using our program?


You can skip to the end and leave a response. Pinging is currently not allowed.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

You must be logged in to post a comment.