pa55: remembering passwords

pa55 is a new way to solve the problem of remembering difficult-to-guess passwords. The idea is to generate strong passwords deterministically based on some easy-to-remember but difficult-to-guess information.

The problem is that we cannot remember passwords. We end up using very easy-to-remember and also very easy-to-infer (for the attacker) passwords. We keep using the same passwords for different services. When we realise that this is not a good thing to do then we start writing down passwords, try to make complicated passwords which are not always that complicated. Sometimes, we also use password managers, many of which help us generate random strong passwords. If we ever need to remember a password that we stored with a password manager then we just unlock the specific password manager database. A solution indeed but not a good one. Why?
  • The password manager database contains many passwords associated with other private information such as account numbers, user names and so on, which are then locked with just one presumably not-so-strong password or sometimes just a four digit code. Can you see the single point of failure?
  • Password managers store data on the cloud for convenience of operation between multiple devices. Yes, they use reasonable encryption but storing such sensitive data on the cloud itself may not incite much trust in people who do not understand the technology.
The solution is PBKDF2 or the industry-standard Password Based Key Derivation Function version 2 (RFC2898: along with a well-known cryptographically secure hash function: SHA1, SHA256 or SHA512. In simple terms, one can define it as a function K = PBKDF2(P, S, R, A, L) where K is the generated key of a desired length L from a password P mixed with salt S, using the HMAC hash function A with iterations R. Let us change some semantics to put this in the perspective of pa55. P is the master secret. S is the password hint, L is the desired size in characters. To keep it simple, let us ignore that pa55 allows you to change the values of R and A.

Now, consider this example. Set the master secret P = "This should not be an easy sentence to figure out!". Simple and easy to remember. (Of course, do not use this master secret literally!) Set the password hint S = "abcd!someservice2014". Well, this is a bit cryptic but that "abcd" part is supposed to be easy-to-remember, for instance the birthday that you might have used so far for your passwords. (Add a bit more secret information to it if you are really going to use your birthday!) Basically, you could just use any of the weak passwords that you have been using so far as this cryptic part. The part "someservice" identifies the service for which this password is going to be used and "2014" is optional if you want to have a date context to the passwords. (You could use months, days and even time but then you will not be able to remember that detail!) The generated password of desired size 12 characters from this example is K = "1kd/9SxlITZ4" with 72 bits entropy for R=500K and A=HMACwithSHA256. And, you will get a completely different password even if you just replaced the exclamation mark in the master secret with a period. Sidetracking here: if you cannot distinguish the I from a 1, or a 0 from a o and so on in the generated password, fear not: pa55 can read it out in slow-paced clear English.

Do we need to save the generated password on the cloud? No, because you can just remember the master secret. The password hint is not that hard to associate with a particular service so long as you have your own ways of remembering its cryptic part. As mentioned before, generated password will change completely if you choose different values of the parameters. Choosing a different value of the password length will, however, only result in a contraction or expansion of the generated password.

Your web browser or other program will save your password for a particular service (K) anyway. If that is ever compromised then the attacker still does not learn the master secret or password hint. You could just use a different password hint (for instance, change the date stamp?) with the same master secret to generate a completely different password to use with that service. Moreover, if one of your passwords get compromised that gives the attacker no advantage to gaining access to the other passwords that you use for the other services.

If you were thinking what would happen if you lost your iOS device then you should not worry: pa55 does not store your passwords on the device. In fact, after a certain period of inactivity, pa55 will delete from your device your generated password as well as the master secret and the password hint and reset all other parameters to default values. The method of generating the passwords, i.e., PBKDF2 is a standard function. It is possible to generate the same passwords with the correct parameters without an iOS device. A stand-alone Java version will be released shortly, which you can use on a computer to generate the same passwords. An Android version will make its way to the app store eventually. The source code of this app will also be made public eventually so that you can see it for yourself what the app does.

Here are some things to keep in mind.
  1. The generated password, master secret and the password hint are all cleared once after two minutes of inactivity (i.e., the app is in the background). However, this does not stop the attacker from using a sophisticated side-channel attack. Most of the time, this should not concern normal users. Mounting a side-channel attack is not trivial and the attacker needs to have your mobile device running pa55 in close proximity to the attacking equipment.
  2. Similar to (1), pa55 is not protected against a DRAM freezing attack but again this requires the attacker to have physical access to your device and the ability to extract its memory module after freezing it. Again, not a concern for normal users. Also, do not forget that pa55 clears your password from memory after a certain short period of inactivity, so the DRAM freezing ought to happen within that period.
  3. However, pa55 does not protect you against attacks launched to gain access to your accounts, such as phishing, inference based attacks and so on. For instance, methods have been demonstrated to gain access to a service starting with the pretence that the password has been lost. This type of attack arises from flaws in the service design or being vulnerable to phishing, not in your choice of password. Should you be concerned? Yes, but there is nothing much you can do regarding your passwords no matter how strong the password, how you generate or how you store it; and do not fall prey to phishing attacks!
  4. If you forget your master secret or your password hints, pa55 cannot help you remember them. Should you be worried? Yes, absolutely! Do not forget the master secret or your password hints. There is no way to retrieve a password that you have generated using the forgotten master secret or the password hint.
If pa55 does not store or transmit the generated password or any information about the user, how can it make money? Well, it does not make money. This app has been developed to solve a genuine problem that people face.