Paranotic - for notes, for passwords
I want to share with you an unusual password manager (for Win), which I did about a year ago. I think that now it’s not a shame to show it and maybe it will find its users here: www.paranotic.comA year ago, the volume of my passwords from hosting, registrars, FTP and email accounts exceeded the notorious 10% of the brain. I, like many here, generated passwords according to some of my own algorithms, so that I could always remember, and also had a set of “time-tested” and “historically established” passwords.
Of course, I had a “file”, in an encrypted container, where I tried to save everything. In the end, all this became terribly uncomfortable and, most importantly, unsafe. And I began to look for a password manager ...
I didn’t review a lot, the three most common pieces, but I understood the trend and it didn’t quite suit me. The fact is that I had a certain set of requirements for such a program and none of those reviewed completely met these requirements, and their similarity discouraged the search for further. The requirements were as follows:
1. Daily backup to the web server.
In order not to worry about the lost flash drive and, as an option, to be able to "get" their passwords, not having the treasured file on hand, but having access to the Network.
2. Data storage in any text form, approximately, as in a notebook.
Well, I do not like these sets of fields! Not always data is limited by password and login. There are all sorts of pins, payment passwords, etc. And then, often it’s just necessary to tweet a few words and find them in a month.
3. Full text search
I generally had strict requirements for the search. I wanted to be able to find the first letter from hundreds of others. For example, “VTB Credit Card”, it doesn’t matter where these words appear in the note and in what order. I need to find VTB credit card details! A list of recent searches is also needed to minimize keyboard usage.
4. Convenient, minimalistic interface.
Ideally, it should be such a notebook, instantly appearing at the right time with focus on the search field. Well, all sorts of amenities, such as copying data in one click (fewer movements, long live inactivity).
5. Naturally, a reliable encryption and data processing algorithm.
This item, fortunately, is performed by all well-known password managers.
From words to deeds
Having scratched my head, I, as it often happens with me, decided to do everything myself. Firstly, it was necessary to find a reliable and smart crypto module. The coveted dll that meets all the requirements was found on the spiky Australian meadows, at the guys from CryptoSys.net. After some troubles with payment, I still received a valuable load.
The main requirement for the module (after having the BlowFish algorithm) is the presence of the PBKDF2 function. As you know, the key used to encrypt data is obtained using some “strong” hash function, for example, SHA-256. Upon generation, the password is hashed and a key is obtained. The same operation occurs when hacking brute force passwords. And the main thing in search is speed. And in order to reduce the speed of password guessing, scientists came up with the Password-Based Key Derivation Function - roughly speaking, the password is not hashed once, but say 1000 times, which is almost not noticeable when opening an encrypted file, but it is significantly noticeable when trying, because it will require 1000 times more operations with the same password length.
Having decided on the "engine", I began work on the program.
Further, the concept of the points:
1. Data is stored in a single file encrypted with one Master Password
Nothing unusual here. Just like most password keepers. BlowFish encryption algorithm, key 448 bit. Key Generation: SHA256 x PBKDF2
2. Data is broken down into notes.
Let's say one note about hosting (username, password, registration email, link to the control panel, support phone), the other about a suspicious neighbor (when it arrives, whom it leads + phone to follow), the third - the State Department phone, data of the Cyprus account, etc. .d.
Notes are displayed entirely, in a continuous tape, like tweets. Without any folders and groupings. There is, however, the ability to tag. By default, notes are sorted by relevance. The most relevant miraculously hang from above. There are other sorting options, for example, the latest, recently edited, etc.
3. The search query is divided into separate "words" by a space.
For a search query, only notes containing all the searched "words" are displayed. The words are in quotation marks, because it can be any part of the word or the whole word. Ideally, I would like to take into account morphology, but hands have not reached this point yet.
4. Autosave when creating and editing notes.
Everything is clear here. Edit the note and the changes are automatically saved. You can disable it if you can’t live without Ctrl + S.
5. "Gentle" delete notes.
So that unnecessary or outdated notes do not hang in the general tape, you can safely delete them. And if necessary, find the Deleted tab.
6. Backup encrypted file to the server.
This option may seem to many a potential hole, I will not argue. She is not imposed. I can only say that the file is sent through a secure connection and is itself encrypted. If you use a reliable master password, then even when stealing the database from the server, the probability of access to your data tends to zero.
The recovery mechanism (receiving a file from the server) is as follows:
By turning on the backup function, you specify the email to which the file will be sent at your request. Once a day, if there are changes, the file is uploaded to the server. In case of file loss you go to paranotic.com/restoreand request file recovery. If there are files in the database that correspond to the specified email, you will receive an email to this email with links to your files. Download them and open them with your master password.
I note that I do not store emails in the database in clear text - only a richly salted hash. So if attackers get the database, they won’t be able to (quickly) even get user emails. I mean, having received an email and a data file, you can try to get the password by trick .
7. Quick access to data
As I have said more than once, a note can have an arbitrary format, but if you make out the text in a certain way, you will get additional features. For example, a line of the form:
Parameter: value
allows you to copy the value with one click. To visually hide passwords, just put an asterisk after the parameter:
Password *: simsim
After saving, this line will look like this:
Password *: ******
and to copy the simsim to the clipboard, you just need to click on the asterisks.
8. Hot keys
When editing a note, or when viewing it, you can press hot keys and quickly create, for example, a note of the form Login-Password-Url.
Ctrl + L - paste Login:
Ctr + P - paste Password:
Ctrl + G - generate a password (if you press Ctrl + G several times in a row, the generated password is "complicated").
9. Hiding program window.
The paranoid window can be moved to the edge of the table and then it will ridiculously leave behind the screen so as not to interfere with the work. To make it laugh funny, just move the mouse to the edge of the screen. If necessary, you can fix the window with the Fix button so that it does not hide.
10. Automatic file lock.
Leave the file open, you see, is not advisable, even if you went for 10 minutes for lunch or to the chef for a salary. Therefore, the file is locked after a certain idle time, or when the program window is closed. But you also worry about entering a complex master password every time ...
To solve this dilemma, a mechanism called QuickPin was introduced: a short digital pincode that opens a file, but which only works after the file is opened with a password. Those. Once in the morning you enter the password, and then, before the program is restarted, you can unlock the file using QuickPin.
11. Cover the tracks, remove the witnesses.
The program has many chips that will please the chronic paranoid. For example, clearing a memory dump every time a file is locked and disabling the output of the last files opened in the paranoid (recent files).
By the way, KipAs has such a feature as a special field for entering a master password. Like no one can intercept the entered password ... I also wanted it that way until I intercepted the password entry in KipA with a dumb enumeration of the keys pressed. So I refused this chip and the password is entered into the usual "password-protected" field. Perhaps this is the weakest point of all password keepers. But I hope everyone here already uses antiviruses.
How to use all this?
In a nutshell, how I use the paranoid: I have a mobile phone that I use as a flash drive. It stores an encrypted file. During work, I connect the mobile phone to the computer, the paranoid pops up and asks for a password. I enter the password, close the paranoid. If in the process of work I need to write something down - the mouse to the left to the stop (the paranoid popped up), entering the pincode is all! Notes are open. I’m writing down or looking for what I need. Disconnected the mobile phone from the computer - the paranoid closed, the dump cleared. Very comfortably.
Finally
These basic features were implemented in the first version of the paranotics. Then all sorts of little things appeared, which I do not see the point of describing. Try it, you'll figure it out, everything is clear there. Plus, there is a small video on the site.
What are your plans for the future?
The plans include a web interface, mobile including, with the ability to synchronize the local file and data in the web storage. Research on this topic is already underway.
Thank you for your comments and comments.