Overview

pa55 is a new way to solve the problem of remembering difficult-to-guess passwords. The idea is to deterministically generate strong passwords based on some easy-to-remember but difficult-to-guess information. All you, as the user, have to remember is some information, not the actual passwords, and pa55 can generate the relevant passwords whenever you need.

The problem with passwords

The problem is that we cannot remember passwords. We end up using very easy-to-remember and also very easy-to-infer (for the attacker) passwords. We keep using the same passwords for different services. When we realise that this is not a good thing to do then we start writing down passwords; and try to make complicated passwords which are not always that complicated. Sometimes, we also use password managers, many of which help us generate random strong passwords. If we ever need to remember a password that we stored with a password manager then we just unlock the specific password manager database. A solution indeed but not without some drawbacks:

1. The password manager database contains many passwords associated with other private information such as account numbers, user names and so on, which are then locked with just one (perhaps not-so-strong?) password or sometimes just a four digit code. This creates a single point of failure.
2. Password managers store data on the cloud for convenience of operation between multiple devices. Although, they use encryption but storing such sensitive data on the cloud itself does not incite much trust in people even if the distrust may not always be reasonable.

pa55 -- the solution!

Passwords are terrible and there is a lot of research trying to find alternative reliable means of authentication. Until passwords disappear, the solution to the problem discussed above is pa55. Imagine it as a black box that takes from you as inputs: a master secret and a password hint (and some parameters should you wish to tweak them), and generates a strong password. Every time you provide the same master secret, the same hint and the other parameters, you will get the same generated password. In addition, if you cannot distinguish the I from a 1, or a 0 from a o and so on in the generated password then pa55 can read it out in slow-paced clear English.

Does it not mean that you have to remember two things instead of one for each password?!

No. You can use the same master secret for all your passwords and even have parts of your password hints the same. This is illustrated in the example below.

Is it still a single point of failure?

No. Make the master secret a really long sentence, and do not make obvious references to it such that it can be derived from inference. This makes it hard to guess but even if someone has access to it, the password hints are different. Just the master secret will not generate your actual strong passwords.

Is there an example?

Let us try this example: set the master secret to "This should not be an easy sentence to figure out!" (ignore the double quotes). This secret is simple and easy to remember. (Of course, do not use this master secret literally!) Set the password hint to "abcd!someservice2014" (again, without the quotes). Well, this is a bit cryptic but that "abcd" part is supposed to be easy-to-remember, for instance the birthday that you might have used so far for your passwords. (Add a bit more secret information to it if you are really going to use your birthday!) Basically, you could just use a single weak password that you might have been using so far as this cryptic part. The part "someservice" identifies the service for which this password is going to be used and "2014" is optional if you want to have a date context to the passwords. (You could use months, days and even time but then you will not be able to remember that detail!) The generated password of desired length 12 characters in this example, is "1kd/9SxlITZ4" (without the quotes) with 72 bits entropy for password iterations set to 500K and the HMAC algorithm set to HMACwithSHA256. You will get a completely different password even if you just replaced the exclamation mark in the master secret with a period. Choosing a different value of the password length will, however, only result in a contraction or expansion of the generated password.

What is going on under the hood?

pa55 utilises the industry-standard Password Based Key Derivation Function version 2 or PBKDF2 (RFC2898: https://www.ietf.org/rfc/rfc2898.txt) along with a well-known cryptographically secure hash function: SHA1, SHA256 or SHA512. In simple terms, one can define PBKDF2 as a function as follows.

DK = PBKDF2(PRF, PWD, S, C, L)

Here, DK is the generated key of a desired length L from a password PWD mixed with salt S, using the pseudo-random function PRF with iterations C. Putting this in the perspective of pa55, we change the semantics of the terms as follows. PWD is the master secret, S is the password hint, L the desired size in characters while DK is the strong password that pa55 generates for you.

Storing versus remembering passwords

Do you need to store the generated password on the cloud? No, because you can just remember the master secret. The password hint is not that hard to associate with a particular service so long as you have your own ways of remembering its cryptic part. If you cannot remember either then by all means, do save either the master secret or the cryptic part of the password hint somewhere but remember never to save them together! Depending on user preferences, in future, pa55 may allow saving either the password hint or the master secret on the cloud.

Besides, your web browser or some other program will save your password for a particular service anyway. If that stored password is ever compromised then the attacker still does not learn the master secret or password hint. You could just use a different password hint (for instance, by changing the date stamp?) with the same master secret to generate a completely different password for use with that service.

If you forget your master secret or your password hints, pa55 cannot help you remember them. Should you be worried? Yes, absolutely! Do not forget the master secret or your password hints. There is no way to retrieve a password that you have generated using the forgotten master secret or the password hint.

Where do I get pa55?

Click on the Download on the AppStore button to download to your iOS device or the Android App on Google Play™ button to download to your Android™ device. If you were thinking what would happen if you lost your mobile device then worry not: pa55 does not store your passwords on the device. In fact, after two minutes of inactivity, pa55 will delete from your device your generated password as well as the master secret and the password hint and reset all other parameters to default values. The method of generating the passwords, i.e., PBKDF2 is a standard function. It is possible to generate the same passwords with the same inputs without a mobile device. Should you not have a mobile device, there is a stand-alone Java version, which you can use on a computer to generate the same passwords.

The pa55 app has not been released under the same developer name for iOS and Android. Why?

That is because it has been developed by different developers working on the same project :-) The link to both the Apple App Store and the Google Play Store apps from here are the original versions, and will be consistent with the source code released in future.

How can I download and use the Java standalone version of pa55?

Download the latest pa55.jar from https://github.com/anirbanbasu/pa55/tree/master/pa55-java-standalone. Ensure that you have the latest Java Runtime Environment on your computer. In the terminal or command prompt, navigate to the directory where you downloaded pa55.jar, and execute the command:

java -jar pa55.jar

Phew, that is ghastly. Is there a pretty interface that I can see on my computer?

Sorry, no: not at the moment but we are thinking of building one.

How much does it cost?

Nothing! pa55 is FREE and has been developed to solve a genuine problem that people face. The source code of this app will also be made public through this GitHub repository eventually so that you can see it for yourself what the app does.

Where to get support?

Use our issue tracker to let us know your questions, comments, feature requests and above all, bugs. You will need to have a GitHub account to report issues.

Privacy policy

pa55 does not store or transmit any of the master secrets and the password hints that you use to generate your passwords. The app also does not track usage information. Well, you will have to take our word on it until the source code is made open! We have made the Java standalone code open, so you can see what is going on. We will release the code for the iOS and Android versions eventually.

Frequently asked questions

There is a Low (10K) option for the password iterations in the Android and the Java versions but there is no such thing in the iOS version. Why?

Android runs on a variety of devices, some of which do not have powerful enough or optimised hardware for secure hash functions. Therefore, running the default 500K iterations may be very time consuming, hence that option has been enabled in the Android version. It has been enabled in the Java standalone version for consistency. In future, it will also be enabled in the iOS version for consistency. The currently supported iOS devices have reasonably optimised hardware to compute 500K iterations of SHA-256 within a reasonable time, which is why this 10K option was not enabled in the iOS version.

The default options in iOS seem to be hard coded while there is a way to save user preferences in Android. Why? I thought nothing was stored!

This is an experimental feature to store the password length, iterations and hash function settings for the user on the device. This is not transmitted anywhere, and is not sensitive enough by itself. This may be enabled in iOS later. Nonetheless, you can disable this option.

The other reason for enabling this feature on Android is to ensure that if a user chooses 10K (because of the aforementioned performance reasons) for the password iterations then the app will remember that choice and go with the 10K option every time without forcing the user to use the slower 500K option the first time.

Are there other similar apps?

The Stanford PwdHash springs to mind. It is built to be used with web browsers.

PwdHash protects the user from phishing attacks. What about pa55?

No, it does not protect the user from phishing attacks. PwdHash is a browser extension that keeps track of which sites you visit. It generates a password based on the website you are visiting. In contrast, pa55 does not really have any control over which website you visit or which application you use your password in. Therefore, it cannot thwart phishing attacks.

Can the secret information be 'sniffed' using a side-channel attack?

The generated password, master secret and the password hint are all cleared after two minutes of inactivity (i.e., the app is in the background). However, this does not stop the attacker from using a sophisticated side-channel attack when the app is in use. Most of the time, this should not concern users. Mounting a side-channel attack is not trivial and the attacker needs to have your mobile device running pa55 in close proximity of the attacking equipment.

Can the secret information be obtained using a DRAM freezing attack?

pa55 is not protected against a DRAM freezing attack but as with the side channel attack, this requires the attacker to have physical access to your device and the ability to extract its memory module after freezing it. This should not be a concern for users. Do not forget that pa55 clears your password from memory after two minutes of inactivity, so the DRAM freezing ought to happen within that period.

General note about attacks

pa55 is an app that helps you generate strong passwords from easy-to-remember information. It does not protect your online privacy from against attacks launched to gain access to your accounts, such as phishing, inference based attacks and so on. For instance, methods have been demonstrated to gain access to a service starting with the pretence that the password has been lost. This type of attack arises from flaws in the service design or being vulnerable to phishing, not in your choice of password. There is nothing much you can do regarding your passwords no matter how strong the password, how you generate or how you store it. Enabling multi-factor authentication on services that support it can be of help, if such multi-factor schemes are implemented correctly.