Not Yet Another Password Store
This is the Java reference implementation of PA55 NYAPS. The concept behind the original PA55 is that users should not need to remember complex passwords but should be able to deterministically regenerate them from rather simple information that they can remember. Specifically, for every complex password, the user needs to remember a master secret (common to all passwords) and a hint (specific to each password).
For instance, the master secret This is a master secret (really, it should not be this simple!) combined with the hint 01011970@myservice (emulating the fact that people use their birthdays to make their passwords) generates the 12-character password rEApgiO6YgN+ when the password iterations and hash function are set to 250,000 and SHA-256 respectively. That is a nice password with 72 bits of entropy for myservice. Yet, while guessing 01011970@myservice may be trivial for someone with background knowledge, guessing a rather long master secret is not easy – master secrets can be entire sentences. Even a wrongly guessed master secret differing in just one character from the actual one will (with very high probability) produce a completely different password. Neither the master secret nor any hint is stored by the application. Thus, if either of these is lost, it is impossible to recover the corresponding complex passwords. That should not be a matter of concern because, in the event of forgotten passwords, most services allow resetting them, albeit with a minor inconvenience.
There are two fundamental limitations of PA55.
Many services require users to change their passwords periodically. Thus, the user has to remember the different hint used each time, which is not trivial. It is also not easy to remember multiple different hints for multiple services. Since PA55 does not store any hint, keeping track of the various hints can become unmanageably hard.
Many services require users to specify passwords that draw characters from specific sets, such as lowercase letters, uppercase letters, digits, punctuation characters, and so on. The passwords generated by PA55 are Base64 encoded, which means they are made up of lowercase letters, uppercase letters, digits and the characters + and /. However, a generated password may or may not include characters from every one of these sets. Thus, if the user wants to generate passwords that contain only lowercase characters, digits and punctuation marks, PA55 cannot help.
PA55 NYAPS has been developed to address the aforementioned shortcomings.
NYAPS – Not Yet Another Password Store – does actually store something (encrypted, of course). Instead of storing complex passwords (as most password managers do), PA55 NYAPS stores the information needed to regenerate them. One could see it as storing the hint from PA55. These are called password generation settings, password settings or simply settings. Each such encrypted file can contain multiple settings for multiple passwords. The master secret, however, is still never stored; it is supplied by the user whenever the complex passwords are generated.
The settings stored include specifications of desired password length, an issue number (which helps with generating new passwords when the services require them refreshed periodically), and the choice of character sets. The user can now choose to include characters from brackets, digits, lowercase letters, special characters and uppercase letters.
Q1. Why is it open-source?
We make PA55 open-source so that users can see for themselves that there is no funny business behind the scenes.
Q2. There are plenty of password managers – why PA55 NYAPS?
Because those password managers store the passwords themselves (even if encrypted). Thus, compromising those encrypted files leads to the disclosure of the passwords. PA55 NYAPS only stores encrypted settings; the master secret is never stored. Thus, the passwords cannot be generated even if the settings files are compromised (unless, of course, the user stores information about their master secret in those files!).
Some password managers have had to ask their users to change their master passwords after their cloud servers were compromised. This is not the case with PA55 NYAPS: we store nothing on our cloud servers. The user can store their settings files wherever they want, including on cloud storage services, but the master secret is never stored.
There is at least one password manager that, similar to PA55 NYAPS, stores settings instead of passwords and does not store an integral part of the password (akin to the master secret). The problem with such password managers is that they use very simple character substitution or shifting algorithms, which must be kept secret, to generate the passwords. Yet decades of research in cryptography have taught us that the strength of an algorithm should not depend on the user's ability to hide it (Kerckhoffs's principle). Instead, even with a public algorithm, there should be no advantage in guessing the output, even with partial knowledge of the inputs. We use publicly known algorithms in our password generator, i.e., PBKDF2 and a random number generator based on AES-128 in CTR mode.
Q1. What encryption is used for storing the password settings database files?
Industry-standard AES-128 in CTR mode, with a 256-bit HMAC over the ciphertext (encrypt-then-MAC).
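As an added illustration (not the project's own code or file format), this Ruby snippet shows the encrypt-then-MAC construction named in Q1 and Q2: AES-128-CTR encryption followed by a 256-bit HMAC over the IV and ciphertext, verified before any decryption so that a modified settings file is rejected rather than silently decrypted to garbage. The key split, the blob layout and the helper names are assumptions of this example.

```ruby
require 'openssl'

# Encrypt-then-MAC container for a settings (or QR code) blob: AES-128-CTR for
# confidentiality, HMAC-SHA-256 (256-bit tag) over IV||ciphertext so a corrupt
# or tampered file is rejected before a single byte is decrypted. Key split,
# layout and the constant-time compare are assumptions of this example, not
# the project's file format.
module SettingsFile
  IV_LEN = 16
  TAG_LEN = 32

  # key32: 32 bytes obtained elsewhere (NYAPS would derive them from the user's
  # passphrase with PBKDF2); first half encrypts, second half authenticates.
  def self.seal(key32, plaintext)
    enc_key, mac_key = key32.b[0, 16], key32.b[16, 16]
    iv = OpenSSL::Random.random_bytes(IV_LEN) # fresh per file: CTR must never reuse key+IV
    c = OpenSSL::Cipher.new('aes-128-ctr')
    c.encrypt
    c.key = enc_key
    c.iv = iv
    body = iv + c.update(plaintext) + c.final
    body + OpenSSL::HMAC.digest('SHA256', mac_key, body)
  end

  # Returns the plaintext, or nil when the tag does not verify (wrong key,
  # truncated file, or any flipped bit in IV or ciphertext).
  def self.unseal(key32, blob)
    blob = blob.b
    return nil if blob.bytesize < IV_LEN + TAG_LEN
    enc_key, mac_key = key32.b[0, 16], key32.b[16, 16]
    body = blob[0, blob.bytesize - TAG_LEN]
    tag = blob[blob.bytesize - TAG_LEN, TAG_LEN]
    return nil unless constant_time_eq?(tag, OpenSSL::HMAC.digest('SHA256', mac_key, body))
    c = OpenSSL::Cipher.new('aes-128-ctr')
    c.decrypt
    c.key = enc_key
    c.iv = body[0, IV_LEN]
    c.update(body[IV_LEN, body.bytesize - IV_LEN]) + c.final
  end

  # Compare tags without an early exit, so timing does not leak where they differ.
  def self.constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```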
Q2. What encryption is used for _optionally protecting_ the QR code of the generated passwords?
AES-128 in CTR mode, with a 256-bit HMAC over the ciphertext.
Q3. PA55 offered an option for specifying the hash function: SHA-1, SHA-256, SHA-512. What happened to that?
PA55 NYAPS no longer offers that choice. The hash function used by the password-based key derivation function (PBKDF2) is SHA-512.
Q4. PA55 offered an option for specifying the iterations, e.g., 250K, 500K. Where is that now?
PA55 NYAPS no longer offers that choice. The number of rounds used by the password-based key derivation function (PBKDF2) is fixed at 25,000 (25K).
Q5. What random number generator is used in PA55 NYAPS in the password generation algorithm?
AES-128 in CTR mode is the basis of the deterministic random bit generator: each 128-bit block the cipher produces as the counter increments supplies the bits from which random numbers are drawn.
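Putting Q3 to Q5 together with the settings described earlier (length, issue number, character classes), here is an added Ruby example (not the project's own code) of the whole generation step: PBKDF2-HMAC-SHA-512 at 25,000 rounds turns the master secret and hint into a key, an AES-128-CTR keystream serves as the deterministic random bit generator, and its output is mapped onto the chosen character classes without modulo bias. The salt layout, the members of each character class and the bits-to-character mapping are assumptions, so the output will not match the passwords the project itself produces.

```ruby
require 'openssl'

# Character classes named in the README (brackets, digits, lowercase, special,
# uppercase); the members of each class are an assumption of this example.
CHARSETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  brackets: '()[]{}<>',
  special: '!@#$%^&*-_=+;:,.?'
}.freeze

ROUNDS = 25_000 # NYAPS fixes PBKDF2 at 25K rounds (Q4)

# Deterministic random bit generator built on AES-128-CTR (Q5): the keystream,
# one fresh 128-bit block per counter increment, is the random bit source.
class CtrDrbg
  def initialize(key16)
    @cipher = OpenSSL::Cipher.new('aes-128-ctr')
    @cipher.encrypt
    @cipher.key = key16
    @cipher.iv = "\0" * 16 # zero IV: every (secret, hint, issue) has its own key
  end

  # Unbiased index in 0...n: take 32 keystream bits and reject values that
  # would skew the modulo, so no character is favoured over another.
  def next_index(n)
    limit = (1 << 32) - ((1 << 32) % n)
    loop do
      r = @cipher.update("\0" * 4).unpack1('N')
      return r % n if r < limit
    end
  end
end

# A NYAPS-style setting: hint, length, issue number, chosen classes. Only these
# are stored; the master secret is typed in at generation time. The salt layout
# "hint:issue" is an assumption; bumping the issue gives an unrelated password.
def generate_password(master, hint:, length:, issue: 1, sets: %i[lower upper digits])
  alphabet = sets.map { |s| CHARSETS.fetch(s) }.join
  key = OpenSSL::KDF.pbkdf2_hmac(master, salt: "#{hint}:#{issue}",
                                 iterations: ROUNDS, length: 16, hash: 'SHA512')
  drbg = CtrDrbg.new(key)
  Array.new(length) { alphabet[drbg.next_index(alphabet.size)] }.join
end

if __FILE__ == $PROGRAM_NAME
  puts generate_password('This is a master secret', hint: '01011970@myservice', length: 12)
end
```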
Q6. Is there a version that runs on smart phones?
Q7. I am too lazy to run the executable JAR file. Is there an OS-native version that I can double-click and run?
Yes, there are OS-native versions for macOS and Windows; see the releases.
For further information, including a description of the algorithm and how to contribute to this repository, please refer to the wiki pages of this repository.