Friday, March 5, 2010

Protect Your Passwords! A beta release

The past month I have spent time developing a little desktop application for safeguarding web account details. This application helps in maintaining a well organized database of secret account information and free text notes, in an ordered and easy to find manner.

What makes it so safe?

This application installs on your local desktop, so the information you type into it never leaves your computer. It encrypts everything you put into it using AES-128 (Advanced Encryption Standard), a high, U.S. government approved standard. It uses the password you provide as part of the encryption key, ensuring that no one else can access the critical information you have unless they have your password. It’s important to remember that nothing is 100% safe, but it helps not to be the easiest prey.

This beta release includes:
· An encrypted database, using AES-128
· Managing records for web accounts, mail accounts, software registration and general notes
· Managing categories for organizing the records (including custom categories)

The next release (not a beta) will include:
· File attachments (you will be able to drag in and out files and the system will encrypt/decrypt them accordingly)
· Backups (you would be able to have temporal backups and retrieve data in case the computer got corrupted, all backups are fully protected)
· Any cool feature I get from people using it (email me for special requests: giladmanor@yahoo.com)

Installing the Protect Your Passwords! application
The installation process is very simple, and it works on all major operating systems (i.e. Windows, Mac and Linux). Just follow the instructions on the badge:

To install this application please follow these two steps:
1. Install Adobe Air
2. Download and run Protect Your Password


Or download directly and run installation manually.

After installing you will find the application icon on your desktop.

Double click it to run the application. After consenting to the disclaimer, you will be asked to enter your master password in the screen shown in figure 1.

Figure 1: Master Password Creation.

The master password is the one password you will need to remember from now on, and better not forget. The master password is used as the key for the encryption of the file containing all the vital data. This means that the encryption is unique to you. The master password registration screen requires you to enter a password of a certain minimum length. While you type your master password, the password strength indicator will let you know how safe your password is.

Using the application
Once the master password is entered, the next time you open this application you will be asked to enter your master password in order to unlock the application, see figure 2.

Figure 2: the login screen

Failing to provide the correct password more than 4 times locks the application, as displayed in figure 3. The reason for this is to make life harder for hackers using automation software to try to guess your password.

Figure 3: a locked application, no further attempts are allowed until the application is restarted

Important note: If you forget your master password, there is no way to retrieve the data, not even by me, since I would need the correct password to decrypt the database.

After logging in, the application dashboard is opened up, where you have shortcuts to all the important features of the application, as displayed in figure 4. 

Figure 4: the application dashboard

From the dashboard you can:
· Search for a protected record, the search is either by a search phrase or by category
· Create a new record
· Create your own categories, delete existing categories (deleting a category doesn’t delete the records that were related to it)
· Change your master password

Not yet in this version: the settings screen for advanced configuration

Searching for Records:
To find a record you are looking for, you may either click on the category it belongs to, or click the search records button. This will move you to the search screen displayed in figure 7.
The new record button will move you to the details screen for entering a new record, displayed in figure 6.

The new category button will open up a popup for entering a label for a new category, as shown in figure 5.

Figure 5: creating a custom category

Removing an existing category involves right clicking on the category you would like to remove and selecting “delete”.
Clicking the change master password button on the dashboard directs you to the master password screen as displayed in figure 1. Failing to complete this form will leave you with the previous password.
Creating a new record is done in the new record screen depicted in figure 6.

Figure 6: creating a new record

The record form is structured from two input areas: one for standard details, as displayed in figure 6, and the other for free text notes, which is accessible by clicking on the “Notes” bar at the bottom of the details screen.

Note that when entering a new account, the details form allows you to create a random password to use on the web account. Since you don’t have to remember the special password, it’s easier to have web accounts that are even more secure. Choose the length of password you would like to have and click on the “Generate” button to render a unique password.
For convenience, you can put the web address (URL) of the site for the web account. This is saved for later quick access but is not mandatory.
The tags have no significant use for now, but in later releases I intend to have advanced search and categorization according to these tags, so it might be useful to start tagging your information.
Exiting the application or this screen without clicking on the save button will result in loss of the changes.

The search screen, as shown in figure 7, allows you to look for a particular record of information either by selecting a category, or by a search phrase, or a combination of both.

Figure 7: the search screen

Once you found the record you were looking for, there are several functionality shortcuts you can access on the record display:
· Navigate to the web account site by clicking the label. This feature is available only if you entered a valid URL in the link field on the details form, as shown in figure 6. If you left the field empty, then clicking on the label will open the record for editing
· Copy USER NAME to clipboard, this is available to you only if you put the user in the user field in the details form
· Copy PASSWORD to clipboard, this is available to you only if you put the password in the password field in the details form
· The little x button is for deleting the record
· The little pencil button is for opening the record for editing

Clicking on any of the category icons on the side will automatically change the search result to include the selected category.
That’s it for now. Please remember that I warmly welcome any suggestion; feel free to send your suggestions to my mail at giladmanor@yahoo.com or to post them as a response on this blog.

Sunday, February 14, 2010

Flex Asynchronous Ciphering using as3crypto

I built myself a little password safe application based on Adobe AIR, and one of the features I wanted to put into it was to store encrypted files. I downloaded the as3crypto package from Google Code, and had my encryption/decryption functionality ready and working in an hour.

It was working smoothly right until I tried to use it on a slightly larger file (a 6.7Mb image file), when the application froze and I got the “Not responding” message on the title of the application window. The application defrosted after a while and the file was processed properly, but it had the GUI locked for far too long.

No worries, I said to myself, all I need is some background process to do the dirty work while the GUI stays free for working with me.

It's a shame that Adobe Flex does not support multiple threads.

Eventually I worked around this problem and wrote a component that interlaces calls to whatever function you give it, so the GUI won't freeze (see my post on the Flex multi threading workaround).
Then I took to the task of making my ciphering class work a chunk at a time. After a superficial profiling session I came to the conclusion that the reading and writing of the files are by far cheaper operations than the ciphering, so the steps used in the solution are:

  • Initiate everything: read source file into memory
  • Interlace on encrypt and decrypt for a small chunk at a time
  • Finalize: write file 

Note: I made a lenient assumption that I wouldn't store a file I can't open all at once.

When I put everything together, it didn't work. I kept crashing on decryption and got an error saying: Error: PKCS#5:unpad: Invalid padding value. expected [252], found [152]
I had a vague idea what this meant, but no idea what I was doing wrong. The answer came to me an hour after I posted a mayday question on Stack Overflow, so I posted the answer too:
The encryption and decryption actions change the actual chunk size. In the processChunck method, the ByteArray length before encryption was 16400 and after changed to 16416. Using the decrypt changes the ByteArray length from 16416 back to 16400.
Hence the solution I chose was to use two numeric values, one for each method used.
I have no idea why this happens, it's not the padding (tested it with Crypto.getPad("none")).
So now I'm sharing it with the world (or rather with the 6 other people who viewed the question on Stack Overflow so far).
Requirements:

  • Download and add the as3crypto package from Google Code into your project
  • Create an interlacing component that would call the async-crypto in pace with the GUI frame rate (or use what I wrote: here)
 
Download the source for the CryptoAsync and add it into your project.
Usage example:
// Encrypt C:/screen.jpg into C:/xxx.crp
var aCrypt:CryptoAsync = new CryptoAsync("C:/screen.jpg","C:/xxx.crp",key,CryptoAsync.ENCRYPT);
aCrypt.getSet();
asyncThread.exec(aCrypt.run,aCrypt);

// Decrypt C:/xxx.crp back into C:/result.jpg
var aDecrypt:CryptoAsync = new CryptoAsync("C:/xxx.crp","C:/result.jpg",key,CryptoAsync.DECRYPT);
aDecrypt.getSet();
asyncThread.exec(aDecrypt.run,aDecrypt);
Where:
  • key is a string of your liking
  • asyncThread is an instance of AsyncThreadComponent you can find here

good luck
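
The chunk sizes reported in this post (16400 bytes before encryption, 16416 after) match what PKCS#5/PKCS#7 padding produces when every chunk is encrypted as its own message, and reading the ciphertext back at the plaintext chunk length fails the padding check. The following is an added example in JavaScript for Node.js, not the CryptoAsync source; the key, IV, input and function names are constructed for the demonstration.

```javascript
// Added example for Node.js; not the CryptoAsync source from the post.
const nodeCrypto = require('crypto');

const BLOCK = 16;           // AES block size in bytes
const PLAIN_CHUNK = 16400;  // plaintext chunk length quoted in the post

// PKCS#5/PKCS#7 padding always adds 1..16 bytes, so a chunk that is already
// a multiple of 16 gains one full block.
function paddedSize(n) {
  return n + (BLOCK - (n % BLOCK));
}

// Encrypt every chunk as its own padded AES-128-CBC message.
function encryptChunks(plain, key, iv, chunk) {
  const out = [];
  for (let off = 0; off < plain.length; off += chunk) {
    const c = nodeCrypto.createCipheriv('aes-128-cbc', key, iv);
    out.push(c.update(plain.subarray(off, off + chunk)), c.final());
  }
  return Buffer.concat(out);
}

// Decrypt by slicing the ciphertext every `chunk` bytes. The slice length
// has to be the ciphertext chunk size, not the plaintext one.
function decryptChunks(enc, key, iv, chunk) {
  const out = [];
  for (let off = 0; off < enc.length; off += chunk) {
    const d = nodeCrypto.createDecipheriv('aes-128-cbc', key, iv);
    out.push(d.update(enc.subarray(off, off + chunk)), d.final());
  }
  return Buffer.concat(out);
}

function demo() {
  // Constructed key, IV and input; a fixed IV is used only to keep the demo
  // deterministic and is not something to copy into real code.
  const key = Buffer.alloc(16, 0x11);
  const iv = Buffer.alloc(16, 0x22);
  const plain = Buffer.alloc(3 * PLAIN_CHUNK + 100, 0x41);
  const enc = encryptChunks(plain, key, iv, PLAIN_CHUNK);
  const roundTrip = decryptChunks(enc, key, iv, paddedSize(PLAIN_CHUNK));
  let wrongSizeError = null;
  try {
    decryptChunks(enc, key, iv, PLAIN_CHUNK); // reader uses the plaintext size
  } catch (e) {
    wrongSizeError = e.message; // padding check fails on the first slice
  }
  return { encLength: enc.length, ok: roundTrip.equals(plain), wrongSizeError };
}
```

Calling demo() gives an encrypted length of 49360 bytes (three 16416-byte chunks plus a 112-byte tail), a successful round trip with the 16416-byte reader, and a decryption error for the 16400-byte reader.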

Friday, February 12, 2010

Flex AS3 Multi Threading Workaround

It's well known that the current versions of Flex (using either the Flash or AIR players) do not provide support for multithreading. Everything you do is loaded on the same main thread that is running the GUI too.
This restriction means that if you have to do a heavy-duty task, the GUI actually stops responding to the user and your app may even get the “Not Responding” label in the title bar while it's off processing.
The way to bypass this issue is to follow two guidelines:
  • Break down the big process into smaller, manageable runs. This means that if you have a loop in which each iteration is taxing, you would want to call that loop one iteration at a time.
  • Call the single iteration in a way that interlaces with the GUI refresh rate.
Here is a simple GUI component that you may place on your application, to invoke calls on some other process without hampering the responsiveness of the GUI.
The method you call by this component has to be in the nature of:
public function runFunction(data:Object):Boolean

Download zip file for AsyncThreadComponent

Usage:
Paste this on your app:
<view:AsyncThreadComponent id="asyncThread" />
When you want something to be invoked, create an object and pass the method:
asyncThread.exec(theObject.runFunction,theObject);

Independent on Sundays

Friday, December 18, 2009

The TimeLabel component

The time label component is something I slapped together to show accumulated time. It’s an enhanced ActionScript3 Label with a simple API for making it tick.

Input a numeric value of time in milliseconds, and the TimeLabel will display it grouped nicely in days, hours, minutes and seconds.

Invoke the time label’s start/stop to make it count seconds in any direction you like.


This is the image of the TimeLabel, which I surrounded with the controls that operate its API.

The API is as follows:

Set and retrieve the numeric value representing time in milliseconds (note: there is no numeric validation, so it's up to you):

  • function set data(value:Object):void
  • function get data():Object

Start and stop the timer:

  • function start():void
  • function stop():void

Determine if the timer goes up or down:

  • function increment():void
  • function decrement():void

download source code

Tuesday, November 17, 2009

Software Disclaimer Sample

I’ve found this text:

This SOFTWARE PRODUCT is provided by THE PROVIDER "as is" and "with all faults." THE PROVIDER makes no representations or warranties of any kind concerning the safety, suitability, lack of viruses, inaccuracies, typographical errors, or other harmful components of this SOFTWARE PRODUCT. There are inherent dangers in the use of any software, and you are solely responsible for determining whether this SOFTWARE PRODUCT is compatible with your equipment and other software installed on your equipment. You are also solely responsible for the protection of your equipment and backup of your data, and THE PROVIDER will not be liable for any damages you may suffer in connection with using, modifying, or distributing this SOFTWARE PRODUCT.

(taken from: www.deq.louisiana.gov)

You just have to replace “THE PROVIDER” with your name or company name, and hopefully it should be OK.

If anyone knows about a better generic disclaimer for software, I would really appreciate a tip.

Monday, November 16, 2009

Crafting blog

I've revived my old “practical art” blog with some things I've done lately.

Lately I have been spending my time either on the White Rabbit project or in my studio, making pots and bowls.

This is the link to my crafty blog: http://practicalart.blogspot.com/

And here is a screen shot from the new White Rabbit version:


In this version I thought it nice to use the spring-graph by Mark Shepherd. I’m not sure it’s the best concept, but it’s lots of fun.

I’ve also been playing around with the skinning, but I haven't mastered it yet (as one can see).