C'YaPass: Forget All Your Passwords

Never Memorize A Password Again
Never Type A Password Again
Never Make Up A Password Again

Nothing Can Make You Completely Safe, But You Can Be Safer

There are no guarantees for safety.  As soon as someone offers you a guarantee, someone else sees it as a security challenge to crack.   Fortunately there are ways to become more safe.  

Safe Enough Through Strength

However, if you use the correct tool, you will be so safe that it is too bothersome for nefarious characters to try to crack your security.  They'll move on to easier prey.

Convenience and Strength

A proper security tool should offer you convenience and strength.  We all know that if a tool is too difficult to use, people are going to ignore it, even if it makes them safe.  

That's a big reason that C'YaPass is focused on making your life easier.  That's why the big three ideas of C'YaPass are so important:

Big Three of C'YaPass

  1. Never type a password again
  2. Never memorize a password again
  3. Never make up a password again

In the End, It's Just A Password Generator

But, C'YaPass is no panacea, no cure-all.  It will :
  1. Make far stronger passwords than you could ever create
  2. Make it easier to sign in to your secure sites no matter what device you are using.

Even When Using C'YaPass, Think Strong

The strong you make your site/keys in C'YaPass, the better.
Here's how you can make stronger site/keys:
  • Make them longer
  • Put special chars in them
  • Use uppercase
Why would you do all of that?  in the extreme case where some hacker comes along and attempts to generate passwords based off of the billions of graphic patterns and unlimited site/key inputs it will make it more difficult for the hacker to get even close to your site/key.  Without your exact site key they'll never be able to get your final hash password.  

Here's An Extreme Example

Suppose you make your site/key something like any of the following:
  • yahoo
  • gmail
  • microsoft
Those may be common site/keys which could mean the nefarious actor would be half way towards a final hash.  Well, it's probably not even half way with all the graphic patterns she'd have to try also, but stronger is better.

You might create yours which look like the last two in the following image:


Of course, you can make the pattern you draw far more complex than my example also.

Why Would I Tell You This?

I reveal everything about C'YaPass so you can be the most secure possible.

Main Goal of My Work With C'YaPass

My goal is to get everyone to use C'YaPass, but a more important goal of mine is to :
Make Everyone More Secure
and 
Make Hacking of People's Data More Difficult As A Deterrent

It we all simply become more conscious of security through many people considering passwords and we obtain stronger security, then I consider that a success.

Three Steps To Never Type Your Password Again

Once you have just one site/key entered into C'YaPass you will begin to realize the benefit of never having to type a password again.  It's as simple as three steps shown in the following series of images.

Choose Your Site/Key

Simply click on the item in your list of site/keys.

[x]

Here's a quick zoomed up look at the generated password.  Later we'll compare this to the one that is generated in the Anrdoid app.


Draw Your Pattern

This is your unique pattern that helps create the password for all your sites.

You can see the pattern we drew in the first image.

Paste The Password At Your Login Site

In this example, we'll sign into our mail account at Microsoft Live.

Just right-click on the password text box and choose the Paste item that appears in the context menu.


I've highlighted the password field in the next image to make it stand out.  You can see that the password box turns the characters into dots to hide them.


Not Necessarily All That Amazing

This isn't all that amazing, except of course you don't have to type your password.  On a computer, that's not too big of a deal because you have a physical keyboard.  

Consider Typing 64 Characters With Your Thumbs

However, imagine trying to type that 64 character password on a mobile device.  With C'YaPass you never have to again.  Let's take a look at the Android app as an example.

Android Sign On : No Typing With Your Thumbs

We can do this fast, because it's the same thing.

  1. Choose your site/key.
  2. Draw your pattern
  3. Paste the generated password.
It all looks like the following in the Android app:


It's The Same Complex Generated Password

Take a close look at the generated password.  It's the same generated password here on Android as you had generated in the Windows app.  

Same Two Elements

That's because you used the same :
  1. site/key
  2. drawn pattern
If you had altered either of those you'd have a completely different complex password.

To finish this out, here's what it looks like when you paste your password into the mail.live.com site:




It's true with C'YaPass: 

Never type a password again.  

Remember, C'YaPass also means :
  1. You will never memorize a password again
  2. You will never make up a password again.

Arbitrary Password Requirements Got Users Going In All Directions

We've all experienced it. You go to a web site and try to sign up and create a password and it has yet another set of arbitrary rules for creating your password.  

Those requirements are often created by developers who make arbitrary decisions that are not based upon current research.  

MIT Technology Review magazine has exposed research which shows that longer passwords are stronger.

MIT Technology Review Magazine

MIT's Technology Review magazine reported back in October 2015 that research shows that longer passwords is what makes them stronger.  The article goes on to explain that many web sites get password requirements wrong and require special characters and uppercase in a false belief that those elements make passwords stronger.  You can read the original article at : https://www.technologyreview.com/s/542576/youve-been-misled-about-what-makes-a-good-password/

Making Passwords Stronger

Making passwords stronger means making them longer.  But everyone knows that human memory has limits.  A great length for a password might be 64 characters. However, there are few people who are going to memorize a 64 character password for even one site. That's what C'YaPass is for.  It generates long passwords (which are not based upon words) and will manage them for you.

Arbitrary Password Requirements

Even a federal student loan payment site (nelnet.com) that I've had to use recently enforces these false requirements.  Here's what the requirements look like:


The alarming thing in these requirements is that a password is constrained to a maximum of fifteen characters.  That's not good.

That's a very short password and makes it quite a bit easier for hackers to generate password possibilities.

Arbitrary Requirements Confuse Users

These requirements confuse users into believing this is how you create a strong password.  But, as the MIT article mentioned, the hackers have changed their methods and using those extra symbols doesn't do much to increase the strength of a password.

Great Sites Understand That Password Length Is What Matters

Here are some example sites and companies that accept the C'YaPass default 64 character password:

  • Microsoft
  • Google
  • LinkedIn.com
  • Yahoo! mail - They changed this right after they were hacked.  Previously they only allowed passwords up to 32 characters.

What About Apple?

My AppleId will only accept up to 32 characters and it forces an uppercase.

Password Strength Testers

We've all seen those Password Strength testers which supposedly determine how strong your password is, but they are of dubious value.  That's because they simply check for things like the arbitrary requirements I showed you earlier in this article. 

When I enter a 64 character hash value generated by C'YaPass, that is not based upon words into those things, they generally say the password is of medium strength.  That's something that really needs to change.

Check Your Password Strength

Here's a utility that was created by the creators of DashLane, a popular password management system that stores your passwords in an encrypted file or out on the web on the Dashlane site.  

https://howsecureismypassword.net/

That link will open in a new window and then you can check your password strength and how long it will take hackers to guess your password on average.  

Test Easy Passwords

You don't have to type your real password, but just type in something like a word.  For example I used the word super and it resulted in the following:


I then changed my test password to "supergood" and got the following result:


Finally, I changed my password test to one generated by C'YaPass :

8d9b0b2639a9bdf96c1066ad2fa488f33b1188fc0ab7c600df83cfe2851e9017

I obtained the following result:


Yes, sesvigintillion is a real number.That's a long, long time.  See https://en.wikipedia.org/wiki/Names_of_large_numbers for more about sesvigintillion.

Make Your Passwords Stronger

Whether you decide to use Dashlane or C'YaPass is up to you, but definitely start using something to make your passwords stronger and your accounts more secure.

C'YaPass Availability

You can get C'YaPass for Windows here at this site for free: http://cyapass.com/page/get-c-yapass

You can get the Android version in the Google Play store for free: https://play.google.com/store/apps/details?id=us.raddev.cyapass

IOS Coming Very Soon

The iOS / iPhone/ iPad version is coming soon (by end of year 2016).

Why Did I Create C'YaPass? Who Will Use It?

Passwords have become such a burden that many people escape them however they can.

Yet Another Password

Recently, my son began attending the local University.  I had to sign up for numerous new IDs during that time (a FAFSA fed id, another University ID tied to my son's, etc). 

How Real People Use Passwords

I was lamenting the problem of multiple IDs and passwords when my son's friend said, "You know what i do?"  Then without waiting she finished. "I just use one password for all of my accounts."

My jaw fell open and I said, "You are going to get hacked."

She said,

"Oh, I did.  My Facebook account got hacked.  You know what I did?  I just changed one letter in my password to an uppercase or something. It's just too much of a pain to think about all those passwords."

If you're tech savvy your first thought may be that someone who feels this way may not be intelligent.  I assure you this is a very smart person. She's an honors student at University.  This type of thinking may be naive, because the person believes it doesn't even matter if they do get hacked, but this is not about intelligence.  It's more about how annoying and overburdening passwords have become.

C'YaPass Is Perfect For Kids

It's perfect for kids who are probably going to take shortcuts to creating passwords. Get them to use it and help them have one more layer of security for their online accounts. 

You May Be Technically Savvy

You may be a technical savvy person who finds it easy to create cryptic passwords.  But most people are not great at it.  Help those people use C'YaPass.  


You May Have A Great Memory 

You may have the ability to memorize thirty different passwords to thirty different accounts but most people just take the path of least resistance. Those are the people that should be using C'YaPass.

You May Understand the Reality of Security

You may understand that there are real security issues and real hackers who can cause real problems if they get your information.  A lot of people just don't even consider the problem, because passwords are first and foremost a burden.

Those are the people I want to reach.  I want to give them any extra help to create the most secure accounts that I can.

I created C'YaPass to help everyone manage the overwhelming number of online accounts that most of us have now.  It's meant to be a simple tool that can be run universally (Windows, Android, soon-coming iOS (iphone / ipad).  

Manage All the Password Nonsense

Get it and use it for free.  I believe you'll find it serves to resolve a lot of the nonsense that is associated with the modern difficulty of password management.

A Password Generator? What? Why? How?

CYaPass Does Not Store Your Password

Here's the thing that may seem odd.  CYaPass does not store your password anywhere.

Nope.  

It generates your password every time.

It Doesn't Quite Look Right

When you see a really new thing, it doesn't quite look right.  I mean somebody probably would've already thought of this thing, right?

That's one of the reasons I'm so excited about CYa Pass, because it forces a paradigm shift of sorts.  Previously, everyone thought that you had to store the password in a file and keep it encrypted for the user.  Now, CYaPass changes that.

It does something so different that it shifts your thinking about passwords.

It's something like what Peter Thiel says in the preface of his current best-selling non-fiction book, Zero To One:

The act of creation is singular, as is the moment of creation, and the result is something fresh and strange.

How Can CYaPass Generate the Same Password Every Time?

It generates your password based upon two things:
  1. your site/key
  2. the pattern you draw. 
As long as you have the same value for your site/key and you draw the same pattern it doesn't matter if you're running the Android version or the Windows version, it will generate the same hash value password for you.

Here's the Android version running next to the Windows version.  You can see that when they both have the same site/key and pattern then the password hash is exactly the same.  It's not stored anywhere.  It's generated from those two data elements.



Alter The Site/Key Alters the Password

If you alter the site/key at all the generated password is altered, because it is generated off of new data.
In the next image you can see that I change the site/key from supersite to supersite1.  Even one character change alters the resulting password in a large way.



Changing the Drawn Pattern, Alters the Password

Of course if you change, just the pattern at all as I do in the next image you will see that even if the site/key has not changed, then the password is altered drastically also.  Notice that I both the Windows and Android apps are using the same site/key but I altered the pattern only on the Windows app, which alters that password.


Now The Passwords Match Again

Finally, I change the pattern on the Android app and that makes the passwords match again -- though they are, of course, different from the original ones since the pattern changed.


You can clearly see that these passwords are generated though they are not stored anywhere.
That's why you can generate the same values on two different systems even though they have no knowledge of each other.

Sign In From Any Device

That means as long as you know your site/keys and pattern you can re-generate your password on separate platforms so you can sign in from any device where you have the C'YaPass app.

How Hackers Crack Passwords (part 1)

All Memorized Passwords Are Inherently Weak

If you can memorize your password, it is because it is most likely based upon a mnemonic (memory device).

If your password is based upon a memory device, it is most likely based upon a natural language (English, Spanish, etc.) word. Humans tend to memorize based upon words since it is how we communicate.

Word-based Passwords Are Inherently Weak

However, if your password is based upon a word it is weak.

But, why is that true?  To understand the reason that word-based passwords are weak, we must take a look at the methods that hackers use to crack passwords.

One Way Hackers Crack Passwords

Brute Force Attack

Here are the steps that the hacker uses to do that:

  1. Obtain the site's database of passwords
  2. Generate passwords from a natural language dictionary of words
  3. Compare each generated word against the stolen database of passwords until successful

It's a little more difficult than this because most sites do not store their passwords in clear text but instead they also hash those passwords.

What's A Hash?

You can think of a hash as a one-way encryption technique.

That means the computer algorithm takes an input and will turn that exact input into one and only one output.

A simple diagram of this might look like the following:


In our example above, we use the ClearText (unencrypted) input of the letter a.

I've made the Hash Algorithm (in this case we are using SHA256 - Secure Hashing Algorithm) a black box in the diagram because we do not need to know the implementation details of how it works.

Every time we input the value a into the SHA256 algorithm we are guaranteed the output shown on the right.  

That value becomes a unique identifier for the value a.

One-Way Encryption : Hash

We can think of this as a one-way encryption.  But why do we call it a one-way encryption? That's because it is unfeasible that anyone can reverse the process to turn the hash value (ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb) back into the ClearText (the letter a in our case).

No Known Way To Reverse the Hash Value

Let me say that again. There is no known way to take the hash value and calculate what the original ClearText input was.
That's the power of a secure hashing algorithm.

For Every Input, There Is A Unique Output

Along with that, the hashing algorithm also guarantees that two different inputs will never produce the same hash output.
Even if the value is only changed by 1 bit of data (1/8th of a an ASCII character as it is stored on a computer).

That means if you hash the two long ClearText values shown below which differ by only one character the output hash will not be similar at all:
ClearTextHash
thisIsAReallyLongMessageForTestingTheHash9ef787ac41ec34065c69fecd7413a17ea5765ef1dc58f38d2e51d78917c5d371
thisIsAReallyLongMessageForTestingTheHash24a12d57aa0803a16ee84a82ec102686e9130918168327ad4ddee6ba66716a0ad

Most Sites Hash Your ClearText Password

This is how most modern sites now store your password.  They create a hash from the ClearText password that you've given them.  They then store that hash in their database along with your userId so they know which on it is associated with.
This guarantees that no one can every reverse the hash and discover your password.

Weak and Common Passwords

If you've been following along you may have thought about how you could go about attempting to break this.
Since a specific ClearText message produces only one SHA256 hash, you could create hundreds of passwords, hash them and then compare those hashes to what is in the site's database of passwords.
But this only works for weak and common passwords.

Dictionary Attack

That's exactly what the hackers do.  They generate hashes from every word in the natural language dictionary.

Let's look at an example table of how the hacker might do this (but of course you'll have to imagine that I have every word from the English dictionary available to me as the hackers do).

ClearTextHash
aardvark cf9c1cb89584bf8c4176a37c2c954a8dc56077d3ba65ee44011e62ab7c63ce2d
aphorism9238993bf1898c1a0de5f4f04c1a23000e848097b532a543dced7687444ea758
batteryf3d1701e1d575e1294786989517866986bc97343e07af63e201f46ba0be5806a
chinchilla2180cc6f060cdfb71a458b60f404f56d682abaf7efd3df81a957684ab3803f18
despise9272459bf48061da35d110383b95e5c3287320e40093a07e16227a719efede0c
earth7b74b418a352d67108173c20c1b16b4b726bad8606be65711ff924dbf9a40670
flavorb5d2f4515ba34f2f83f3a84e6958769f2b89b5ceca3fdfe1b4303eead3507daa
grind3026fac023c67598797c8c7da4ac6cf653f832b2c9de761d3922fb85ea086b1c
password10b14d501a594442a01c6859541bcb3e8164d183d32937b851835442f69d5c94e

Common Passwords

This is also why using a password that is commonly known to hackers, like password1, is so dangerous.  

Modern Computing Power
Modern computing power means that hackers can generate hashes for millions of possible passwords and compare each one of those hashes to their stolen password databases in very little time. 

Generating Passwords, Computing Hashes

Of course, with modern computing power, hackers are able to take multiple words from the dictionary, smash them together, and then compute  a hash from those longer passwords too, since they are still based upon natural language words.  They can do millions of these in a short period of time.

Replacing Vowels With Numbers

Since the hackers know the scheme a lot of people use wh3r3 th3y r3p1ac3 c3rta1n l3tt3rs with numbers, the hackers generate millions of passwords that mimic that too.  Once they mimic these patterns and generate the hashes they are bound to hit upon at least a few weak passwords out of the 500 million (according to Yahoo! that was the recent number) they've stolen.

Salting the Hash

There is another element of security that is generally applied to this also called salting the hash that would further scramble the hash, but I won't go into that here.

What Does This Mean?

This exposes the fact that passwords based upon natural language words are much weaker since the attacker can use all the words in the dictionary to generate passwords, hash them and check them. 

Main Point

 However, if you password were not based upon a word, it would be far less likely to be hacked.
This leads us to the fact that you really should create your passwords from some random list of characters and numbers.
For example, no hacker could guess your password is: 
bdb7085c1cd90f6cc1f44856131a56535c0e493188dc6919b0ef8e3b7cffaf8d
The hacker is not even going to try that, because it would take her too long to even mess with creating an algorithm that checks an almost infinite list of hashes.  There isn't enough computing power in the world to make this effective.
That is why your passwords should themselves be based upon a cryptographically strong hash.
That's what CYaPass does for you.

How Could You Remember Your Password?

It is unlikely that you could remember that hash above.  Of course there are people who can do it  But that would be more of a pain than just using the passwords you already use.
That's why you should use C'Ya Pass and forget all your passwords.

C'Ya Pass Generates Cryptographically Strong Hashes For You

All you have to do is 
  1. supply a site/key (to help you remember what the password is used for)
  2. Draw a pattern
C'Ya Pass will generate a password for you that is a SHA256 Hash.  That long password will be your actual password which will then (most likely) be hashed again by the target site you are logging into.  

Then, if the site you are logging into ever gets hacked it is unfeasible the hacker would be able to generate your original long hash password and be able to hack you.
That's how C'Ya Pass makes your passwords stronger and makes it so you never have to memorize a password again.