C'YaPass: Forget All Your Passwords

Never Memorize A Password Again
Never Type A Password Again
Never Make Up A Password Again

How Hackers Crack Passwords (part 1)

All Memorized Passwords Are Inherently Weak

If you can memorize your password, it is because it is most likely based upon a mnemonic (memory device).

If your password is based upon a memory device, it is most likely based upon a natural language (English, Spanish, etc.) word. Humans tend to memorize based upon words since it is how we communicate.

Word-based Passwords Are Inherently Weak

However, if your password is based upon a word it is weak.

But, why is that true?  To understand the reason that word-based passwords are weak, we must take a look at the methods that hackers use to crack passwords.

One Way Hackers Crack Passwords

Brute Force Attack

Here are the steps a hacker follows in this kind of attack:

  1. Obtain the site's database of passwords
  2. Generate passwords from a natural language dictionary of words
  3. Compare each generated word against the stolen database of passwords until successful

It's a little more difficult than this because most sites do not store their passwords in clear text; instead they hash those passwords.

What's A Hash?

You can think of a hash as a one-way encryption technique.

That means the computer algorithm takes an input and will turn that exact input into one and only one output.

A simple diagram of this might look like the following:


In our example above, we use the ClearText (unencrypted) input of the letter a.

I've made the Hash Algorithm (in this case we are using SHA256, a Secure Hash Algorithm) a black box in the diagram because we do not need to know the implementation details of how it works.

Every time we input the value a into the SHA256 algorithm we are guaranteed the output shown on the right.  

That value becomes a unique identifier for the value a.

One-Way Encryption : Hash

We can think of this as a one-way encryption.  But why do we call it a one-way encryption? That's because it is infeasible for anyone to reverse the process and turn the hash value (ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb) back into the ClearText (the letter a in our case).

No Known Way To Reverse the Hash Value

Let me say that again. There is no known way to take the hash value and calculate what the original ClearText input was.
That's the power of a secure hashing algorithm.

For Every Input, There Is A Unique Output

Along with that, the hashing algorithm also guarantees that two different inputs will never produce the same hash output.
This holds even if the value is changed by only 1 bit of data (1/8th of an ASCII character as it is stored on a computer).

That means if you hash the two long ClearText values shown below, which differ by only one character, the output hashes will not be similar at all:

ClearText                                    Hash
thisIsAReallyLongMessageForTestingTheHash    9ef787ac41ec34065c69fecd7413a17ea5765ef1dc58f38d2e51d78917c5d371
thisIsAReallyLongMessageForTestingTheHash2   4a12d57aa0803a16ee84a82ec102686e9130918168327ad4ddee6ba66716a0ad

Most Sites Hash Your ClearText Password

This is how most modern sites now store your password.  They create a hash from the ClearText password that you've given them.  They then store that hash in their database along with your userId so they know which one it is associated with.
This guarantees that no one can ever reverse the hash and discover your password.

Weak and Common Passwords

If you've been following along you may have thought about how you could go about attempting to break this.
Since a specific ClearText message produces only one SHA256 hash, you could create hundreds of passwords, hash them and then compare those hashes to what is in the site's database of passwords.
But this only works for weak and common passwords.

Dictionary Attack

That's exactly what the hackers do.  They generate hashes from every word in the natural language dictionary.

Let's look at an example table of how the hacker might do this (but of course you'll have to imagine that I have every word from the English dictionary available to me as the hackers do).

ClearText    Hash
aardvark     cf9c1cb89584bf8c4176a37c2c954a8dc56077d3ba65ee44011e62ab7c63ce2d
aphorism     9238993bf1898c1a0de5f4f04c1a23000e848097b532a543dced7687444ea758
battery      f3d1701e1d575e1294786989517866986bc97343e07af63e201f46ba0be5806a
chinchilla   2180cc6f060cdfb71a458b60f404f56d682abaf7efd3df81a957684ab3803f18
despise      9272459bf48061da35d110383b95e5c3287320e40093a07e16227a719efede0c
earth        7b74b418a352d67108173c20c1b16b4b726bad8606be65711ff924dbf9a40670
flavor       b5d2f4515ba34f2f83f3a84e6958769f2b89b5ceca3fdfe1b4303eead3507daa
grind        3026fac023c67598797c8c7da4ac6cf653f832b2c9de761d3922fb85ea086b1c
password1    0b14d501a594442a01c6859541bcb3e8164d183d32937b851835442f69d5c94e

Common Passwords

This is also why using a password that is commonly known to hackers, like password1, is so dangerous.  

Modern Computing Power

Modern computing power means that hackers can generate hashes for millions of possible passwords and compare each one of those hashes to their stolen password databases in very little time.

Generating Passwords, Computing Hashes

Of course, with modern computing power, hackers are able to take multiple words from the dictionary, smash them together, and then compute a hash from those longer passwords too, since they are still based upon natural language words.  They can do millions of these in a short period of time.

Replacing Vowels With Numbers

Since the hackers know the scheme a lot of people use wh3r3 th3y r3p1ac3 c3rta1n l3tt3rs with numbers, the hackers generate millions of passwords that mimic that too.  Once they mimic these patterns and generate the hashes they are bound to hit upon at least a few weak passwords out of the 500 million (according to Yahoo! that was the recent number) they've stolen.

Salting the Hash

There is another element of security, called salting the hash, that is generally applied as well and further scrambles the hash, but I won't go into that here.

What Does This Mean?

This shows that passwords based upon natural language words are much weaker, since the attacker can use all the words in the dictionary to generate passwords, hash them and check them.
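As an added illustration (not code from this post or from C'Ya Pass), here is a Python check a site or password manager could run before accepting a new password. It uses a constructed nine-word list in place of the full dictionary, undoes the digit-for-letter substitutions described above, tests whether what remains is one or more dictionary words, and looks the candidate's SHA256 up in a precomputed list of weak-password hashes; it also counts how many hex digits change when one character of the input changes.

```python
import hashlib
import itertools
import re

# Constructed sample: a tiny stand-in for the full natural-language word
# list the post describes; a real check would load a much larger list.
DICTIONARY = {"aardvark", "aphorism", "battery", "chinchilla", "despise",
              "earth", "flavor", "grind", "password"}

# Digit/symbol-for-letter substitutions ("wh3r3"); "1" is ambiguous,
# so every entry maps to the list of letters it may stand for.
LEET = {"0": ["o"], "1": ["i", "l"], "3": ["e"], "4": ["a"], "5": ["s"],
        "7": ["t"], "@": ["a"], "$": ["s"]}

def sha256_hex(text: str) -> str:
    """SHA-256 of a string as the 64-hex-character value shown in the post."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def differing_hex_digits(text_a: str, text_b: str) -> int:
    """How many of the 64 hex digits differ between the hashes of two inputs."""
    return sum(x != y for x, y in zip(sha256_hex(text_a), sha256_hex(text_b)))

def undo_leet(candidate: str) -> set:
    """Every spelling obtained by reversing the LEET substitutions."""
    choices = [LEET.get(ch, [ch]) for ch in candidate.lower()]
    return {"".join(p) for p in itertools.product(*choices)}

def splits_into_words(s: str, words: set) -> bool:
    """True if s is one dictionary word or several smashed together."""
    if s == "":
        return True
    return any(s.startswith(w) and splits_into_words(s[len(w):], words)
               for w in words)

def is_word_based(candidate: str, words=DICTIONARY) -> bool:
    """True if a dictionary attack of the kind described above would reach
    this password: words, joined words, leet spellings, trailing digits."""
    cores = {candidate, re.sub(r"\d+$", "", candidate)}  # with/without digits
    return any(splits_into_words(v, words)
               for core in cores if core for v in undo_leet(core))

def in_weak_hash_list(candidate: str, words=DICTIONARY) -> bool:
    """The post's hash comparison, used defensively: look the candidate's
    hash up in precomputed hashes of weak passwords (word and word+"1")."""
    weak = {sha256_hex(w) for w in words} | {sha256_hex(w + "1") for w in words}
    return sha256_hex(candidate) in weak
```

A 64-character hash-style password such as the one later in this post passes both checks, while battery, b4tt3ry, earthflavor and p@ssw0rd1 all fail.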

Main Point

However, if your password were not based upon a word, it would be far less likely to be hacked.
This leads us to the fact that you really should create your passwords from some random list of characters and numbers.
For example, no hacker could guess your password is: 
bdb7085c1cd90f6cc1f44856131a56535c0e493188dc6919b0ef8e3b7cffaf8d
The hacker is not even going to try that, because it would take her too long to even mess with creating an algorithm that checks an almost infinite list of hashes.  There isn't enough computing power in the world to make this effective.
That is why your passwords should themselves be based upon a cryptographically strong hash.
That's what CYaPass does for you.

How Could You Remember Your Password?

It is unlikely that you could remember that hash above.  Of course there are people who can do it.  But that would be more of a pain than just using the passwords you already use.
That's why you should use C'Ya Pass and forget all your passwords.

C'Ya Pass Generates Cryptographically Strong Hashes For You

All you have to do is:
  1. supply a site/key (to help you remember what the password is used for)
  2. draw a pattern

C'Ya Pass will generate a password for you that is a SHA256 Hash.  That long password will be your actual password, which will then (most likely) be hashed again by the target site you are logging into.

Then, if the site you are logging into ever gets hacked, it is infeasible that the hacker would be able to generate your original long hash password and be able to hack you.
That's how C'Ya Pass makes your passwords stronger and makes it so you never have to memorize a password again.


Easiest Way To Get Started With CYaPass

Get The Windows Version

The easiest way to try out C'Ya Pass is probably to get the Windows version. The download is less than 1 Megabyte and it will only take about 30 seconds to install it.  

You can download the installation package directly at: http://www.cyapass.com/downloads/CYaPassInstall_v120.zip 

If you want more details on how Windows (10) might try to stop you from downloading that and what the installation looks like as it runs then check out: http://cyapass.com/page/get-c-yapass

If you want to know absolutely everything the installation package does then check out: http://cyapass.com/post/what-is-installed-cyapass-for-windows

Try It With One Password

Once you get the app, I suggest you just try it with one password. 
All you have to do is add a site/key which will help you remember what you use the password for.  
You just click the [Add] button and type your site/key.  
It'll look like the following:


Click the [OK] button and you'll see that the item is now highlighted.


All you have to do now is draw a pattern that contains at least two points, by clicking the red posts in the grid.

When you do, you'll see a strong password appear.

Copied To Clipboard For Easy Use

When the password is generated, it is also copied to your clipboard for ease of use.
That way, all you have to do is move to your target site and paste it in the password field.



Once you try it out with one password I believe you'll find the app to be extremely easy to use.

When You Add More Sites/Keys It Gets Easier To Use

When you add a new site/key C'Ya Pass generates a new unique password for that site using your same pattern.
I'll add a new one named supersite.


Now, when I click the [OK] button, notice that I have a new generated password (and it's copied to the clipboard for me).


It's that easy to start Forgetting All Your Passwords.

What Is Installed : CYaPass for Windows

100% Transparency

I've been a software developer for almost 25 years now and I'm very protective about the software I install on my computer, and you should be too.  That's why I want to let you know exactly what happens when you install C'Ya Pass on your Windows computer.

What Is Actually Installed?

Only two things are actually installed.
  1. CYaPass.exe (the actual Windows app)
  2. Newtonsoft.json.dll (a helper library which provides some functionality for saving CYaPass data; more about that data below)
Here's a snapshot of the program installed on my computer.

You can see that, by default, it installs into your ProgramFiles(x86) directory. There are a couple of other files in there, but those are related to the installation so you can easily uninstall the application from Programs & Features in Windows. That's probably because I use the free installation package creator called InnoSetup.

C'YaPass Only Creates One File

Once you run C'Ya Pass it will create one file when you create a new site/key.  Site/keys are the text strings that you use to remember which password goes with each of your logins. They are saved so that once you create them you don't have to create them each time you use the program. You can see the site/keys I'm talking about at the top left of the next image, where I've highlighted one (yahooMail).


Where Are Those Values Saved? 

I save those values in a file in the JSON format (that's why I use the Newtonsoft.json.dll). When you add the first one I create a new file in a folder in your Windows AppData folder.  That's the location suggested by Microsoft.

Here's what it looks like on my computer:

Yours will be slightly different, but you can get to that folder if you go to File Explorer and type the following: %localappdata%\100 Percent Accountability, LLC  <ENTER>

The cyapass.json file is straight JSON, nothing special there.  And it's very simple. Here's what mine looks like right now when opened in an editor:


Very simple.  I hope this clears up all the questions and worries you might have about installing software that you don't know about. It's probably way more than you ever wanted to know. :)

VirusTotal.com Check

You can also upload the zip and the installation exe and all of the installed components to VirusTotal.com and you'll see that it verifies that they are virus free. Try it at: http://virustotal.com A couple of them will display a false positive that looks like the following and could scare you:

However, I found that this seems to occur with this particular virus scanner and software built with Visual Studio Community 2015 (which is what C'Ya Pass Windows was created with).