C'YaPass: Forget All Your Passwords

Never Memorize A Password Again
Never Type A Password Again
Never Make Up A Password Again

Microsoft Security Baseline: Stop Expiring Passwords

Microsoft has published new guidelines for passwords along with their latest release of Windows 10 v1903 and Windows Server v1903.

The (Bad) State of Passwords

One of the first things Microsoft mentions is the terrible state of passwords which are made up by humans.  Here's the Microsoft blog writer's take on it.

When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.

Removing Password Expirations

Microsoft is also admitting that the idea of forcing passwords to expire is ancient and makes no sense.

Again, the blog writer admits that their is no logic in expiring passwords in 60 or 90 days since the password may have been stolen at the beginning of the cycle and the cracker may have been using the password and associated account for a long time. 

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems.

The problem is that password expiration is even a problem for the network administrators. 

Stop Making Up and Memorizing Passwords

If you are still making up and memorizing passwords, I suggest you stop and make your life easier by using C'YaPass.  It is 100% Open Source code so you can examine everything it does.  It generates strong passwords for you for each site you want to login to. 

If you don't want to download anything, you can try it here at this site just to see how it works.

All the code runs in JavaScript on your client and nothing is passed over the network.  Password keys are stored in the LocalStorage of your browser and only that browser instance will have those.

Try it at: http://cyapass.com/js/cya.htm

Try it out today and make your life easier.  Once you decide you want to use it you can download the free Windows app and the free Android app.

Why Did I Create C'YaPass? Who Will Use It?

Passwords have become such a burden that many people escape them however they can.

Yet Another Password

Recently, my son began attending the local University.  I had to sign up for numerous new IDs during that time (a FAFSA fed id, another University ID tied to my son's, etc). 

How Real People Use Passwords

I was lamenting the problem of multiple IDs and passwords when my son's friend said, "You know what i do?"  Then without waiting she finished. "I just use one password for all of my accounts."

My jaw fell open and I said, "You are going to get hacked."

She said,

"Oh, I did.  My Facebook account got hacked.  You know what I did?  I just changed one letter in my password to an uppercase or something. It's just too much of a pain to think about all those passwords."

If you're tech savvy your first thought may be that someone who feels this way may not be intelligent.  I assure you this is a very smart person. She's an honors student at University.  This type of thinking may be naive, because the person believes it doesn't even matter if they do get hacked, but this is not about intelligence.  It's more about how annoying and overburdening passwords have become.

C'YaPass Is Perfect For Kids

It's perfect for kids who are probably going to take shortcuts to creating passwords. Get them to use it and help them have one more layer of security for their online accounts. 

You May Be Technically Savvy

You may be a technical savvy person who finds it easy to create cryptic passwords.  But most people are not great at it.  Help those people use C'YaPass.  

You May Have A Great Memory 

You may have the ability to memorize thirty different passwords to thirty different accounts but most people just take the path of least resistance. Those are the people that should be using C'YaPass.

You May Understand the Reality of Security

You may understand that there are real security issues and real hackers who can cause real problems if they get your information.  A lot of people just don't even consider the problem, because passwords are first and foremost a burden.

Those are the people I want to reach.  I want to give them any extra help to create the most secure accounts that I can.

I created C'YaPass to help everyone manage the overwhelming number of online accounts that most of us have now.  It's meant to be a simple tool that can be run universally (Windows, Android, soon-coming iOS (iphone / ipad).  

Manage All the Password Nonsense

Get it and use it for free.  I believe you'll find it serves to resolve a lot of the nonsense that is associated with the modern difficulty of password management.

How Hackers Crack Passwords (part 1)

All Memorized Passwords Are Inherently Weak

If you can memorize your password, it is because it is most likely based upon a mnemonic (memory device).

If your password is based upon a memory device, it is most likely based upon a natural language (English, Spanish, etc.) word. Humans tend to memorize based upon words since it is how we communicate.

Word-based Passwords Are Inherently Weak

However, if your password is based upon a word it is weak.

But, why is that true?  To understand the reason that word-based passwords are weak, we must take a look at the methods that hackers use to crack passwords.

One Way Hackers Crack Passwords

Brute Force Attack

Here are the steps that the hacker uses to do that:

  1. Obtain the site's database of passwords
  2. Generate passwords from a natural language dictionary of words
  3. Compare each generated word against the stolen database of passwords until successful

It's a little more difficult than this because most sites do not store their passwords in clear text but instead they also hash those passwords.

What's A Hash?

You can think of a hash as a one-way encryption technique.

That means the computer algorithm takes an input and will turn that exact input into one and only one output.

A simple diagram of this might look like the following:

In our example above, we use the ClearText (unencrypted) input of the letter a.

I've made the Hash Algorithm (in this case we are using SHA256 - Secure Hashing Algorithm) a black box in the diagram because we do not need to know the implementation details of how it works.

Every time we input the value a into the SHA256 algorithm we are guaranteed the output shown on the right.  

That value becomes a unique identifier for the value a.

One-Way Encryption : Hash

We can think of this as a one-way encryption.  But why do we call it a one-way encryption? That's because it is unfeasible that anyone can reverse the process to turn the hash value (ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb) back into the ClearText (the letter a in our case).

No Known Way To Reverse the Hash Value

Let me say that again. There is no known way to take the hash value and calculate what the original ClearText input was.
That's the power of a secure hashing algorithm.

For Every Input, There Is A Unique Output

Along with that, the hashing algorithm also guarantees that two different inputs will never produce the same hash output.
Even if the value is only changed by 1 bit of data (1/8th of a an ASCII character as it is stored on a computer).

That means if you hash the two long ClearText values shown below which differ by only one character the output hash will not be similar at all:

Most Sites Hash Your ClearText Password

This is how most modern sites now store your password.  They create a hash from the ClearText password that you've given them.  They then store that hash in their database along with your userId so they know which on it is associated with.
This guarantees that no one can every reverse the hash and discover your password.

Weak and Common Passwords

If you've been following along you may have thought about how you could go about attempting to break this.
Since a specific ClearText message produces only one SHA256 hash, you could create hundreds of passwords, hash them and then compare those hashes to what is in the site's database of passwords.
But this only works for weak and common passwords.

Dictionary Attack

That's exactly what the hackers do.  They generate hashes from every word in the natural language dictionary.

Let's look at an example table of how the hacker might do this (but of course you'll have to imagine that I have every word from the English dictionary available to me as the hackers do).

aardvark cf9c1cb89584bf8c4176a37c2c954a8dc56077d3ba65ee44011e62ab7c63ce2d

Common Passwords

This is also why using a password that is commonly known to hackers, like password1, is so dangerous.  

Modern Computing Power
Modern computing power means that hackers can generate hashes for millions of possible passwords and compare each one of those hashes to their stolen password databases in very little time. 

Generating Passwords, Computing Hashes

Of course, with modern computing power, hackers are able to take multiple words from the dictionary, smash them together, and then compute  a hash from those longer passwords too, since they are still based upon natural language words.  They can do millions of these in a short period of time.

Replacing Vowels With Numbers

Since the hackers know the scheme a lot of people use wh3r3 th3y r3p1ac3 c3rta1n l3tt3rs with numbers, the hackers generate millions of passwords that mimic that too.  Once they mimic these patterns and generate the hashes they are bound to hit upon at least a few weak passwords out of the 500 million (according to Yahoo! that was the recent number) they've stolen.

Salting the Hash

There is another element of security that is generally applied to this also called salting the hash that would further scramble the hash, but I won't go into that here.

What Does This Mean?

This exposes the fact that passwords based upon natural language words are much weaker since the attacker can use all the words in the dictionary to generate passwords, hash them and check them. 

Main Point

 However, if you password were not based upon a word, it would be far less likely to be hacked.
This leads us to the fact that you really should create your passwords from some random list of characters and numbers.
For example, no hacker could guess your password is: 
The hacker is not even going to try that, because it would take her too long to even mess with creating an algorithm that checks an almost infinite list of hashes.  There isn't enough computing power in the world to make this effective.
That is why your passwords should themselves be based upon a cryptographically strong hash.
That's what CYaPass does for you.

How Could You Remember Your Password?

It is unlikely that you could remember that hash above.  Of course there are people who can do it  But that would be more of a pain than just using the passwords you already use.
That's why you should use C'Ya Pass and forget all your passwords.

C'Ya Pass Generates Cryptographically Strong Hashes For You

All you have to do is 
  1. supply a site/key (to help you remember what the password is used for)
  2. Draw a pattern
C'Ya Pass will generate a password for you that is a SHA256 Hash.  That long password will be your actual password which will then (most likely) be hashed again by the target site you are logging into.  

Then, if the site you are logging into ever gets hacked it is unfeasible the hacker would be able to generate your original long hash password and be able to hack you.
That's how C'Ya Pass makes your passwords stronger and makes it so you never have to memorize a password again.