
Paranotic - for notes, for passwords

I want to share an unusual password manager (for Windows) that I wrote about a year ago. I think it is no longer embarrassing to show it, and perhaps it will find its users here: www.paranotic.com

A year ago, the number of my passwords for hosting sites, registrars, FTP and e-mail accounts exceeded the notorious 10% of my brain's capacity. Like many here, I generated passwords by my own algorithm so that I could always remember them, and I also had a set of “time-tested” and “historically formed” passwords.

Of course, I had a “file” in an encrypted container where I tried to save everything. In the end it all became terribly inconvenient and, most importantly, unsafe. So I started looking for a password manager ...

I did not review many, only the three most common ones, but I understood the trend and it did not quite suit me. I had a certain set of requirements for such a program; none of the ones I looked at met them completely, and their similarity discouraged me from looking further. The requirements were:

1. Daily backup to a web server.

So as not to worry about a lost flash drive and, alternatively, to be able to “get at” my passwords without having the coveted file at hand, but with access to the Network.

2. Data storage in an arbitrary text form, approximately as in a notebook.

I do not like these sets of fields! Data is not always limited to a login and password. There are all sorts of PINs, payment passwords, and so on. And then, it is often necessary to just jot down a few words and find them a month later.

3. Full-text search

For search I had strict requirements. I wanted to be able to find a note among hundreds of others by the first letters of its words. For example, "VTB Credit Card", no matter where these words occur in the note or in what order. I need to find the VTB credit card details! A list of recent searches is also needed, to minimize keyboard use.

4. Convenient, minimalistic interface.

Ideally it should be like a notebook that instantly appears at the right moment with focus on the search field. Plus all sorts of conveniences, such as copying data in one click (fewer movements, long live hypodynamia).

5. Naturally, a strong encryption algorithm and careful handling of data.

This item, fortunately, is met by all known password managers.

From words to deeds

Scratching the back of my head, I decided, as I often do, to do everything myself. First I needed to find a reliable and smart crypto module. The cherished DLL that met all the requirements was found on the green Australian meadows, from the guys at CryptoSys.net. After minor problems with payment, I received the valuable cargo.

The main requirement for the module (after the presence of the Blowfish algorithm) was the presence of the PBKDF2 function. As you know, the key with which data is encrypted is obtained with the help of some “strong” hash function, for example SHA-256: the password is hashed and the key is obtained. The same operation occurs during a brute-force attack, and what matters most in that search is speed. To reduce the speed of brute force, scientists came up with the Password-Based Key Derivation Function: roughly speaking, the password is hashed not once but, say, 1000 times, which is hardly noticeable when opening an encrypted file but very noticeable when enumerating passwords, since it requires 1000 times more operations for the same password length.
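To make the cost argument concrete, here is an added example (mine, not the program's code or the CryptoSys module) that implements PBKDF2 with HMAC-SHA-256 and counts the HMAC evaluations it performs while deriving a 448-bit Blowfish key; the salt and password are constructed sample values, and the result is cross-checked against Python's standard library.

```python
import hashlib
import hmac

BLOWFISH_KEY_BYTES = 56  # 448-bit key, the maximum Blowfish accepts


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, key_len: int):
    """PBKDF2 (RFC 8018) with HMAC-SHA-256 as the PRF.

    Returns (derived_key, prf_calls). Every 32-byte output block costs
    `iterations` HMAC evaluations, so a defender who raises the iteration
    count multiplies an attacker's per-guess work by the same factor.
    """
    digest_size = hashlib.sha256().digest_size
    block_count = -(-key_len // digest_size)  # ceiling division
    prf_calls = 0
    blocks = []
    for i in range(1, block_count + 1):
        # U_1 = PRF(password, salt || INT_32_BE(i))
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha256).digest()
        prf_calls += 1
        t = bytearray(u)
        # U_j = PRF(password, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            prf_calls += 1
            t = bytearray(a ^ b for a, b in zip(t, u))
        blocks.append(bytes(t))
    return b"".join(blocks)[:key_len], prf_calls


def derive_blowfish_key(master_password: str, salt: bytes, iterations: int = 1000):
    """Derive the 448-bit file key from the master password (salt is per file)."""
    return pbkdf2_hmac_sha256(master_password.encode("utf-8"), salt, iterations, BLOWFISH_KEY_BYTES)


def matches_stdlib(password: bytes, salt: bytes, iterations: int, key_len: int) -> bool:
    """Sanity check: our derivation must equal hashlib.pbkdf2_hmac."""
    ours, _ = pbkdf2_hmac_sha256(password, salt, iterations, key_len)
    return ours == hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample; a real file stores a random salt
    key, calls = derive_blowfish_key("correct horse", salt, 1000)
    print(len(key) * 8, "bit key after", calls, "HMAC calls")  # 448 bit key after 2000 HMAC calls
```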

Having settled on the “engine”, I began work on the program.
Next, the concept, point by point:

1. Data is stored in a single file, encrypted with one master password.

Nothing unusual here, just like most password keepers. Blowfish encryption algorithm, 448-bit key. Key generation: SHA-256 x PBKDF2.

2. Data is divided into notes.

Say, one note about hosting (login, password, registration e-mail, link to the control panel, support phone), another about a suspicious neighbor (what time he comes home, whom he brings + their phone), a third with the phone number of the State Department, the Cyprus account details, and so on.

Notes are displayed in full, as one continuous feed, like tweets, without any folders or grouping. There is, however, the ability to add tags. By default notes are sorted by relevance: the most current ones miraculously float to the top. There are other sort orders, for example newest, recently edited, etc.

3. The search query is divided into separate “words” by a space.

The search displays only notes containing all the searched “words”. “Words” is in quotes because each can be any part of a word or a whole word. Ideally I would like to take morphology into account, but I have not gotten around to that yet.

4. Autosave when creating and editing notes.

All clear here: edit the note and the changes are saved automatically. You can turn this off if you cannot live without Ctrl + S.

5. “Gentle” deletion of notes.

So that unnecessary or outdated notes do not clutter the general feed, you can safely delete them and, if necessary, find them in the Deleted tab.

6. Backup an encrypted file to the server.

This option may seem like a potential hole to many; I will not argue, and it is not imposed on anyone. I can only say that the file is sent over a secure connection and is itself already encrypted. If you use a reliable master password, then even if the database is stolen from the server, the probability of someone accessing your data tends to zero.

The recovery mechanism (getting the file from the server) is as follows:
When enabling the backup function, you specify an e-mail to which the file will be sent on request. Once a day, if there are changes, the file is uploaded to the server. If the file is lost, you go to paranotic.com/restore and request recovery. If the database contains files corresponding to the specified e-mail, a message with links to your files is sent to that e-mail. Download them and open them with your master password.

Note that I do not store e-mail addresses in the database in the clear, only a generously salted hash. So if attackers get hold of the database, they will not (quickly) be able to even obtain users' e-mail addresses. I mention this because someone who has obtained an e-mail address and a data file could try to trick its owner out of the password.

7. Quick access to data

As I have said more than once, a note may have an arbitrary format, but if you format the text in a certain way, you get additional options. For example, a line like:

Parameter: value

allows you to copy the value with one click. To visually hide passwords, just put an asterisk after the parameter name:

Password *: Simsim

After saving, this line will look like this:

Password *: ******

and to copy Simsim to the clipboard, you just need to click on the asterisks.
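The two note conventions described above, the space-separated substring search from item 3 and the "Parameter: value" / "Parameter *: value" quick-access lines from item 7, as an added example of my own rather than Paranotic's code. The sample notes are constructed, and the mask is a fixed six asterisks regardless of the value's length (an assumption; the post does not say whether the length is revealed).

```python
import re

# "Parameter: value" gives a one-click value; "Parameter *: value" is also masked on display.
FIELD_RE = re.compile(r"^(?P<name>[^:\n]*?)(?P<mask>\s*\*)?\s*:\s*(?P<value>.+?)\s*$")
MASK = "*" * 6  # fixed width so the rendered note does not leak the secret's length


def parse_note(text: str):
    """Return (display_lines, clipboard_values).

    display_lines is what the user sees after saving; clipboard_values maps a
    parameter name to the real value that a click on the line (or on the
    asterisks) copies to the clipboard.
    """
    display, values = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            display.append(line)  # free-form text stays as written
            continue
        name, value = m.group("name").strip(), m.group("value")
        values[name] = value
        display.append(f"{name} *: {MASK}" if m.group("mask") else f"{name}: {value}")
    return display, values


def search(notes, query: str):
    """Split the query into 'words' by spaces and keep only notes that contain
    every word as a substring, in any position and any order (case-insensitive)."""
    words = [w.lower() for w in query.split()]
    return [n for n in notes if all(w in n.lower() for w in words)]


# Constructed sample notes in the free-text style the post describes.
SAMPLE_NOTES = [
    "Hosting: example-host\nLogin: admin\nPassword *: Simsim",
    "VTB card\nNumber: 4000 0000 0000 0002\nPIN *: 1234\ncredit limit 100000",
    "Neighbor comes home around eleven",
]

if __name__ == "__main__":
    for hit in search(SAMPLE_NOTES, "credit vtb"):
        print("\n".join(parse_note(hit)[0]), end="\n\n")
```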

8. Hot keys

When editing or viewing a note, you can press hotkeys to quickly create, for example, a Login-Password-URL note.

Ctrl + L - insert Login:
Ctrl + P - insert Password:
Ctrl + G - generate a password (if you press Ctrl + G several times in a row, the generated password becomes more complex).

9. Hiding program window.

The Paranotic window can be moved to the edge of the desktop, and then it will comically slide off the screen so as not to interfere with your work. To make it jump back out, just move the mouse to the edge of the screen. If necessary, you can pin the window with the Fix button so that it does not hide.

10. Automatic file lock.

Leaving the file open is, you will agree, not advisable, even if you stepped out for 10 minutes for lunch or to see the boss about a raise. Therefore, the file is locked after a certain idle time or when the program window is closed. But entering a complex master password every time is also torture ...

To solve this dilemma, a mechanism called QuickPin was introduced: a short numeric PIN code that unlocks the file, but which only works after the file has been opened with the password. That is, once in the morning you enter the password, and then, until the program is restarted, you can unlock the file with QuickPin.

11. Cover your tracks, remove the witnesses.

The program has many features that will please chronic paranoids, for example clearing the memory dump every time the file is locked, and turning off the display of the last files opened in Paranotic (recent files).

By the way, KeePass has a feature: a special field for entering the master password, so that nobody can intercept the entered password ... I wanted that too, until I intercepted the password being entered into KeePass with a crude logger of pressed keys. So I dropped this feature and the password is entered in an ordinary password field. Perhaps this is the weakest point of all password keepers. But I hope everyone here already uses antivirus.

How to use it all?

In a nutshell, here is how I use Paranotic: I have a mobile phone that I use as a flash drive, and it stores the encrypted file. At work I connect the phone to the computer, Paranotic pops up and asks for the password. I enter the password and close Paranotic. If during work I need to write something down: mouse to the left until it stops (Paranotic jumps out), enter the PIN code, and that's it! The notes are open; I write down or look up what I need. Disconnect the phone from the computer, Paranotic closes, the dump is cleared. Very comfortable.

Finally

These main features were implemented in the first version of Paranotic. Then all sorts of small things appeared, which I still see no point in describing. Try it and you will understand; everything is clear. Plus, there is a short video on the site.

What are the future plans?

The plans include a web-based mobile interface, including the ability to synchronize the local file with data in the web storage. Research on this topic is already underway.

Thanks for your comments and remarks.

Source: https://habr.com/ru/post/115240/
