Lost Minds
macOS and iOS software

DotPass Security discussion


This is a security discussion about the password app DotPass available for macOS and iOS (iPhone and iPad).

DotPass product page


As with all security solutions this one has both benefits and drawbacks. Depending on the situation, it's up to you to decide if the benefints outweigh the drawbacks.

Benefits

Reasonably good unique passwords
First, DotPass makes it easy for you to generate reasonably good passwords that are different for each account. The passwords will be strong enough to withstand basic brute-force attacks (especially if you use the 18-character password option), and if an attacker gets a hold of one of your passwords they cannot use it for any other accounts. As the app uses standard cryptographic hash functions to generate the passwords, it will also be difficult to deduce the pattern and seed you've used, even if the attacker knows a resulting password.

Retrievable passwords without risk of data loss
Second, as long as you remember the pattern you've designed and your account seed words you can retrieve your passwords by just entering them again. This is done without your passwords, patterns or seed words being stored on your device/computer or sent anywhere on the internet, so there is no password data that could be stolen by an attacker or lost in a hardware failure.

Make multiple new passwords with a single change to remember
Third, if you've used the app to generate passwords for multiple accounts it's easy to change all your passwords at the same time. All you need to do is to decide on a new pattern and you can use the same seed words that you've used before to generate new passwords for all your accounts.

Drawbacks

Hard to remember for manual entry
The first drawback of this system is that the passwords generated will be random-looking and therefore hard to remember. So for passwords you need to enter manually often they will not be ideal. However, many passwords are seldom used, and you can usually use automatic password managers to help you remember and fill in passwords you use often. The same goes for the 18-character password option. While this makes the password a lot more secure, it makes it cumbersome to enter manually if you can't copy and paste the password into the field.

Pseudo-random is not really random
The second drawback is that the passwords generated by this app are not actually random. So an attacker who knows you use this app could potentially reverse-engineer the way it generates passwords, try to guess what seed words you've used and then try all possible or likely pattern combinations for this seed word in a brute-force attack. While there are a lot of possible pattern combinations and even more combinations with plausable seed words, this is still significantly fewer combinations than a truly random password string of the same length.

To give you some numbers in a rough estimate DotPass can generate 10^16 different outputs based on the possible combination of seed words and patterns (that's one million billions), while there are about double that amount of possible combinations for a nine character string using the same character set. And for a 18 character string with the same set you would have a lot more combinations, something along the lines of 3 * 10^32, in other words one million billions times more.

There are many ways to make this sort of attack more difficult, see some tips below. But realistically, if you need security that strong you probably shouldn't be using an app for your passwords at all.


Disclaimer

The passwords generated by this app are in no way guaranteed to be secure or unbreakable by hackers. This app is only a tool that generates passwords from a combination of a pattern and a string. How you chose to use these passwords is your responsibility.



Q & A

Q: I'm worried about someone else seeing the pattern I enter when I use the app, what can I do?

A: Indeed, just like with your passwords you should try to keep your pattern and seed words secret and make sure that nobody is looking over your shoulder when you enter them. If you worry about this you can use the privacy settings in the app to hide the pattern and/or seed word after entry.


Q: The passwords generated by this app are hard to remember, and it's cumbersome to use the app each time I need to login somewhere. Is there an easier way?

A: For passwords you need to enter manually often this system is probably not ideal for this reason. But in most cases you can use the built-in password managers that exist in most modern browsers and operating systems to help you remember your passwords and fill them in during normal use. So you only need to use this app when you're creating new accounts or changing your passwords, or for passwords you very rarely need to enter.


Q: Different sites have different requirements for passwords, will the passwords generated by this app fit them all?

A: Probably not, since some sites have very strange and unusual requirements. However, the format of the passwords generated in the app is chosen to fit as many systems as possible while still being reasonable good and practical to use.


Q: So, what format and rules do the passwords conform to?

A: The passwords generated by DotPass are always nine (9) or eighteen (18) characters long depending on the current setting, they always have uppercase letters, lowercase letters and numbers in them. Sometimes they will also have some common special characters, like &!#? etc..


Q: If I forget my pattern or seed words, is there any way to get my password back?

A: No. Since nothing about your passwords is stored on your device or anywhere else you have to remember these things in order to get your password back.


Q: How can I make it easier to remember my pattern?

A: A good way to make it easier to remember your pattern is to simply practice drawing it in the app now and then. This could be a good practice especially when you've designed a new pattern, plus you get to play with the nice colors in the app. Another more old-school way could of course be to physically draw the pattern somewhere you can check if you forget it. While this could be a security risk if someone finds it, depending on how you draw it and what your pattern looks like someone else who finds it might not realize what it is.


Q: I'm interested in the technical algorithm used to generate the passwords, can I trust that it doesn't have any bugs in it that makes it vulnerable to attack? How does it work?

A: We cannot guarantee 100% that there are no such flaws in the algorithm, but by using well tested industry standard cryptographic hash functions we've tried to minimize this risk. While we won't tell you exactly how it's done here's the basic procedure: First a text string is created by combining your seed word with a unique description of your pattern. This string is then passed to a standard hash function that does the actual scrambling. The values in the resulting hash digest are then mapped to the character set used by the app to make the password, in a way that makes sure it conforms to the format standard described above.


Q: I'm really security conscious, what can I do to make my passwords more secure?

A: As a first step you should try to keep it a secret that you use this app for your passwords (or for what passwords). Maybe not so good for our marketing, but probaly best for your security. Without knowing you use this system an attacker will not be able to exploit any inherit weaknesses in the system.

Second, you can try to use asymmetrical patterns with a lot of lines, and slightly altered seed words to generate your passwords. For example adding extra "salt"-characters before or after, like "facebook1" instead of "facebook", or "mytwitter" instead or just "twitter". This will will make it much more difficult for an attacker to guess your seed and pattern combination.

Third, you could chose to use slightly altered versions of the passwords this system gives you. For example adding or changing a few characters according to some rule you make up. All these techniques will add additional layers of security, but of course also make it harder to remember how to retrieve your passwords.


Q: I'm really really security conscious, should I really trust this app for my passwords?

A: Well, you don't really have to trust the app with anything as it doesn't store anything for you. In a sense it's like a complicated set of dice that lets you come up with reasonably good passwords that you can retrieve if you need them again. But if you're really paranoid, perhaps it's not for you. But you could still get DotPass and have it as a decoy, making all your real or imagined attackers think you use this app to generate your passwords, hiding your real password system!