Friday, September 18, 2020

KeyReel's Founder Highlighted In Entrepreneur's Article on The Future of IT Security


As quarantine measures continue to be implemented globally, many businesses continue to operate virtually. Every day, employees access sensitive business-related accounts, which are not always secured with unique and complex passwords, from vulnerable environments. According to the sources referenced in the article, 2020 is on its way to being a record year for data breaches.

KeyReel founder Olek Senyuk was given the spotlight on Entrepreneur's platform this past Wednesday. The article proposed new approaches to the future of IT security, highlighting the realities mentioned above: this year's increased number of cyber attacks and the increased risk of computer infection against the backdrop of decentralized business operations due to the pandemic.

Find out how Olek suggests businesses large and small should best approach these security challenges at the link below:

Saturday, July 25, 2020

The Twitter Hack: What We Should Really Be Worried About


Of course it was a surprise to log onto Twitter two weeks ago to find that over a hundred accounts had been hijacked, but sadly, hacking is so commonplace today--even of large companies that hold vast quantities of personal information--that it's only somewhat interesting.

Most people kept tweeting, with only cursory reminders and jokes about passwords and password managers. And after the hack was brought under control, activity returned mostly back to normal.

Twitter's statement indicates the hacker got access to the tools used to access the accounts that were hacked via a social engineering scam that involved employees. Apparently, over 1,000 employees at Twitter had access to these tools. There are several facts still in question. 

One is why over a thousand employees had access to tools that allow such control over the company's user-facing system, and whether their use of these tools is audited, as is common practice. 

A second is how the alleged social engineering took place. 

But that's not the point.

Friday, July 24, 2020

KeyReel's Monthly 5-Plus-One Story Roundup


Five items of interest from the past 30 days about safety, privacy, and technology that you should see. Plus one of our own.

  1. Stealthbits with Troy Hunt: The History of Passwords. Presentation by Troy Hunt. Security isn't about the lock itself. It's about the mindset employed by the person trying to get in.

  2. Before You Use A Password Manager. Part I of a two-part series by Stuart Schechter. Consider the strengths and weaknesses of any password manager. Using it irresponsibly could be your downfall.

  3. Before You Turn On Two-Factor Authentication. Part II of a two-part series by Stuart Schechter. Read on if you've decided on a password manager and you're wondering whether 2FA is worth the headache.

  4. Why Is 3sYqo15hiL Such A Popular Password? Hey, you must know at least one person who uses it.

  5. Secrets, lies and Snowden's email: why I was forced to shut down Lavabit. How Edward Snowden's private email provider learned the reality of privacy in the US.

Monday, July 6, 2020

4 Ways Hackers Steal Data And How To Protect Yours

Old joke: The average user types the correct password after the fifth attempt, but an average hacker picks it up from the third. Yeah, we don't think it's funny, either.

Everyone wants to avoid being hacked because of the devastation identity theft can cause. But the truth is, unless you're a multi-millionaire, you are unlikely to become an isolated target of a cyber attack. Still, no one can resist low-hanging fruit. If your accounts are vulnerable, they're likely to be hacked simply because it was too easy not to.

Sunday, June 28, 2020

Limited Quantity offer: KeyReel Premium Free!

We’re trying to bring stress-free cybersecurity to everyone who uses the web. To do that, we need to spread the word about KeyReel. There are two ways you can help, and get the full KeyReel Premium app free:

App Store Review

Download KeyReel Premium from the App Store or the Google Play Store, put it through its paces, and leave a review on the app store you downloaded it from. Then email us a screenshot of the review you left.

Social Media Post

Download KeyReel Premium from the App Store or the Google Play Store and let your social network know you’ve done it with a tweet or Facebook post. You can either tag our Facebook or Twitter account, or email us a screenshot of your post.

You'll receive a code to get the full app free. If you enjoy using KeyReel, please don’t forget to make sure your friends have a chance at this limited opportunity: we’re only offering 100 free apps.

Thank you so much for your support; we hope you’ll enjoy KeyReel Premium on us for a lifetime.

Monday, June 22, 2020

KeyReel extension is available for 7 browsers

We developed KeyReel aiming to make it the most private security assistant available. It stores passwords only on your phone and, unlike similar apps, does not store passwords in the cloud or copy them between devices. So it made sense to also support the browsers with the best privacy options, like Firefox or Brave.

Chrome was the de facto choice for a multi-platform browser for quite some time. However, privacy concerns about Chrome have been accumulating, most recently with the discovery that it tracks users' actions in Incognito mode.

More and more users are looking into other browser options that provide better privacy and security. Firefox has added a number of safe-browsing features in the past few years. Brave and Vivaldi, in addition to great privacy features, also offer superior built-in ad blocking, which makes browsing faster and more enjoyable.

Today, we are happy to announce the new release of KeyReel with direct support for seven popular browsers: Chrome, Edge, Safari, Firefox, Opera, Brave, and Vivaldi. Update to the latest version of KeyReel for Mac/Windows to install the extension for your favorite browser.

Not using KeyReel yet? Why not try out all the Premium features for free for 90 days? Download it now!

Monday, May 18, 2020

KeyReel for iPhone Premium has arrived!

One year has passed since we released a "production ready" version of KeyReel for iPhone. It has proven to be a robust and handy password manager app which delights users with a frictionless login experience.

The time has come to introduce a separate Premium version of KeyReel. It is available now as a monthly or yearly subscription. The free version is still available and includes all standalone features, including the built-in authenticator.

The subscription version allows remote Windows and Mac clients to connect to the phone. It includes all related features, like protected sites, automatic authenticator login and password clipboard sharing. We also offer an outstanding 90-day free trial of the Premium version. More details can be found on our pricing page.

The cost of the Premium version will allow us to fund new awesome features. It will also help increase the trust of new users, as our customer feedback has clearly indicated that users trust their credentials to paid apps more than to free apps.

Please join us in celebrating this fundamental milestone for KeyReel!

Truly yours,
KeyReel Team

Thursday, April 30, 2020

How strong should Master Password be?

KeyReel has a distinct difference from most password manager apps. While other password managers require entering the master password regularly, KeyReel needs a password only to recover the database from a backup on a new phone. The problem of selecting a good recovery password is similar to the problem of choosing a master password, though, because the encryption key for the backup file is derived from the recovery password.

The key difference between a master password and a recovery password is the usage pattern: since the recovery password is entered only as often as you change your phone, we don't really need to optimize it for memorization or typing. Instead, you should write it down and store it in a safe box at your home or bank (or in the 4th volume of "War and Peace", where it will never be looked for :)

So how strong should a password be?

You can find tons of advice on the Internet, like "a strong password has at least 12 characters", "at least one capital and one lower-case letter and a digit", "must include special symbols !@#$", etc. You can find a number of articles saying that an 8-character password can be cracked in seconds. However, these calculations do not apply to master passwords! These articles usually refer to the SHA-256 and SHA-512 hashing algorithms, which should never be used for master passwords.

The password should be so strong that it would be too expensive to crack. Would you call a password strong if it would cost a billion dollars to crack? The cost of cracking depends a lot on the password hashing algorithm chosen.

Spoiler: our lower-bound estimate is that cracking a KeyReel backup file protected with a 12-character randomly generated password consisting of capital letters and digits costs at least 2 trillion US dollars. This is enough for any use!

Digging into details

(Warning: article contains a fair amount of math :)

The length of the password and the character set used define how many combinations a cracker would need to try to guess the password. For example, if the possible character set includes 26 capital letters, 26 lower-case letters and 10 digits, then the character set is 26+26+10=62 characters. The total number of possible combinations for an 8-character password is 62^8 ≈ 2.18×10^14, or over 218 trillion combinations.

We estimate the total cost of a potential brute-force attack by calculating the number of combinations and estimating dollar amount of a single combination attempt.

KeyReel uses Argon2 hashing algorithm with 6 iterations, 128 MB RAM and 2 parallel threads. It takes ~1 second to run on 2 CPUs of Pixel 2 phone. We have specifically used this phone as a baseline, since it is not too old, not too new. A second spent on password hashing during installation or recovery would not affect user experience.

By our estimates the cost of trying 1 billion combinations is ~$1,700 (see details at the end of the post). Trying 218 trillion combinations would cost 218,000*$1,700=$370,000,000 (or 370 million dollars). And to try all the combinations within 1 year a cracker would need to run over 28,000 of the most powerful AWS compute-optimized instances.

For a comparison, here is a reference table of estimated brute-force cost for various password parameters.

Length | Character set                  | Approx. combinations | (header missing) | Est. cost
10     | 62 (a-z, A-Z, 0-9)             | 10^18                | 220,000,000      | $1.4 trillion
9      | 62 (a-z, A-Z, 0-9)             | 10^16                | 3,500,000        | $23 billion
8      | 62 (a-z, A-Z, 0-9)             | 10^14                | 57,600           | $370 million
8      | 92 (a-z, A-Z, 0-9, !@#$%...)   | 10^15                | 1,300,000        | $8 billion
12     | 36 (A-Z, 0-9)                  | 10^18                | 1,250,000,000    | $8 trillion
10     | 36 (A-Z, 0-9)                  | 10^15                | 900,000          | $6 billion
12     | 32 (A-Z without I and O, 2-9)  | 10^18                | 300,000,000      | $2 trillion

For the KeyReel Restore Key generator we chose the configuration with 12 characters and 32 possible characters each. We decided to avoid ambiguous characters, like the digit 0 and the letter O, or the digit 1 and the letter I. Dividing the generated sequence into 3 groups, like "3LDB-W4F9-3JHX", makes it easier to read, write or type. It is still too expensive to crack to worry about it in the next few decades.

Does using special symbols help?

As you can see from the table above, special symbols do not help much. Even if we use an additional set of 30 special symbols available on US keyboard layouts, the total number of combinations for an 8-character password is still smaller than for a 9-character password that does not include special symbols. The effort of typing special characters on mobile devices is just not worth it.

What about using words and phrases in passwords?

This is quite a large topic on its own and we will cover it in a separate post.

What about other password managers?

There is no single standard, and various password managers use different algorithms with various parameters. Nowadays the most used algorithms are PBKDF2, Scrypt and Argon2. PBKDF2 is the oldest and also the cheapest one to crack due to the availability of specialized hardware. Argon2 is the winner of the Password Hashing Competition in 2015 and the most recommended by the community. You can learn more about the various algorithms in this article on Medium.

Below is the list of various password managers and the algorithms they use. To compare the speed of hashing we ran benchmarks for each algorithm on the same test machine. The slower the hashing, the more costly it is to crack.
  • KeyReel uses Argon2d with 6 iterations, 2 threads, 128MB RAM (~0.8s)
  • Dashlane uses Argon2d by default with 3 iterations, 2 threads, 32 MB RAM (~0.1s)
    • also supports PBKDF2-SHA2 with 200,000 iterations (0.01s)
  • LastPass uses PBKDF2-SHA256 with 100,100 iterations (0.005s)
  • 1Password uses PBKDF2-SHA256 with 100,000 iterations (0.005s)
  • KeePass uses AES-KDF with 60,000 iterations by default - (0.002s)
    • can be configured automatically based on 1-second performance test (needs ~25,000,000 iterations to be secure)
    • also supports Argon2 with configurable parameters. Defaults are 2 iterations, 2 threads, 1MB RAM (0.003s)
Note that SHA256/AES are much faster and cheaper to run on GPUs or specialized ASIC hardware. Argon2 is resistant to GPUs, which makes it a better choice for hashing passwords.

Estimation of a brute-force attack cost 

As mentioned above, KeyReel uses the Argon2 password hashing algorithm, which takes ~1 second when executed on 2 CPU cores in parallel on a Pixel 2 or iPhone 7. It would take a bit more on older phones and a bit less on the latest generation of phones (up to ~30% faster). For the sake of our calculations we will lower the number to 0.4 seconds on a single CPU, to account for advances in hardware and software optimizations.

To estimate the cost, we use the public price of the most powerful compute-optimized instance in AWS, called "c5.metal". This instance has 96 vCPUs and 190 GB of RAM. The lowest price you can get it for without a special deal with Amazon is $13,000 per year (calculated based on the 3-year contract full-upfront price, North Virginia region, Linux OS).

Since we chose 128 MB as a parameter for the hashing algorithm, this instance has enough RAM to run 1,900 hashes in parallel. However, there are only enough CPU cores to run 96 hashes in parallel. With one hash taking 0.4 seconds, such a host can calculate 96/0.4=240 combinations per second. This is equivalent to 240*60*60*24*365=~7,600,000,000 combinations per year. Therefore, we assume that the cost of testing 1 billion combinations is $13,000/7.6=~$1,700.
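The cost model above, carried through in code as an added example (not KeyReel's own code): it reproduces the reference table from the post's assumptions (0.4 s per hash, 96 cores, $13,000 per c5.metal-year) and generates a Restore Key from the 32-character unambiguous alphabet in the "3LDB-W4F9-3JHX" shape. The generator and its entropy calculation are my illustration of the described scheme, not the app's implementation.

```python
import math
import re
import secrets

# Assumptions taken from the post: one Argon2 hash takes ~0.4 s on one CPU core,
# a c5.metal has 96 vCPUs and costs ~$13,000 per instance-year, so one instance
# tests 96/0.4 = 240 passwords per second.
HASH_SECONDS = 0.4
CORES_PER_INSTANCE = 96
USD_PER_INSTANCE_YEAR = 13_000
SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Restore Key alphabet: A-Z without I and O, plus digits 2-9 (32 symbols).
RESTORE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
RESTORE_KEY_RE = re.compile(r"[A-HJ-NP-Z2-9]{4}(?:-[A-HJ-NP-Z2-9]{4}){2}")


def combinations(charset_size: int, length: int) -> int:
    """Search space an attacker must exhaust in the worst case."""
    return charset_size ** length


def guesses_per_instance_year() -> float:
    """Passwords one c5.metal can test in a year at HASH_SECONDS per hash."""
    return CORES_PER_INSTANCE / HASH_SECONDS * SECONDS_PER_YEAR


def instance_years(charset_size: int, length: int) -> float:
    """Instance-years to try every combination (= instances needed to finish in one year)."""
    return combinations(charset_size, length) / guesses_per_instance_year()


def crack_cost_usd(charset_size: int, length: int) -> float:
    """Worst-case brute-force cost in US dollars under the post's price model."""
    return instance_years(charset_size, length) * USD_PER_INSTANCE_YEAR


def cost_per_billion_usd() -> float:
    """Price of testing 1e9 candidates; the post rounds this to ~$1,700."""
    return 1e9 / guesses_per_instance_year() * USD_PER_INSTANCE_YEAR


def generate_restore_key(groups: int = 3, group_len: int = 4) -> str:
    """Random key in the "3LDB-W4F9-3JHX" shape, drawn from a CSPRNG (hypothetical generator)."""
    flat = "".join(secrets.choice(RESTORE_ALPHABET) for _ in range(groups * group_len))
    return "-".join(flat[i:i + group_len] for i in range(0, len(flat), group_len))


def is_valid_restore_key(key: str) -> bool:
    return RESTORE_KEY_RE.fullmatch(key) is not None


def restore_key_entropy_bits(key: str) -> float:
    """Each of the 12 symbols carries log2(32) = 5 bits, so 60 bits in total."""
    return len(key.replace("-", "")) * math.log2(len(RESTORE_ALPHABET))


if __name__ == "__main__":
    for size, length in [(62, 10), (62, 9), (62, 8), (92, 8), (36, 12), (36, 10), (32, 12)]:
        print(f"{length:2d} chars from {size}: {combinations(size, length):.1e} combos, "
              f"{instance_years(size, length):,.0f} instance-years, ${crack_cost_usd(size, length):,.0f}")
    key = generate_restore_key()
    print(key, f"{restore_key_entropy_bits(key):.0f} bits")
```

The instance-years column is about half of the table's unlabelled column, since the table appears to use the ~0.8 s benchmark rather than the 0.4 s used for the dollar figures.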

Wednesday, April 29, 2020

New features in KeyReel for Android!

In the past several weeks we have added a number of new features to KeyReel Android (Beta). Here is the short summary.

Search and Icons

The most wanted feature, Search, is now available on Android! With just a few taps you can filter your accounts down to the ones you need right now.

We have also improved the quality of account icons by advanced site metadata parsing and considerably improved icon load speed for most common sites. 

2FA at your fingertips

Adding a second factor of authentication in addition to the password is a big improvement to your online security. With the new release, setting up a second factor became even easier. Just tap the account you want to add the second factor to and follow steps similar to those in Google Authenticator, Duo Mobile or similar apps.

This way you keep the authentication code in the same account as your password and benefit from automatic password and code auto-fill on your paired laptop/desktop.

Generation of Backup password

While KeyReel does not have a master password, a strong recovery key is necessary for backups. We have switched our backup password hashing algorithm to the stronger Argon2, which allowed us to minimize the recovery key length. More about it in a separate post.

Root Protection

When a phone is rooted, it allows installing apps that have nearly unlimited power over the phone. While this was necessary in the early days of Android, when there were few apps, it is not used much today. Only a few enthusiasts and identity thieves use rooted devices. In order to protect our users' most sensitive information, we have decided to disable KeyReel on rooted devices.

Other changes

  • Improved auto-fill in Android apps
  • Improved Bluetooth connectivity with laptops/desktops
  • Conceal passwords by default and make it configurable in the settings
  • Switched site password strength estimation algorithm to Dropbox zxcvbn library

Monday, April 20, 2020

KeyReel Windows Beta major update

Over the past 4 weeks we have added a number of new features to KeyReel Windows (Beta) version 1.23. Below is what we added.

Configuration Wizard

We have added a step-by-step guide to set up KeyReel. It makes installation of web-browser extensions and phone pairing really fast.

Support for Edge Chromium

Since Edge moved to Chromium, it supports the Chrome Web Store, so the existing KeyReel extension can be installed from the Chrome store. We have added links to the extension from the system tray menu and the installation wizard.

Password Generator

The password generator is available from the system tray menu.

Other Changes and Features

  • Switched the UI to Windows Presentation Foundation (WPF). This allowed us to bring rich styles to the user interface.
  • Improved stability and robustness of the app. Fixed several bugs causing crashes and added automatic restart in case of failure.
  • Improvements to Bluetooth connection stability.
  • Removed annoying console windows during installation and upgrade.
  • Switched to Dropbox 'zxcvbn' library to analyze password strength.
  • Enabled anonymous data usage statistics.
  • Fixed new version availability notification (requires one-time manual reinstall).

Tuesday, March 3, 2020

KeyReel Beta for Android and Windows are available now!

We are excited to present two new additions to KeyReel family:

New products include core features, like clipboard sharing and integrated 2FA (similar to Google Authenticator).

Both products are available in Beta. What does that mean? The UI is not polished and is missing a number of features (like search or filtering). And it likely has a couple of bugs.

However, we have not compromised security! On the contrary, our Android version is slightly more secure than iOS. One example is that passwords are doubly encrypted and are not kept in the Android device's memory in decrypted form longer than needed to log in to an app or a site.

Give it a try and let us know what you like about it and how it can be improved. If you wish to contribute to KeyReel as an official beta tester of the Android version, use this link. Or you can always send us feedback using our contact form.

And if you have not yet tried KeyReel before and love your Apple products, try it now!