Thursday, October 1, 2020

Why a password manager like KeyReel is essential for business and leisure travel

By Joanne Shurvell, Travel writer

Like most journalists, I travel with multiple devices including an iPhone, laptop and iPad and, until recently, I made little attempt to protect my personal data, leaving me an easy target for cybercriminals. After hearing about a new password manager, KeyReel, I discovered a few simple things I could do to be more secure when traveling.

The only essential security measure I was taking was to ensure that my phone was locked using a PIN number and fingerprint ID. Like many non-techie travelers, I had no idea that it’s also vital to check that your operating system is up to date on all your devices. An out-of-date operating system is a major security risk and an open invitation to hackers.

Another essential step is to install anti-virus protection to keep your personal and business information secure while traveling. According to Bojan Jovanovic, of DataProt, only half of mobile devices in the United States have some kind of antivirus protection.

Although I had a sneaking feeling that it’s not a great idea to use free WiFi hotspots in the cities I travel to, it’s always so tempting. But these networks aren’t always secure. Don’t use unencrypted WiFi networks, and if you do use free WiFi hotspots, try not to access highly personal sites like your bank accounts. The same goes for Bluetooth on your phone: if you leave it permanently on, cyberthieves could hack your device.

But perhaps the best advice I’ve received recently is that a password manager — an impenetrable “vault” that stores your passwords — is crucial for your cybersafety, both at home and while traveling. It’s among the most significant things you can do, besides two-factor authentication, to keep your online data safe. Managing secure passwords for all your online accounts on all your devices demands a good memory, to say the least. Every website requires passwords to include numbers or special characters, which makes them more secure but also even more difficult to memorize. With data breaches on the rise, using the same password on multiple sites is a huge risk: if you do reuse a password, once it is hacked, every site using that password is hacked too.

A password manager stores your login details for the websites, apps and other services you use in a secure, encrypted form. Once that is set up, the only password you need to remember is the one for the password manager itself that, once entered, unlocks your vault of passwords, allowing access to any of your sites or apps with a single click.

The best known online password managers like 1Password, Dashlane and LastPass use the Cloud for storage and keep encrypted copies of your password vault on their own servers. Although KeyReel’s Oleksandr Senyuk, who has an extensive background working with Cloud companies, says the Cloud itself is not insecure, he does say that there is a risk that cybercriminals can breach a cloud-based service. This risk is small, but it is a risk nonetheless, because criminals are known to put a huge amount of effort into trying to hack cloud-based password managers. This is why Mr Senyuk created KeyReel, a “local” password management system, the first of its kind to store and sync your “vault” of passwords and other sensitive information on your own devices without using cloud servers. Your phone becomes a smart security system.

The KeyReel app encrypts and stores all of your passwords on your Android phone or iPhone without transferring them back and forth to a cloud, thus protecting them from cybersecurity threats. Even the FBI failed to hack the AES-256 military-grade encryption they use to protect their customers’ data.

KeyReel’s founder says he is on a mission “to make Keyreel work for everyone, so you don’t have to be an IT professional to have essential protection.” For starters, KeyReel allows you to easily store your passwords in a “vault” on your phone for free. Considering many people store their passwords in a very insecure standard memo app on their phone, this seems like an essential, minimum security step. If you feel comfortable with that level of tech, you can progress to the more sophisticated paid service.

It is so important to understand that although digitalization has brought untold benefits to our lives, it has also created many risks, so it’s crucial to keep up with the latest IT security developments, especially when we’re traveling and using WiFi access points, a favorite target for cybercriminals. I’m more cautious with my digital security when traveling now, and my new KeyReel app on my phone is a big part of that.

Friday, September 18, 2020

KeyReel's Founder Highlighted In Entrepreneur's Article on The Future of IT Security


As quarantine measures continue to be implemented globally, many businesses continue to operate virtually. Employees access sensitive business-related accounts daily, in vulnerable environments, and those accounts are not always secured with unique and complex passwords. According to the sources referenced in the article, 2020 is on its way to being a record year for data breaches.

KeyReel founder Olek Senyuk was given the spotlight on Entrepreneur's platform this past Wednesday. The article proposed new approaches to the future of IT security, highlighting the realities mentioned above: this year's increased number of cyber attacks and the increased risk of computer infection against the backdrop of decentralized business operations due to the pandemic.

Find out how Olek suggests businesses large and small should best approach these security challenges at the link below:

Saturday, July 25, 2020

The Twitter Hack: What We Should Really Be Worried About


Of course it was a surprise to log onto Twitter two weeks ago to find that over a hundred accounts had been hijacked, but sadly, hacking is so commonplace today--even of large companies that hold vast quantities of personal information--that it's only somewhat interesting.

Most people kept tweeting, with only cursory reminders and jokes about passwords and password managers. And after the hack was brought under control, activity returned mostly back to normal.

Twitter's statement indicates that the attackers gained access to the internal tools used to control the hijacked accounts through a social engineering scam involving employees. Apparently, over 1,000 employees at Twitter had access to these tools. Several facts are still in question.

One is why over a thousand employees had access to tools that allow such control over the company's user-facing system, and whether their use of these tools is audited, as is common practice. 

A second is how the alleged social engineering took place. 

But that's not the point.

Friday, July 24, 2020

KeyReel's Monthly 5-Plus-One Story Roundup


Five items of interest from the past 30 days about safety, privacy, and technology that you should see. Plus one of our own.

  1. Stealthbits with Troy Hunt: The History of Passwords. Presentation by Troy Hunt. Security isn't about the lock itself. It's about the mindset employed by the person trying to get in.

  2. Before You Use A Password Manager. Part I of a two-part series by Stuart Schechter. Consider the strengths and weaknesses of any password manager. Using it irresponsibly could be your downfall.

  3. Before You Turn On Two-Factor Authentication. Part II of a two-part series by Stuart Schechter. Read on if you've decided on a password manager and you're wondering whether 2FA is worth the headache.

  4. Why Is 3sYqo15hiL Such A Popular Password? Hey, you must know at least one person who uses it.

  5. Secrets, lies and Snowden's email: why I was forced to shut down Lavabit. How Edward Snowden's private email provider learned the reality of privacy in the US.

Monday, July 6, 2020

4 Ways Hackers Steal Data And How To Protect Yours

Old joke: The average user types the correct password after the fifth attempt, but an average hacker picks it up from the third. Yeah, we don't think it's funny, either.

Everyone wants to avoid being hacked because of the devastation identity theft can cause. But the truth is, unless you're a multi-millionaire, you are unlikely to be singled out as the target of a cyber attack. Still, no one can resist low-hanging fruit. If your accounts are vulnerable, they're likely to be hacked simply because it was too easy not to.

Sunday, June 28, 2020

(ENDED) Limited Quantity offer: KeyReel Premium Free!

(Promotion has ended)

We’re trying to bring stress-free cybersecurity to everyone who uses the web. To do that, we need to spread the word about KeyReel. There are two ways you can help, and get the full KeyReel Premium app free:

App Store Review

Download KeyReel Premium from the App Store or the Google Play Store, put it through its paces, and leave a review on the app store you downloaded it from. Then email us a screenshot of the review you left.

Social Media Post

Download KeyReel Premium from the App Store or the Google Play Store and let your social network know you’ve done it with a tweet or Facebook post. You can either tag our Facebook or Twitter account, or email us a screenshot of your post.

You'll receive a code to get the full app free. If you enjoy using KeyReel, please don’t forget to make sure your friends have a chance at this limited opportunity: we’re only offering 100 free apps.

Thank you so much for your support; we hope you’ll enjoy KeyReel Premium on us for a lifetime.

Monday, June 22, 2020

KeyReel extension is available for 7 browsers

We developed KeyReel aiming to make the most private security assistant available. It stores passwords only on your phone and, unlike similar apps, does not store passwords in the cloud or copy them between devices. So it made sense to also support the browsers with the best privacy options, like Firefox or Brave.

Chrome was the de facto choice for a multi-platform browser for quite some time. However, privacy concerns about Chrome have accumulated over time, the most recent being the discovery that it tracks users' actions in Incognito mode.

More and more users are looking into other browser options that provide better privacy and security. Firefox has added a number of safe-browsing features in the past few years. Brave and Vivaldi, in addition to great privacy features, also offer superior built-in ad blocking, which makes browsing faster and more enjoyable.

Today, we are happy to announce the new release of KeyReel with direct support for seven popular browsers: Chrome, Edge, Safari, Firefox, Opera, Brave, and Vivaldi. Update to the latest version of KeyReel for Mac/Windows to install the extension for your favorite browser.

Not using KeyReel yet? Why not try out all the Premium features for free for 90 days? Download it now!

Monday, May 18, 2020

KeyReel for iPhone Premium has arrived!

One year has passed since we released a "production ready" version of KeyReel for iPhone. It has proven to be a robust and handy password manager app that delights users with a frictionless login experience.

The time has come to introduce a separate Premium version of KeyReel. It is available now by subscription on a monthly or yearly basis. The free version is still available and includes all standalone features, including the built-in authenticator.

The subscription version allows remote Windows and Mac clients to connect to the phone. It includes all related features, like protected sites, automatic authenticator login and password clipboard sharing. We also offer an outstanding 90-day free trial of the Premium version. More details can be found on our pricing page.

The cost of the Premium version will allow us to fund new awesome features. It will also help to increase the trust of new users, as our customer feedback has clearly indicated that users trust their credentials to paid apps more than to free apps.

Please join us in celebrating this fundamental milestone for KeyReel!

Truly yours,
KeyReel Team

Thursday, April 30, 2020

How strong should Master Password be?

KeyReel has a distinct difference from most password manager apps. While other password managers require you to enter a master password regularly, KeyReel needs a password only to recover the database from a backup on a new phone. The problem of selecting a good recovery password is similar to the problem of choosing a master password, though, because the encryption key for a backup file is derived from the recovery password.

The key difference between a master password and a recovery password is the usage pattern: since the recovery password is entered only as often as you change your phone, we don't really need to optimize it for memorization or typing. Instead, you should write it down and store it in a safe box at your home or bank (or in the 4th volume of "War and Peace", where it will never be looked for :)

So how strong should a password be?

You can find tons of advice on the Internet, like "a strong password has at least 12 characters", "at least one capital letter, one lower-case letter and a digit", "must include special symbols !@#$" etc. You can also find a number of articles saying that an 8-character password can be cracked in seconds. However, these calculations do not apply to master passwords! Those articles usually refer to the SHA-256 and SHA-512 hashing algorithms, which should never be used for master passwords.

A password should be so strong that it would be too expensive to crack. Would you call a password strong if it cost a billion dollars to crack? The cost of cracking depends a lot on the password hashing algorithm chosen.

Spoiler: our lower-bound estimate is that cracking a KeyReel backup file protected with a randomly generated 12-character password of capital letters and digits costs at least 2 trillion US dollars. This is enough for any use!

Digging into details

(Warning: article contains a fair amount of math :)

The length of the password and the character set used define how many combinations a cracker would need to try to guess the password. For example, if the possible character set includes 26 capital letters, 26 lower-case letters and 10 digits, then the character set is 26+26+10=62 characters. The total number of possible combinations for an 8-character password is 62^8 ≈ 2.18×10^14, or over 218 trillion combinations.

We estimate the total cost of a potential brute-force attack by calculating the number of combinations and estimating dollar amount of a single combination attempt.

KeyReel uses the Argon2 hashing algorithm with 6 iterations, 128 MB RAM and 2 parallel threads. It takes ~1 second to run on the 2 CPU cores of a Pixel 2 phone. We specifically used this phone as a baseline, since it is neither too old nor too new. A second spent on password hashing during installation or recovery does not affect the user experience.

By our estimates the cost of trying 1 billion combinations is ~$1,700 (see details at the end of the post). Trying 218 trillion combinations would cost 218,000*$1,700=$370,000,000 (or 370 million dollars). And to try all the combinations within 1 year a cracker would need to run over 28,000 of the most powerful AWS compute-optimized instances.

For a comparison, here is a reference table of estimated brute-force cost for various password parameters.

Length | Character set                  | Approx. combinations | Est. instance-years | Est. cost
10     | 62 (a-z, A-Z, 0-9)             | 10^18                | 220,000,000         | $1.4 trillion
9      | 62 (a-z, A-Z, 0-9)             | 10^16                | 3,500,000           | $23 billion
8      | 62 (a-z, A-Z, 0-9)             | 10^14                | 57,600              | $370 million
8      | 92 (a-z, A-Z, 0-9, !@#$%...)   | 10^15                | 1,300,000           | $8 billion
12     | 36 (A-Z, 0-9)                  | 10^18                | 1,250,000,000       | $8 trillion
10     | 36 (A-Z, 0-9)                  | 10^15                | 900,000             | $6 billion
12     | 32 (A-Z without I and O, 2-9)  | 10^18                | 300,000,000         | $2 trillion

For the KeyReel Restore Key generator we chose the configuration with 12 characters drawn from an alphabet of 32. We decided to avoid ambiguous characters, like the digit 0 and the letter O, or the digit 1 and the letter I. Dividing the generated sequence into 3 groups, like "3LDB-W4F9-3JHX", makes it easier to read, write or type. It is still far too expensive to crack to worry about for the next few decades.

Does using special symbols help?

As you can see from the table above, special symbols do not help much. Even if we use an additional set of 30 special symbols available on US layout keyboards, the total number of combinations for an 8-character password is still smaller than for a 9-character password that does not include special symbols. The effort of typing special characters on mobile devices is just not worth it.

What about using words and phrases in passwords?

This is quite a large topic on its own and we will cover it in a separate post.

What about other password managers?

There is no single standard, and various password managers use different algorithms with various parameters. Nowadays the most used algorithms are PBKDF2, Scrypt and Argon2. PBKDF2 is the oldest and also the cheapest one to crack due to the availability of specialized hardware. Argon2 is the winner of the Password Hashing Competition in 2015 and the most recommended by the community. You can learn more about the various algorithms in this article on Medium

Below is a list of various password managers and the algorithms they use. To compare the speed of hashing we ran benchmarks for each algorithm on the same test machine. The slower the hashing, the more costly it is to crack.
  • KeyReel uses Argon2d with 6 iterations, 2 threads, 128MB RAM (~0.8s)
  • Dashlane uses Argon2d by default with 3 iterations, 2 threads, 32 MB RAM (~0.1s)
    • also supports PBKDF2-SHA2 with 200,000 iterations (0.01s)
  • LastPass uses PBKDF2-SHA256 with 100,100 iterations (0.005s)
  • 1Password uses PBKDF2-SHA256 with 100,000 iterations (0.005s)
  • KeePass uses AES-KDF with 60,000 iterations by default - (0.002s)
    • can be configured automatically based on 1-second performance test (needs ~25,000,000 iterations to be secure)
    • also supports Argon2 with configurable parameters. Defaults are 2 iterations, 2 threads, 1MB RAM (0.003s)
Note that SHA256/AES are much faster and cheaper to run on GPUs or specialized ASIC hardware. Argon2 is resistant to GPUs, which makes it a better choice for hashing passwords.

Estimation of a brute-force attack cost 

As mentioned above, KeyReel uses the Argon2 password hashing algorithm, which takes ~1 second when executed on 2 CPU cores in parallel on a Pixel 2 or iPhone 7. It would take a bit more on older phones and a bit less on the latest generation of phones (up to ~30% faster). For the sake of our calculations we will lower the number to 0.4 seconds on a single CPU, to account for advances in hardware and software optimizations.

To estimate the cost, we use the public price of the most powerful compute-optimized instance in AWS, called "c5.metal". This instance has 96 vCPUs and 190 GB of RAM. The lowest price you can get it for without a special deal with Amazon is $13,000 per year (calculated from the 3-year contract, full-upfront price, North Virginia region, Linux OS).

Since we chose 128 MB as a parameter for the hashing algorithm, this instance has enough RAM to run 1,900 hashes in parallel. However, there are only enough CPU cores to run 96 hashes in parallel. With one hash taking 0.4 seconds, such a host can calculate 96/0.4=240 combinations per second. This is equivalent to 240*60*60*24*365=~7,600,000,000 combinations per year. Therefore, we assume that the cost of testing 1 billion combinations is $13,000/7.6=~$1,700.
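The cost model above, together with the combination counts and the KDF benchmark list earlier in the post, can be reproduced with a short calculator. The following is an added example, not KeyReel's own code: the numbers it starts from (c5.metal at $13,000 per year and 96 vCPUs, 0.4 s per Argon2 hash, the table's alphabets, and the per-manager benchmark times) are the post's, while the function names, the `cost_table` helper and the CPU-only rental model it applies uniformly are assumptions made here.

```python
# Added example (not KeyReel's own code): the brute-force cost model the post walks
# through, as a small calculator for any password length, alphabet size and hash time.
# Inputs are the post's own figures; the CPU-only rental model ignores GPUs/ASICs,
# which the post notes make fast hashes like PBKDF2 cheaper still.
import math

# AWS c5.metal as priced in the post: 96 vCPUs for about $13,000 per year.
C5_METAL_VCPUS = 96
C5_METAL_USD_PER_YEAR = 13_000
# The post's working figure for one KeyReel Argon2 hash (6 iterations, 128 MB,
# 2 threads) on a single core, after allowing ~30% for newer hardware.
KEYREEL_HASH_SECONDS = 0.4
SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Alphabets from the post's reference table, with their sizes.
CHARSETS = {
    "a-z, A-Z, 0-9": 62,
    "a-z, A-Z, 0-9, !@#$%...": 92,
    "A-Z, 0-9": 36,
    "A-Z without I and O, 2-9": 32,
}

# Per-hash benchmark times quoted in the post for several managers' KDF settings.
KDF_BENCHMARK_SECONDS = {
    "KeyReel Argon2d (6 it, 2 thr, 128 MB)": 0.8,
    "Dashlane Argon2d (3 it, 2 thr, 32 MB)": 0.1,
    "Dashlane PBKDF2-SHA2 (200,000 it)": 0.01,
    "LastPass PBKDF2-SHA256 (100,100 it)": 0.005,
    "1Password PBKDF2-SHA256 (100,000 it)": 0.005,
    "KeePass Argon2 (2 it, 2 thr, 1 MB)": 0.003,
    "KeePass AES-KDF (60,000 it)": 0.002,
}


def combinations(length: int, alphabet_size: int) -> int:
    """Candidates an attacker must try in the worst case: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """The same quantity in bits, the unit most password advice is written in."""
    return length * math.log2(alphabet_size)


def hashes_per_year(hash_seconds: float, cores: int = C5_METAL_VCPUS) -> float:
    """Candidates one instance tests per year, one hash per core at a time."""
    return cores / hash_seconds * SECONDS_PER_YEAR


def usd_per_billion_hashes(hash_seconds: float,
                           cores: int = C5_METAL_VCPUS,
                           usd_per_year: float = C5_METAL_USD_PER_YEAR) -> float:
    """Rental cost of testing 10^9 candidates; about $1,700 for the KeyReel settings."""
    return usd_per_year / hashes_per_year(hash_seconds, cores) * 1e9


def instance_years(length: int, alphabet_size: int,
                   hash_seconds: float = KEYREEL_HASH_SECONDS) -> float:
    """Instances needed to exhaust the whole space in one year (instance-years)."""
    return combinations(length, alphabet_size) / hashes_per_year(hash_seconds)


def attack_cost_usd(length: int, alphabet_size: int,
                    hash_seconds: float = KEYREEL_HASH_SECONDS,
                    usd_per_year: float = C5_METAL_USD_PER_YEAR) -> float:
    """Worst-case cost of exhausting the space; on average half of it is needed."""
    return instance_years(length, alphabet_size, hash_seconds) * usd_per_year


def cost_table(policies):
    """(length, charset name) pairs -> rows matching the post's reference table."""
    rows = []
    for length, name in policies:
        size = CHARSETS[name]
        rows.append({
            "length": length,
            "charset": f"{size} ({name})",
            "bits": round(entropy_bits(length, size), 1),
            "instance_years": instance_years(length, size),
            "cost_usd": attack_cost_usd(length, size),
        })
    return rows


def kdf_cost_ratios(benchmarks=KDF_BENCHMARK_SECONDS):
    """How many times cheaper each quoted KDF setting is to brute-force than KeyReel's
    under the CPU-only model; on GPUs/ASICs the gap for PBKDF2/AES-KDF is larger."""
    base = benchmarks["KeyReel Argon2d (6 it, 2 thr, 128 MB)"]
    return {name: base / secs for name, secs in benchmarks.items()}


if __name__ == "__main__":
    policies = [(10, "a-z, A-Z, 0-9"), (9, "a-z, A-Z, 0-9"), (8, "a-z, A-Z, 0-9"),
                (8, "a-z, A-Z, 0-9, !@#$%..."), (12, "A-Z, 0-9"), (10, "A-Z, 0-9"),
                (12, "A-Z without I and O, 2-9")]
    for row in cost_table(policies):
        print(f"{row['length']:>2} {row['charset']:<32} {row['bits']:>5} bits "
              f"{row['instance_years']:>16,.0f} inst-yr  ${row['cost_usd']:>18,.0f}")
    for name, ratio in kdf_cost_ratios().items():
        print(f"{name:<40} {ratio:>6.0f}x cheaper to crack than KeyReel's setting")
```

Running it reproduces the post's headline figures without the intermediate rounding: about $375 million for 8 characters from the 62-character set and about $2.0 trillion for the 12-character Restore Key, and it confirms the point about special symbols, since 92^8 is smaller than 62^9. The `kdf_cost_ratios` output also makes the benchmark list concrete: at 0.005 s per hash, the quoted PBKDF2 settings are 160 times cheaper to attack than KeyReel's Argon2 parameters even before GPU speedups are considered.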

Wednesday, April 29, 2020

New features in KeyReel for Android!

In the past several weeks we have added a number of new features to KeyReel for Android (Beta). Here is a short summary.

Search and Icons

The most wanted feature, Search, is now available on Android! With just a few taps you can filter your accounts down to the ones you need right now.

We have also improved the quality of account icons through advanced site metadata parsing and considerably improved icon load speed for the most common sites.

2FA at your fingertips

Adding a second factor of authentication in addition to the password is a big improvement to your online security. With the new release, setting up a second factor became even easier. Just tap the account you want to add the second factor to and follow steps similar to those in Google Authenticator, Duo Mobile or similar apps.

This way you keep the authentication code on the same account as your password and benefit from automatic password and code auto-fill on your paired laptop/desktop.

Generation of Backup password

While KeyReel does not have a master password, a strong recovery key is necessary for backups. We have switched our backup password hashing algorithm to the stronger Argon2, which allowed us to minimize the recovery key length. More about it in a separate post.

Root Protection

When a phone is rooted, it allows the installation of apps that have nearly unlimited power over the phone. While this was necessary in the early days of Android, when there were few apps, it is not used much today. Only a few enthusiasts and identity thieves have a use for rooted devices. In order to protect our users' most sensitive information, we have made the decision to disable KeyReel on rooted devices.

Other changes

  • Improved auto-fill in Android apps
  • Improved Bluetooth connectivity with laptops/desktops
  • Conceal passwords by default and make it configurable in the settings
  • Switched site password strength estimation algorithm to Dropbox zxcvbn library

Monday, April 20, 2020

KeyReel Windows Beta major update

Over the past 4 weeks we have added a number of new features to the KeyReel Windows (Beta) version 1.23. Below is what we added.

Configuration Wizard

We have added a step-by-step guide to set up KeyReel. It makes the installation of web-browser extensions and phone pairing really fast.

Support for Edge Chromium

Since Edge moved to Chromium, it supports the Chrome Extension Web Store. This allows the existing KeyReel extension to be installed from the Chrome store. We have added links to the extension in the system tray menu and the installation wizard.

Password Generator

The password generator is available from the system tray menu.

Other Changes and Features

  • Switched the UI to Windows Presentation Framework (WPF). This allowed us to bring rich styles to the user interface.
  • Improved stability and robustness of the app. Fixed several bugs causing crashes and added automatic restart in case of failure.
  • Improvements to Bluetooth connection stability.
  • Removed annoying console windows during installation and upgrade.
  • Switched to Dropbox 'zxcvbn' library to analyze password strength.
  • Enabled anonymous data usage statistics.
  • Fixed new version availability notification (requires one-time manual reinstall).

Tuesday, March 3, 2020

KeyReel Beta for Android and Windows are available now!

We are excited to present two new additions to KeyReel family:

New products include core features, like clipboard sharing and integrated 2FA (similar to Google Authenticator).

Both products are at the Beta tier. What does that mean? The UI is not polished and is missing a number of features (like search or filtering), and it likely has a couple of bugs.

However, we have not compromised on security! On the contrary, our Android version is slightly more secure than the iOS one. One example is that passwords are doubly encrypted and are not kept in the Android device's memory in decrypted form for longer than is needed to log in to an app or a site.

Give it a try and let us know what you like about it and how it can be improved. If you wish to contribute to KeyReel as an official beta tester of the Android version, use this link. Or you can always send us feedback using our contact form.

And if you have not yet tried KeyReel before and love your Apple products, try it now!