Keyring - Easy password management

[krid]

I've gotten some reports of problems with version 0.0.3, with webOS 1.1 and 1.2. Hold off on installing it until I can try to reproduce them.

[krid]

Version 0.0.4 uploaded. Get it now.

There were a few unpleasant bugs in 0.0.3. I knew I hadn't done enough testing, but I went ahead with the release anyways. Stupid. Well, they're fixed now, and I tested this one a lot more thoroughly.

All kinds of thanks to John Ferraro, who sent me three separate emails about the problems he had. All of them were pleasant and informative, despite the fact that he lost data because of my mistakes. His patience and good information really helped me solve the problems quickly.

[StarDestroyer]

Having the password prompt at startup and a way to get data from KeyPass and I think this would be one awesome app. Unlike others here, I especially like the fact that this is open source.

Perhaps the KeyPass export can somehow be handled in a similar method to the simple-cgi.py ... if I understand that correctly. KeyPass could just dump a file to a location where this CGI (or some other script) feeds it to the phone OTA. Or something like that.

[voltageROCK]

I have a couple concerns with this app:

First of all, I think the concept of this is wonderful. I started to use this app and loved how it asked for a password at a preset time just to enter or access the prgram. Mine was 30 seconds.

As I started to enter my info, I realized that although this app requires a password, I can't continue to use it. It is awesome to have all of your info in your phone.

But, what happens if your phone is lost or stolen? I certainly do not feel comfortable in the security of this app to keep that info from someone who can hack right into it. Then, every bit of private info of mine would be compromised.

Also, what if this info can be transmitted without us knowing right back to anyone else who can figure out how to do that?

So after loving this app and beginning to enter my info, I then decided to delete it without hesitation.

My question now is, as I really want to use this app again!, what does happen if we lose our Pre's? Is there a way to remotely wipe out all of the info?

[awhiteprevis]

This morning I attempted to enter a new bit of info into Keyring and it keeps telling me my password is incorrect? I KNOW it's the correct password, b/c I also use it for most of my other apps. It's a four-letter password. Why would it suddenly not be working? How to get around this? Is there a "password reminder" option?

[kuoirad]

Krid:

Very intrigued by this app, and wanted to run a couple feature requests by you - one which has already been aired here, and one which hasn't.

I currently use Secret! on my 700P, and love the paradigm of it basically being an encrypted memo pad. It's excellent for allowing me to keep password lists for the systems I'm responsible for at work (sysadmin for an academic department at a major state university). Is keyring able to expand to include that sort of idea? I would love to not have to rely on running Secret! in Classic until Linkesoft gets their hands on some WebOS hardware and figures out whether or not they can port to WebOS.

Additionally, please let me put in another "vote" for having to enter a "master password" on app launch - better security, IMO.

Thanks for your attention.

[edhkim]

Quote:

Originally Posted by awhiteprevis

This morning I attempted to enter a new bit of info into Keyring and it keeps telling me my password is incorrect? I KNOW it's the correct password, b/c I also use it for most of my other apps. It's a four-letter password. Why would it suddenly not be working? How to get around this? Is there a "password reminder" option?

I just noticed I'm having the same problem. I'm not sure when the last time I used Keyring was, but it was probably before one of the updates.

Interestingly, at first after closing the program while the password entry area was still open it would sometimes give me the Welcome screen on next program run and ask me to enter a new master password, and sometimes it wouldn't. Now it consistently asks me to enter a new master password, but it always (early on and now) just sits there after I enter a password (twice) and hit the Ok button, and doesn't do anything else after that.

Any ideas?

[awhiteprevis]

Quote:

Originally Posted by edhkim

I just noticed I'm having the same problem. I'm not sure when the last time I used Keyring was, but it was probably before one of the updates.

Interestingly, at first after closing the program while the password entry area was still open it would sometimes give me the Welcome screen on next program run and ask me to enter a new master password, and sometimes it wouldn't. Now it consistently asks me to enter a new master password, but it always (early on and now) just sits there after I enter a password (twice) and hit the Ok button, and doesn't do anything else after that.

Any ideas?

EDHKIM, I just tried this as well, closing the program while the password entry screen was still on, and I had the exact same error as you. I was prompted to enter a new Master Password, then, after doing so, the program froze up. I have closed and reopened now numerous times, and the same thing happens. I have even less entry to my information than before. I am tempted to delete Keyring and reinstall, but now I am nervous that any future webOS updates will cause a freeze in the program; the purpose of inputting my info is so that I *don't* have to write it down somewhere else as well in case of a freeze. I am out of ideas too.

[krid]

I think I know why Keyring is popping up the "Welcome" dialog -- it looks like there's a timing issue. It works fine every time on the emulator, but only some of the time on the phone -- and since I keep Keyring running all the time, I didn't hit the bug on my phone. I tried dismissing the app and restarting it repeatedly, and I got the welcome screen about 1 out of 3 times. It should be an easy fix, and I'll have a go at it this weekend.

In the mean time, if you get the welcome screen when you don't expect it, just dismiss the app and restart it. It may work better with fewer apps open, or with more, I haven't had time to really delve into it.

Sorry I didn't reply sooner, but I'd set my preferences to email me whenever there was a post to the forum, and it emailed me once, and then ignored the next five posts. I started a new job in September, so I was concentrating on work and not checking the forum.

[krid]

Quote:

Originally Posted by voltageROCK

I have a couple concerns with this app:
... what happens if your phone is lost or stolen? I certainly do not feel comfortable in the security of this app to keep that info from someone who can hack right into it.

Keyring stores the data in a securely encrypted format. The title and date attributes of each item are plaintext, but the username, password and url fields are encrypted (using the well-regarded Blowfish algorithm). Furthermore, it only decrypts a single item at a time, and it doesn't store your master password anywhere (in fact, I don't keep it in memory either).

If someone steals your phone, all they will have access to is a blob of encrypted data that looks like this:

...0HhToNDV6EAfG+JOphDZslgZFEeNPWdCvqlVKfY3G9OhjJF5PpsV7um4E7UnyfL
lLh2PltDPo9miV3f80s8G/w+zsaTIChGjVRL7RXmGLHDE+vDxUxMDjZZtiEzUYm1nZ
Tv2+Au7qY6JPYjxSsZ1mbZiqv11Mu+1bWFcbujou4ZFzuxxwv5dhnfGNbmWBAHk
Od9vDOySJjPX8Awk+e9tvKj6c...

So long as they don't have your master password, that's all they'll get.

[krid]

Quote:

Originally Posted by kuoirad

I currently use Secret! on my 700P, and love the paradigm of it basically being an encrypted memo pad.

Secure memo (notes-only items) is on my list of upcoming features. Categories will come first, since more folks have been asking for that.

Quote:

Additionally, please let me put in another "vote" for having to enter a "master password" on app launch - better security, IMO.

I guess I'm going to have to implement this. The easy way would be to just pop up a password dialog when the app starts. The better way would be to actually encrypt the entire db (titles, dates, category names, etc.). However, that would require a bunch of extra work.

Would it be "good enough" to leave the stuff that's currently stored in plaintext as is, and have the app-launch password just deny UI access to the data, or do y'all want it to be really and truly secure (and thus slower and more susceptible to bugs and the like)? In the former, someone who stole your phone or hacked in over the network could read the titles of the items. In the latter, they'd get nothing but an encrypted blob (well, that and the salt).

[Cohens]

Any update on the repeated saying "invalid password" when you are certain the password you are entering is correct...?

[krid]

Version 0.0.5 hot off the IDE. Fixes the "enter a new Master Password" bug, adds the option to require password at launch (it fell out of the fix for the big bug), along with various other bug fixes and features. Get it now from the Homebrew Gallery.

Hopefully I can get to categories next weekend. This whole "paying job during the week" thing is really cramping my style.

[krid]

Quote:

Originally Posted by Cohens

Any update on the repeated saying "invalid password" when you are certain the password you are entering is correct...?

I hope that 0.0.5 will fix it. If it doesn't, uhh, PM me and I'll see if I can think of anything. If you can get to the help scene, check and see if there's a link at the top that says "Show Errors". If there is, click it, and let me know what it says.

[kuoirad]

Quote:

Originally Posted by krid

Secure memo (notes-only items) is on my list of upcoming features. Categories will come first, since more folks have been asking for that.

Fair enough, but immensely good to know that it's on your list.

Quote:

I guess I'm going to have to implement this. The easy way would be to just pop up a password dialog when the app starts. The better way would be to actually encrypt the entire db (titles, dates, category names, etc.). However, that would require a bunch of extra work.

Would it be "good enough" to leave the stuff that's currently stored in plaintext as is, and have the app-launch password just deny UI access to the data, or do y'all want it to be really and truly secure (and thus slower and more susceptible to bugs and the like)? In the former, someone who stole your phone or hacked in over the network could read the titles of the items. In the latter, they'd get nothing but an encrypted blob (well, that and the salt).

It's your time, but I would opine that at least for now put a "input password on launch" and work towards a fully-encrypted db, which it seems that you've done.

I would definitely vote for this program to be fully secure if it can be done well. But I'm a paranoid one - especially since I'd be putting password lists for work into the database once secure memo is implemented.

Thanks for the responses, krid - they're much appreciated.

Cheers,
Dario

[jaytee]

downloaded 0.5 and can't start it up. I get :

template load failed: loading/new-password-dialog.html

[krid]

Quote:

Originally Posted by jaytee

downloaded 0.5 and can't start it up. I get :
template load failed: loading/new-password-dialog.html

Wow, that was sure a dumb bug. Thanks for reporting it.

I just rolled an 0.0.6 release. It's uploaded already; it should show up on File Coaster later today, but you can d/l it directly from the URL.

I guess the next "feature" is going have to be a test suite. it's getting too hard to test all the nooks and crannies of the app manually.

[Cohens]

It was still saying invalid password after updating. I deleted and re-installed it and it works fine now... If it happens again I'll PM you.

[jaytee]

any hope of importing in a format that gnukeyring can export? (I'm thinking a flat csv type file)

[voltageROCK]

Quote:

Originally Posted by krid

Keyring stores the data in a securely encrypted format. The title and date attributes of each item are plaintext, but the username, password and url fields are encrypted (using the well-regarded Blowfish algorithm). Furthermore, it only decrypts a single item at a time, and it doesn't store your master password anywhere (in fact, I don't keep it in memory either).

If someone steals your phone, all they will have access to is a blob of encrypted data that looks like this:

...0HhToNDV6EAfG+JOphDZslgZFEeNPWdCvqlVKfY3G9OhjJF5PpsV7um4E7UnyfL
lLh2PltDPo9miV3f80s8G/w+zsaTIChGjVRL7RXmGLHDE+vDxUxMDjZZtiEzUYm1nZ
Tv2+Au7qY6JPYjxSsZ1mbZiqv11Mu+1bWFcbujou4ZFzuxxwv5dhnfGNbmWBAHk
Od9vDOySJjPX8Awk+e9tvKj6c...

So long as they don't have your master password, that's all they'll get.

Well, that is very nice to know! Thanks!
I think I will give it a shot again...

thanks