Sunday, June 26, 2022

Deterministic Password Manager

While Apple, Google, and Microsoft are all very hard at work on a variety of passwordless schemes, passwordless logins will not be a reality at every website you visit anytime soon, simply because password-based login systems are the easiest and the cheapest to implement and most business, including banks/financial institutions are too lazy and don't want to do anything unless they are forced to implement a better solution. So we all have to continue using password manager for quite some time to come. 

There are many commercial and free versions of password managers out there to choose from but most of them store your encrypted password somewhere on the cloud which has a potential to be compromised. What if a password manager stores literally nothing and is able to deterministically calculate your password every time you access it? Would that be cool? That is what I did with my deterministic password manager prototype below. 

My website creates deterministic password without storing anything on the cloud or local storage unlike many password managers. All you need to remember is your single passphrase, the website name (FQDN), username for each website to create or retrieve your strong password on the fly. For convenience, the password is copied to browser's clipboard so it can be pasted into the website's password field directly.

Note: Password length can be set to 8 char for old & outdated websites that still insists on 8 char but it is highly recommended to use 16 char. Also, fields are case sensitive to ensure high variability on generation of password.

Simple Encrypted Drive

We all have sensitive data that we need to keep them away from prying eyes. While there are so many free software and solutions available, they all have advantages and disadvantages in using them. A discussion of available solutions and the pros/cons are outside the scope of this blog. If you are interested in using a simple, highly secure and most importantly, a free solution where you have 100% control of your sensitive information, read on. Note: This is only if you use a Mac or Linux laptop/desktop, sorry no Windows.

Here is a simple shell script to encrypt your data locally in your hard drive or on a portable USB stick to take it anywhere. If your USB stick is lost or stolen, the data stored in there are of course useless to anyone. The way the script works is by creating an encrypted disk using a special filesystem driver (encfs) and allows you to copy your ordinary files (i.e. unencrypted) through the driver just like copying a file with your operating system's copy command. To access these files, you have to mount the drive with your passphrase. Once the filesystem is mounted, they are available through a mounted drive in plain form to retrieve or update your files. Once the file system is unmounted, they stay in your hard drive or usb stick in encrypted from. 

Here is how to use it.

./ -d /tmp -m

In the screenshot below, I am using a /tmp directory just as an example but you should actually choose a permanent storage like an ordinary directory in your home path like "$HOME/encrypted" or a USB disk mount ex: /Volumes/<mydisk> on Mac. Note: you need to choose a strong passphrase and remember that to access your files later. The very first time you run, script will ask you a question about encrypted volume type as shown below, just hit enter to take the default; subsequent runs will not ask anything except the Encfs password i.e. master password you chose to mount the encrypted volume.

Once the drive is mounted (see the screenshot above shows mounted drive on your desktop), you can simply copy your sensitive files using operating system copy command like shown below, or just drag and drop files like you'd do with any other drive/path. The mounted drive will stay mounted for 15 minutes and unmount itself automatically for security reasons.

As you can see from the above screenshot the files are now accessible through the mount point (/tmp/decrypted) for reading and writing in plain form. Once you unmount using -u command, you see the files in /tmp/decrypted are gone and the actual files in encrypted form are in /tmp/encrypted which is useless if anyone got a hold of your USB drive or your computer containing these files. (Note: replace /tmp/ with the path you chose for your permanent storage when you mounted the drive)

The script is available in my GIT repo below. Download it and follow the instructions (below) to install the encfs which is required for this script to operate. Love to hear feedback.

#  Instructions for installing encfs

#   Mac
#   run the following 2 commands on mac terminal (assumed you have brew installed)
#     brew cask install osxfuse
#     brew install encfs
#   Linux:
#     Ubuntu/Debian: apt-get install encfs
#     Redhat/CentOS: yum install encfs  
#     Other: refer to your distro manual
#   Windows:
#      Sorry, wipe that crap 😃 and install Linux or get a Mac!

Facebook knows you way more than you think!

We all know that Facebook collects data on all of us. They manage to do that with different ways including via 3rd-party web browser cookies; an explanation of 3rd-party cookies goes beyond the scope of this blog but you can read about it at the link here. Though 3rd-party cookies are slowly phased out, the alternative i.e. FLoC proposed by Google, as per many privacy advocates, is even worse i.e. so for now, just assume Facebook and other platforms will always have a way to spy on you.

While there are ways to restrict what Facebook collects (follow steps at end of this blog), there is not a whole lot you can do to make them stop other than just deleting your Facebook account. The reason is, Facebook generates substantially all of its revenue by selling ads so they have to monitor your online activity to slap you with targeted ads and curated content based on your web browsing behaviour i.e. the sites you visit, shop, like etc. At the end of the day, Facebook knowing I have T-mobile wireless, or shop at Amazon or browse Reddit is not a big deal for me, I just don't care. However, when I looked at what websites are sharing with Facebook, specifically, financial institution that I do business with, I was concerned. My financial institution (will not mention their name here) shared with Facebook something related to my activity, see below ... 

Off-Facebook Activity

It is unclear to me what they shared since I don't have the details other than Facebook telling me they did. I have the habit of clearing all cookies on banking and financial websites frequently, so unfortunately, I can no longer access this specific cookie in my browser to see the content! However, based on the name of activity shared i.e. "COMPLETE_REGISTRATION", I can only assume it is not something I would like them to share, whatever it is. If it was just "PAGE_VIEW" like all other sites, I would be ok with it. The only thing I remember is opening a new account, transferring money on those 2 days at that exact time mentioned which caused my concern. Why on earth Facebook needs this information? Just to give some perspective, this is just one specific instance of a website I have discussed above, there could be crap ton of them we visit everyday sharing all kinds of stuff w/ Facebook 😮

Finally, if you got this far, you can follow the steps below to tell Facebook to quit doing this, at least for now, until they figure out new ways of profiting on you 😃

Update: (May 22, 2024): Since many page links and interfaces have changed since this original post back in June 2022, I updated the details below as of today. 

While logged in Facebook ...

  1. Navigate to
  2. Click "Manage future activity"
  3. Click on "Disconnect future activity" [Note: this will also clear all the stored activity so you don't need to clear that]
For visual reference, The screenshots for steps 2 and 3 are below.