Sunny Saini
www.SunnySaini.com
Suncrypt v1

Unique passwords using Scrypt(N=1024, r=8, p=1). Computing time is usually about 1s. Default Password Length = 25 for 139 to 160 bit security and PIN Length = 8 for up to 26 bit security. Password Length = 60 gives about 386-bit security (60*log86/log2). (Note that password length alone is not sufficient for a strong password. Use mixed characters in passwords, including capital letters, small letters, numbers and special characters.)



Output-Verification Table:

Domain, Master Pwd | Generated Pwd | Generated PIN
s | ZHel .. yW&d | 37980859
ss | L,zA .. GMf4 | 49480901
 | P2*0 .. u:b0 | 20740408

Virtual Keyboard Issues

A virtual keyboard is a good choice for entering passwords because it protects against keylogger attacks. If you enter your master password in a cyber-cafe or on another untrusted computer, there is a chance that a keylogger is installed on that computer. Typing the master password on a physical keyboard may then compromise it. Even the Windows On-Screen Keyboard (osk.exe) is not immune to such keyloggers, as tested by me. In such cases, use the Virtual Keyboard. The Virtual Keyboard gives protection from physical keyboard loggers.

The way "Suncrypt v1" works is not fully supported by this virtual keyboard; however, it can still be used with the following techniques:

First Method:
  • Input the master password using the Virtual Keyboard and then the domain/site using the physical keyboard.
Second Method:
  • Input the master password using the Virtual Keyboard.
  • Input one more character at the end of your master password using the physical keyboard.
  • Press the Tab key or touch another input box. A password will be generated.
  • Now remove the last character of your master password and again press the Tab key or touch somewhere else.

Why Use "Suncrypt v1"?

  • Only one master password to remember. Practically, it is not possible to remember a large number of passwords. Hence "Suncrypt v1" helps by generating unique passwords from only one Master Password. The need for a password manager to store passwords is eliminated. All the passwords can be dynamically generated using "Suncrypt v1" with just one Master Password.
  • Drag & Drop. Generated passwords/PINs can be dragged and dropped to the desired location without copying to the clipboard. Copy/paste is still available. Note that drag & drop is more secure than copy/paste.
  • Power of Scrypt. For Master Password based unique password generation, Scrypt is better than pbkdf, pbkdf2, HMAC, SHA2 (SHA-256, SHA-512,...), etc.
  • Strong Scrypt Parameters. Good Scrypt parameters N=1024, r=8 and p=1 are used, which may be regarded as very safe for the next 70 years or until real quantum computers are invented.
  • PINs. PIN generation. In today's life PINs are needed for ATM cards, phone screen locks etc. and are unavoidable.
  • Choice of password length. Desirable generated password length, default length being 25.
  • Equally weighted characters. All characters in the character set are weighted equally and there is no character that shall never be included in the generated password.
  • No bad character used. Bad characters " < > \ ` { | } which are not always supported by some websites are dropped and not used.
  • Good Character Set Choice. Character set of "Suncrypt v1" uses the following 86 characters that are accepted by almost all websites A-Z a-z 0-9 @ & % ? , = [ ] _ : - + * $ # ! ' ^ ~ ; ( ) . / This character set is also used by some other good programs e.g. masterpasswordapp.com.
  • High Security. The theoretical security with these 86 characters and a generated output length of 25 characters is 161 bits (25*log86/log2). Practically, the KeePass 2.x program shows 139 to 160 bit security for various samples of generated passwords. AES-256 bit encryption uses 128-bit blocks only. Thus, 139-160 bit security is sufficient.
  • High Security Comparison. In masterpasswordapp.com only the encrypting key is derived using Scrypt. All other passwords are derived using simple HMAC-SHA-256 techniques with the same derived encrypting key that serves as a secondary Master Password. Thus, if in near future HMAC-SHA-256 is cracked, the secondary master password of masterpasswordapp.com shall be deduced and all of your accounts on various websites will be compromised without the need of knowing your master password. In "Suncrypt v1" all passwords are generated dynamically, using Scrypt only and hence, the security to the Master Password is very strong.
  • JavaScript Local working. Security is further made stronger by generating all passwords locally on your device. This can be verified by first opening this webpage and switching off the Internet. The passwords and PINs will still be generated without any Internet connection. The offline working html file can also be downloaded and can be used to generate passwords by opening it in a good web browser. Please check the hash sum before using the offline copy.
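
The scheme described in the list above (scrypt with N=1024, r=8, p=1, the 86-character set, equally weighted characters, 25-character passwords and 8-digit PINs) can be sketched as follows. This is an added example, not Suncrypt's own code: the salt layout, the "pwd:"/"pin:" labels and the byte-to-character mapping are assumptions, so its output will not match the Output-Verification Table.

```javascript
// Added example (Node.js): deterministic password/PIN derivation with scrypt.
// Assumptions, not taken from Suncrypt: the domain is used as the salt with a
// "pwd:" or "pin:" label, and bytes are mapped to symbols by rejection sampling.
const crypto = require('node:crypto');

// The 86-character set listed on the page.
const CHARSET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' +
  "@&%?,=[]_:-+*$#!'^~;()./";
const DIGITS = '0123456789';
const SCRYPT_PARAMS = { N: 1024, r: 8, p: 1 }; // parameters stated on the page

// Map scrypt output bytes to symbols with rejection sampling, so every symbol
// is equally likely (a plain `byte % 86` would favour the first 84 symbols).
function deriveSymbols(master, salt, alphabet, length) {
  const limit = 256 - (256 % alphabet.length); // bytes >= limit are discarded
  for (let keylen = length * 4; ; keylen *= 2) {
    const bytes = crypto.scryptSync(master, salt, keylen, SCRYPT_PARAMS);
    let out = '';
    for (const b of bytes) {
      if (b < limit) out += alphabet[b % alphabet.length];
      if (out.length === length) return out;
    }
    // Too many bytes were discarded: request a longer scrypt output. It begins
    // with the same bytes, so the result stays deterministic.
  }
}

function generatePassword(master, domain, length = 25) {
  return deriveSymbols(master, 'pwd:' + domain, CHARSET, length);
}
function generatePin(master, domain, length = 8) {
  return deriveSymbols(master, 'pin:' + domain, DIGITS, length);
}

// Upper bound on output strength: length * log2(alphabet size). The real
// strength is capped by the entropy of the master password itself.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Constructed sample inputs.
const MASTER = 'constructed master pwd';
console.log(generatePassword(MASTER, 'example.com'));
console.log(generatePin(MASTER, 'example.com'));
console.log(entropyBits(25, CHARSET.length).toFixed(1));
```
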

Drawbacks

  • Password generation takes a few seconds, generally 1s to 5s. The time taken depends upon the speed/memory of the machine used (computer, smart phone, etc.) and the browser used. However, the security provided by this program outweighs the time usage drawback.

Precautions

  • Do not use this program if, on your machine, the initial parts of the generated password and PIN for domain/site = "s" (small letter sierra without quotes) do not match the password and PIN that are given in the first record of the "Output-Verification Table". This generally happens when JavaScript is disabled in the browser's options or a bad web browser is used.

Tips & Notation

For shorter PINs, use the first four digits (or as many as required) of the generated PIN. For longer PINs, run the generation more than once with a letter appended, e.g. for PIN length = 16 and domain/site name "my door lock", generate two PINs with "my door lock a" and "my door lock b" and then join the two generated PINs to make a 16 digit PIN.

Write down somewhere the code "SC1(Master_Pwd_Hint, Site name, L)", where SC1 is the short code of "Suncrypt v1" and L is the output PIN length if the PIN output is used. For example:

  • SC1(!00, door lock, 16) First, generate PIN for "door lock a" then, for "door lock b" and then, concatenate output1 and output2.
  • SC1(!03, yahoo mail sunnyji) Here, since password is used, L is omitted.

Some websites, e.g. some banks, do not accept passwords of more than 16 or so characters. In that case, use the first X characters of the password and mention this length within additional brackets, e.g.:

  • SC1(!03, yahoo mail sunnyji)(16) Here, first 16 characters are used. Additional brackets differentiate it from the PIN length.
  • SC1(!03, some mail sunnyji, nosp) Here, the word "nosp" stands for No special character in the password. "nosp" has to be the third parameter in first bracket to replace PIN length parameter.
  • SC1(!03, some website, nosp)(13, suffix @+!) Here, the first 13 characters are the generated ones, and @+! is suffixed to the generated password to make a total length of 16 characters. That is, if the generated password is "Q3VJtC7Cwso08", then the final password will be "Q3VJtC7Cwso08@+!". In general, the second parameter of the second bracket contains comments/instructions such as suffix, prefix, etc. The word "suffix" can be omitted altogether, as it is understood that the special characters have to be suffixed. The word "prefix" may be written as "pre" for short. The second parameter of the second bracket can be a comment too, for example, "SC1(!03, GoodBank.com, nosp)(13, ,@+! The bank time out period is 30 seconds)". Here the ,@+! character sequence is to be suffixed to the generated password. Another example with a special instruction: "SC1(!03, some website, nosp)(13, Insert ,! after first two characters)". Here the example final password shall be "Q3,!VJtC7Cwso08".
  • SC1(!03, goodsite.com, nosp)(pre %,^&) Here, the default generated password length of 25 characters is used with prefix command to create final password of 29 characters length.
  • A comma should be allowed only in the second parameter of the second bracket. That is, it can be part of a suffix, prefix, etc., e.g. "suffix ,@!". Don't make a comma part of the Master_password_hint or the Domain/Site name. The space just after the comma, in the first bracket, is for readability only and is not part of the domain/site name.

Take care of letters I (Caps India), l (small Lima), 1 (number one), O (Caps Oscar), 0 (number 0) etc.


  • If I make changes to this program such that the generated passwords are different, a new version web page shall be added to my website. This version 1 web page shall not be removed, so that the old passwords can still be generated by users.
  • For any queries contact me using Contact Box on home page.


  • Message:
    Please donate to my account 1HBnhjJ7D4ErQiDB7CvgcMmuynze5S5A4v to support my long and arduous work.
    Signature:
    H0eLZM67eQ0uSGGPUjwXPAh2N0UlAkYpNzZ3YcnUusoGlgngZi5Zo6YoZfb1syfnPi52YR0zSao3odE4nmRaV9k=

    Suncrypt was made for personal use by Sunny Saini. You may use it for personal use for free but, at your own risk. Sunny Saini shall not be responsible for any data or other loss by direct or indirect use/non-use of this program.

    Thanks
    Sunny Saini