Zeros and ones

Interested in the tech behind the Enigmer? It's all in the source code, but to save a bit of your time, here's a short description of some of the stuff behind the Enigmer.

How does it work?

You may have read the guides section in order to get a feeling for how this stuff works. Now, let's dig a bit deeper into the tech behind the Enigmer. There's no special magic behind it, just an ordinary JavaScript codebase with a few bugs in it. Let's look at the bigger picture first and then examine a few key points more closely.

At the moment, Enigmer is an overlay extension in Firefox and a regular extension in Chrome/Chromium. That means both are built with JavaScript. It also means I really should upgrade the Firefox version to use the WebExtensions API, which is the preferred way of developing extensions / add-ons for the Fox nowadays.

File structure

Enigmer stores its settings in a JSON file, located in "user-profile-folder/Enigmer" in Firefox. In Chrome, settings are stored in local storage and they can be downloaded to a similar JSON file. The file is formatted as seen in the picture:

As seen in the picture, a group consists of fields and salts. A group has at least one salt, and fields are connected to salts by a version number. Multiple fields can be connected to a single salt, but a field can use only one salt at a time.


Creating Salt

As you may already know, Enigmer uses browsing history and bookmarks in order to create the salt. The basic principle behind salt creation is that salts should be unique to the user and differ between the sites the user visits. In order to do that, I decided to use the user's browsing behavior and browser usage as the main data source. This meant that the user shouldn't have to be afraid of losing his/her privacy, so it should also be impossible (or difficult enough) to reverse engineer the salts.

This is how it works:

  1. Enigmer asks the browser which sites the current user has visited in the last 24 hours (currently 24 hours, this might change during the development). When the results are back, Enigmer filters out all the information except for the site titles.
  2. Enigmer asks the browser for the latest bookmarks. The results are filtered again, so that only the 5 latest bookmark titles are left (as with the browsing history time window, the bookmark count may change during development).
  3. Enigmer asks for the current date and time in milliseconds. This ensures that the resulting salt should be more likely to be unique for the user (the amount of entropy in step three is quite low, but it's enough).
  4. All the information is concatenated into a single string which is then used as the input for the MD5 function. The resulting hash is the salt.

Reading user input

A.K.A. How does the Enigmer launch and do its thing?
When I first started playing with the idea of a password-creating tool, I thought it should be very simple to use. It may have some trouble in the setup, but the daily usage of the tool should be very easy, almost unnoticed.

When Enigmer finds a password field on the page (a field that has already been added to the Enigmer), it starts to listen for the login button (submit event). After the login button has been pressed, Enigmer starts to handle the user password. As it turned out, this system didn't work on all sites, so a backup system was created. You can fire the Enigmer with a hotkey right after the input (currently Shift + Alt + down arrow key). Of course, this is not as subtle a firing system as the first one, but it makes sure you can use the Enigmer more reliably on different kinds of sites.

Calculating the password based on the salt and user input

The final password calculation procedure is quite simple.
After the user has given the input and Enigmer is launched (through the hotkey or by listening for the login button), the input and the salt are concatenated and pushed to the MD5 function. The resulting MD5 hash is used as the input to the password algorithm.

At the moment, there's only one password algorithm, which is capable of creating 6-32 character passwords, but it's possible in the future to have multiple different algorithms and longer passwords.
The current algorithm (called SumOf6) uses the MD5 hash and an array of allowed password characters in order to create the final password.

The resulting password is then printed back into the password field before the browser sends the information out to the server. This is a bit of a hack and is likely to change in the future. It usually works quite reliably, but of course some JavaScript-heavy sites are a bit of a problem. The hotkey solution works for those kinds of situations.