The What?
The Enigmer. Enigmer is a somewhat different way of managing your passwords. Firstly, Enigmer helps you to create unique, long and complex passwords easily. Secondly, Enigmer makes using those passwords quite simple. Need to change your password? Okay, a few clicks and you're good to go. That's Enigmer.
- So, it's just another password manager?
- What's the difference between a password manager and Enigmer?
- Password creator needs my help?
- There's salt? Why and what about pepper?
- Okay, what about the password saving weirdness. Why won't you just save my password?
- And all of this is used from the browser extension?
- Okay, sounds good. Anything else I should know about the Enigmer?
So, it's just another password manager?
Well, not exactly. Yes, it generates good passwords and makes it simple to change them if necessary. Yes, it writes them down for you, partially. And yes, it helps you to use those passwords without really remembering them. So, it looks like a password manager, but it's really not. There are multiple great password managers out there; Enigmer isn't trying to compete with them.
What's the difference between a password manager and Enigmer?
Password creation: Enigmer uses user input and user browsing behavior to create good and unique passwords. There's no button that says "create a new password", it's created on the fly. Enigmer needs your help to create it.
Password saving: Enigmer doesn't save your actual passwords. It contains half of the information that's needed to recreate your password. The only piece that's missing is the user input.
Password usage: You don't need any external programs to use your passwords. All you need is lov.. uhm ... a browser extension.
Password creator needs my help?
Yes, Enigmer needs a lot of assistance from the user to create a good password. The first step in password creation is to collect some random stuff; this is called the salt. The best way to collect this random stuff is from the user, because computers are a bit stupid when it comes to randomness. Random data is collected from the user's browsing habits, e.g. the sites you have visited previously and your browser bookmarks (don't worry about your privacy here: this information is used in such a way that it's impossible to find out where you've been browsing; see here for more information).
The second step is to get some user input. This input could be called a semi-password.
The third and last step is to combine the salt and the semi-password. The result is the real, good password.
The way these passwords are created is nothing new. The innovation of Enigmer is that now the user can use this system to create his/her own passwords.
There's salt? Why and what about pepper?
Well, I just like to spice things up :-) Strictly speaking, salt is a term used in a certain type of login system. A lot of web services use (all of them should use) this kind of system when they save your passwords to their databases. When a user logs in to the web service, the user input is sent to the service. The service then combines it with some user-specific piece of information (user name, e-mail address, registration date, etc.), called the salt, and compares the result with the data in its database. If they match, the user is allowed to log in.
So, the salt in a sense adds something to the password so that it becomes something very different. It's also noteworthy that by changing the salt, the result becomes very different. This makes changing passwords regularly a bit simpler, because by changing the salt you'll get a new password (the user input stays the same).
It's impossible to know the result if you don't have both pieces, the salt and the user input. It's also impossible (or at least very difficult) to break the result back down into its basic components (the result isn't just a simple user input + salt concatenation; usually something called a hash is calculated from them).
Enigmer creates these salts for you automatically. Salts in Enigmer are unique strings of characters, which guarantees that your passwords are always different from each other. You may use the same input for all the services you log in to, but the resulting password will always be different because of the different salts.
Okay, what about the password saving weirdness. Why won't you just save my password?
Because security matters. As explained previously, Enigmer uses random data, called the salt, and user input in order to generate the password. This means that the password depends on two unrelated things. Only when they are combined is the real password revealed. So, in order to protect the real password, Enigmer saves one half (the salt) and leaves the other to the user. If one of them gets stolen or leaks out, the bad guy can't do anything with it on its own.
The basic principle behind the design of Enigmer is that it (and I, as its designer) doesn't want to know your real passwords. Why should you trust your password to anyone except yourself? Enigmer knows one half; the other comes from the user and is never saved anywhere or sent anywhere outside the user's computer.
If some hacker gets the Enigmer halves (the salts), they can't do anything with them.
On the other hand, if the user accidentally reveals his/her half of the password, it's just as useless on its own. In that case the bad guy must get the other half from Enigmer as well.
I'm not saying that it's impossible to steal/hack both pieces of information, combine them and reveal your password. Of course it's possible (I don't know how to do it, but I'm sure it's possible). I'm saying that Enigmer creates another layer on top of the password and the bad guys have to make the extra effort to get past it. In other words, the cost of the password is higher; is it even worth it for the criminals anymore?
Enigmer needs user input, like a password, in order to create a password? What? I thought Enigmer was supposed to create it for me!
Enigmer needs the other half in order to be able to create the real resulting password. The user input is that second half, which is supposed to be kept separate from the first half, the salt (see the previous chapter). No one said how long or complex the user input should be. I'd highly recommend that your input is long and difficult to guess (I won't be giving any specific guidelines; use your common sense). In case your salt data gets stolen and the bad guy tries to guess your input, it's very beneficial if your input is long and complex. The criminal might try to use brute-force cracking software to guess your input, but it wouldn't matter if your input was difficult enough.
The resulting (real) password is guaranteed to have enough length and complexity no matter what the user input is. If your input is the letter 'a', the resulting password might be 32 characters long and contain all the different types of characters (uppercase and lowercase letters, numbers and special characters), depending on the Enigmer settings. If your input is 'the brown fox that jumped over the hedge and found a moose', the resulting password has all the same properties as the previous one; the latter example is a bit harder to guess and is therefore the preferred one. Of course the input can contain all the different types of characters, like the resulting password itself. It doesn't have to be a password-like input, just difficult enough for any stranger to guess. Use your imagination.
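To make the three creation steps (salt, semi-password, combine) and the complexity guarantee above concrete, here is an added example; it is not Enigmer's own code, whose real combining function, character set and settings names this page does not describe. It assumes PBKDF2-HMAC-SHA256 as the combining hash, the OS random generator in place of browsing-data entropy, and a fixed special-character set.

```python
import hashlib
import secrets
import string

# Character classes the derived password must cover (assumed setting; the page
# only says "uppercase and lowercase letters, numbers and special characters").
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!#$%&*+-=?@_",
)
ALPHABET = "".join(CLASSES)


def make_salt(nbytes=16):
    """Step 1: the salt. Enigmer gathers entropy from browsing data; here the
    OS CSPRNG stands in (an assumption of this example)."""
    return secrets.token_hex(nbytes)


def derive_password(salt, semi_password, length=32, iterations=100_000):
    """Steps 2 and 3: stretch salt + semi-password with PBKDF2-HMAC-SHA256 and
    map the key bytes onto a password that contains every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    key = hashlib.pbkdf2_hmac("sha256", semi_password.encode("utf-8"),
                              salt.encode("utf-8"), iterations, dklen=2 * length)
    # One character from each class first, so coverage holds for any input,
    # even the single letter 'a'. Byte-mod-N is slightly biased; a production
    # tool would use rejection sampling instead.
    chars = [cls[key[i] % len(cls)] for i, cls in enumerate(CLASSES)]
    chars += [ALPHABET[b % len(ALPHABET)] for b in key[len(CLASSES):length]]
    # Deterministic Fisher-Yates shuffle driven by the second half of the key,
    # so the class-guaranteeing characters do not always sit at the front.
    for i in range(length - 1, 0, -1):
        j = key[length + i] % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def covers_all_classes(password):
    """Check the guarantee the text describes: every class is present."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    salt = make_salt()
    pw = derive_password(salt, "a")
    print(pw, len(pw), covers_all_classes(pw))
    # A new salt with the same input is a password change; same salt, same password.
    print(derive_password(make_salt(), "a") != pw, derive_password(salt, "a") == pw)
```

Note that the whole derivation is deterministic, which is exactly why losing the salt file (see below) loses the passwords: nothing else is stored.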
And all of this is used from the browser extension?
Yes. After the setup, Enigmer works behind the scenes and won't bother you in any way. You can manage password properties (length, characters, etc.), password salts and everything else from Enigmer Settings.
Okay, sounds good. Anything else I should know about the Enigmer?
There are a few very important things that you should be aware of before you start using Enigmer.
First, a few things about the current state of Enigmer:
- Enigmer is in beta. There might be weird things that make it impossible for you to log in to a web service by using Enigmer; you might even lose all your passwords. I'm very sorry if that happens. Although I can't get your passwords back, you can help me by reporting the problems.
- At the moment, the only way of using Enigmer is through the Firefox and Chrome/Chromium desktop versions. I'm planning to create an extension for Edge and the Firefox/Chrome mobile versions.
After a lot of information about the usefulness of Enigmer, I have to be honest: there are some cons in Enigmer which affect the usability of the tool (unfortunately security and usability never quite go hand in hand). Some of them are by design, some of them might be fixed in later versions. Nonetheless, I think Enigmer is a good solution for security-minded individuals, and you have to decide for yourself whether this list is too much for you to handle:
- Enigmer can only be used to log in to web services. You can sort of use it when you for example log in to your external e-mail software, but it's not even worth mentioning. Enigmer is designed for the web services inside your browser only.
- You might not know your real passwords (this is the single biggest weakness of Enigmer and it's there by design). Unless you write your passwords down somewhere (Enigmer has a feature that shows you the real password), you are dependent on Enigmer to calculate the password for you.
This also creates a dependency problem. If you don't write down your passwords (writing passwords down is of course highly discouraged, but maybe you can use some password manager for backing them up) and you start using Enigmer with a web service, from then on you will always need Enigmer to log in to it. For example, you can't use a public computer to check your social media account events. The real passwords are calculated in Enigmer and you need it on the other computer as well (plus you need the Enigmer settings file from your home browser).
- At the moment, there is no mobile version of Enigmer. So the previous point also affects most of the services you use from your cell phone.
- If you lose the Enigmer settings, your passwords are gone. There's no way to recover passwords from Enigmer if you lose the settings file. This file contains all the salts (the previously mentioned random data) and they can't be recovered afterwards. Losing the salts means that Enigmer can't calculate the passwords, and that means your passwords are unrecoverable. It's very important to keep an up-to-date backup of the settings file (or save the passwords to some password manager software).
Someone might suggest here, that the settings should be saved to some sort of cloud service and Enigmer should read the settings from there. No worries about losing the file. Yes, I admit that it's a great idea, but I'm not going to implement that sort of system, because I have a few problems with it:
I personally don't want to be that involved with your passwords. Yes, I made the tool, but all the information is under your control. I wouldn't like to save half of my password information to an outside service provider, because why should I trust them? Why should anyone trust a service hosted by me? You can't go through its code and say it looks secure enough. If (or maybe when) that service gets hacked, all the settings would be lost. Not to mention any technical problems that could accidentally wipe out all the critical password files. I have no skills to implement that sort of system reliably enough.
The second problem is more obvious: how would you log in to that system? With a password? So you would need a password in order to get your password. Sounds like an online password manager. Sorry, I'm not going to do that.
After reading all of this, I hope you're still keen on using the Enigmer. You can start by going through the Guides-section, starting from Installation (Guides - Installation).