Posts Tagged ‘trust’

Partial Passwords Are The Power Supreme

Friday, March 14th, 2008

Many people are too scared to use a password manager because they do not trust the service. I will show you a trick to get all the privacy you shall ever need. We will use partial passwords. Partial passwords are the power supreme!

Step 1 - Edit Passwords at the Real Websites:

Let’s say I have an E-trade account. Say my E-trade username is Stockinator and my password is m@dddMONEY. Those are decent credentials. Now I establish my partial password. Use the partial password as a suffix which goes on the end of the normal password. I used to have a 1997 Camry (not really). 1997camcam sounds pretty good. I log in to E-trade. I change my password from m@dddMONEY to m@dddMONEY1997camcam. Now we are talking password, baby! Repeat this process at other websites of importance. Remember, we haven’t touched the Password Manager yet.

Step 2 - Edit Passwords On The Password Manager:

I clicked on a Google Ad that said “Store Your Passwords Online With The Devil”. Sure, why not. So I signed up and put all of my credentials in my online account at satan-stores-passwords.com. When I added E-trade to my favorites, I entered my username as Stockinator and my password as m@dddMONEY. Months later a scandal breaks. Turns out satan-stores-passwords.com was running a shady operation. Who knew? All of my accounts are compromised. Not quite, broseph. My real password over at E-trade is m@dddMONEY1997camcam. My E-trade account is safe. I was storing a partial password. I can get even sexier. I could store my partial password as a fake password in a fake favorite. Now I don’t even have to remember it. Well, sort of. I still have to remember which favorite is the fake. You get the point.

Advantages of Partial Passwords:

  • Eliminate the need to trust the password manager.
  • Critical passwords become twice as strong.

Disadvantages:

  • One more thing to remember.
  • Problems with any kind of automated authentication.

Building Spyshakers - Can I Get A Witness!

Wednesday, March 12th, 2008

This is the first in a series of posts explaining the challenges behind building Spyshakers. The first thing I want to say is that I spent eight months in the dark thinking this thing through. Eight months in the dark is a long time to think about anything. Some days I would come home infuriated. Infuriated because I couldn’t prove things. How can you prove that you really don’t know what your customer’s credentials are? How can you prove it, Grant? On the first day I couldn’t. On the last day I couldn’t. Somewhere in there I started to believe that proof doesn’t exist in the real world. I can find reasonable doubt. I can find burden of proof. Isn’t that interesting? I did not know the opposite of reasonable doubt until I did a search for “not reasonable doubt”. Up came a legal term called “burden of proof”. Attaching the word “burden” seems to indicate that proving things in the real world is very hard. Clearly someone has thought this through before. Maybe proof is impossible?

So we move on to the next best thing. If we can’t establish something as fact, we can try to convince. Can I get a witness! That is when I found out about the Truste organization. You can see the Truste Mission Statement. Because we can’t prove, we use Truste as our primary witness. Compliance with their program is not easy. They are like a super witness! I hope that our compliance with their program helps to establish trust. I am always pursuing more witnesses. The Better Business Bureau is probably next. It never hurts to have several super witnesses haha.

So establishing witnesses is important for trust. What exactly are we establishing trust for? Well, Spyshakers acts as a password manager, and using one requires trust. That trust depends on the secrecy of your passwords. How is this done? We do not store your master password. We store a one-way hash of it (like a footprint). Your master password lives on your computer (technically in the parameter string). Only computers see it; administrators do not. It decodes and encodes all secrets.

This makes Spyshakers garbage in garbage out. You send garbage to Spyshakers. We store garbage. You request garbage from Spyshakers. You get garbage. The master password turns the garbage into gold along the way. We love storing garbage in our database. That means it is not as appealing to hackers. Now you know!
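
To make the garbage-in, garbage-out design concrete, here is an added Go example of my own (not Spyshakers’ code, which the post does not show): the client stretches the master password, keeps the AES key to itself, and hands the server only a one-way verifier (the footprint) plus AES-GCM ciphertext (the garbage); the same master password turns the garbage back into the site password, and a wrong password or tampered garbage is rejected. The names (Record, Seal, Open) and parameters (PBKDF2-HMAC-SHA256 with 100k rounds, AES-256-GCM) are my assumptions, not the product’s.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

type Record struct{ Salt, Verifier, Nonce, Garbage []byte } // all the server keeps per favorite

func prf(key, data []byte) []byte { // HMAC-SHA256, used both to stretch and to split keys
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// derive stretches the master password (PBKDF2-HMAC-SHA256, one block, 100k rounds) and splits the
// result into an AES key that never leaves the client and a verifier that is all the server may store.
func derive(master string, salt []byte) (key, verifier []byte) {
	root := prf([]byte(master), append(append([]byte{}, salt...), 0, 0, 0, 1)) // U_1 (salt is copied)
	for i, u := 1, root; i < 100_000; i++ {
		u = prf([]byte(master), u) // U_{i+1}
		subtle.XORBytes(root, root, u)
	}
	return prf(root, []byte("enc")), prf(root, []byte("verify"))
}

// Seal runs on the client: encrypt one site password under the master password.
func Seal(master, sitePassword string) Record {
	rnd := make([]byte, 28) // 16-byte salt followed by a 12-byte GCM nonce
	rand.Read(rnd)
	key, verifier := derive(master, rnd[:16])
	block, _ := aes.NewCipher(key) // 32-byte key, so neither constructor can fail
	g, _ := cipher.NewGCM(block)
	return Record{rnd[:16], verifier, rnd[16:], g.Seal(nil, rnd[16:], []byte(sitePassword), nil)}
}

// Open checks the footprint (the only login check the server can do, since it never sees the master
// password), then turns the garbage back into the site password; ok is false on a wrong password or tampering.
func Open(master string, r Record) (site string, ok bool) {
	key, verifier := derive(master, r.Salt)
	if !hmac.Equal(verifier, r.Verifier) {
		return "", false
	}
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	pt, err := g.Open(nil, r.Nonce, r.Garbage, nil)
	return string(pt), err == nil
}
```

Note that the stored Verifier is derived from the master password with a different HMAC label than the encryption key, so a stolen database of verifiers and garbage gives an attacker neither the key nor the passwords without first guessing the master password.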
