From an idea to a project: Paranoid Shield.

in #security, 5 years ago

First, the reason why all of us should use a password manager. Beyond a simple whim, the truth is that the credentials with which we access different services every day represent our digital identity, as important today as our physical identity, so using strong and unique passwords for each of these services is critical in our globalized life.

We often read and hear many people get this wrong: they think their information is safe because it doesn't matter much, and to reinforce this they repeat to themselves, "who would take the time and trouble to get hold of it?" The fact is that their information is very valuable, both for financial gain and as a way to hide much murkier activity.

What can we do?


Knowing a little more about the risks of using weak passwords, and worse, the same password for different services, the way to change this is to use unique credentials of at least 16 characters that have no relationship with us or with those close to us (please don't use the name of your pet or a relative's date of birth), and if they are generated randomly, so much the better. Doing this manually is cumbersome, and that is where a password manager helps us generate them safely.

Which brings us to another point:

Where and how are our passwords stored?


For convenience, people usually store their passwords in web browsers. This is really risky: the autocomplete function is enabled by default in the main browsers, and many malicious sites create invisible forms that are filled in with our data and sent to their servers without raising the slightest suspicion before our eyes. Added to that, unfortunately, it is common for a browser extension to be removed almost every day because it has been compromised or sold to a third party which, depending on the permissions granted, may have access to our information.

A very good option is to use a popular password manager. These usually store our credentials on their servers and claim not to know our precious passwords, but the truth is that we cannot verify that, and in the past some of them have already been compromised, exposing the information of hundreds of thousands of users.

Personally, another thing we don't like about this type of cloud service is that they automatically "investigate" whether your password has been compromised or exposed on the dark web or in some forum where this type of information is usually trafficked. That is only possible if they know your master password, that is, if they can decrypt your credentials without your intervention, or worse, if your passwords are stored in plain text. We don't want to speculate, but there are several doubts about how and where our credentials are stored in this type of service. It is true that they are usually convenient because they synchronize all your devices, since these all point to a server or a cluster, but this usually also carries a great risk.

Although, to be fair, it is still safer to use one of these managers than to keep using weak and repeated passwords across multiple services, stored in the browser. However, the services that store this type of sensitive information are often attacked by cyber-criminals looking for the smallest vulnerability that lets them get at this data. And as usually happens in these cases, the customer is the most affected and the last to find out.

We can always find alternatives that let us manage our passwords from our own computers, that is, locally and completely offline, without sending them to a third party or exposing ourselves to security breaches. There are also many tools that let you store encrypted information, and some of them offer password management. Most are not as well known as the cloud platforms, and we believe this is because they are not as aesthetically flashy and often require a lot of technical know-how to install and/or configure.

With all of that in mind, we decided to develop our own tool to manage our passwords.



Paranoid Shield

Paranoid Shield is planned as a completely offline solution that lets you generate strong passwords and store them under the most secure algorithm today, AES-256, with keys that are generated completely at random and are unique to each user and installation; all of this is transparent to the user, who only has to worry about remembering the master password.

Because passwords must always be close to their owner.

From the beginning, we decided to follow the zero-knowledge philosophy, that is, the developers have no way of knowing the credentials or information the user stores in the application. This is the safest option for the user, but the most complicated one for us, because offering the most common features the end user is accustomed to, such as password synchronization, in an isolated environment turns it into a rather ambitious task. But you will ask yourself: wouldn't synchronization imply uploading credentials?
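To make the design of the two previous paragraphs concrete (a random AES-256 vault key unique to each installation, the master password as the only thing the user remembers, and nothing the developer could decrypt), here is an added example that is not Paranoid Shield's code. It uses Ruby's standard OpenSSL binding; the key-derivation function (PBKDF2-HMAC-SHA256), its iteration count, and the nonce-plus-tag layout are my assumptions, since the post does not specify them.

```ruby
require "openssl"
require "securerandom"

KDF_ITERS = 100_000 # assumed work factor; the post names no KDF or parameters

# Stretch the master password into a 256-bit key-encryption key (KEK).
# PBKDF2-HMAC-SHA256 is an assumption; the post only says the master password unlocks the vault.
def derive_kek(master, salt)
  OpenSSL::KDF.pbkdf2_hmac(master, salt: salt, iterations: KDF_ITERS, length: 32, hash: "sha256")
end

# AES-256-GCM under a fresh random 12-byte nonce; returns nonce || ciphertext || 16-byte tag.
# Used both to wrap the vault key and to encrypt each stored credential.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv
  nonce + c.update(plaintext) + c.final + c.auth_tag
end

# The GCM tag is verified before any plaintext is returned, so a wrong key or a
# modified ciphertext raises OpenSSL::Cipher::CipherError instead of yielding garbage.
def open_box(key, box)
  nonce, ct, tag = box[0, 12], box[12...-16], box[-16, 16]
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key
  c.iv = nonce
  c.auth_tag = tag
  c.update(ct) + c.final
end

# First run on an installation: a random 256-bit vault key that the user never sees,
# wrapped under the KEK. Only the salt and the wrapped key are written to disk; the
# developer, holding neither the master password nor the vault key, can decrypt nothing.
def new_vault(master)
  salt = SecureRandom.random_bytes(16)
  vault_key = SecureRandom.random_bytes(32)
  { salt: salt, wrapped_key: seal(derive_kek(master, salt), vault_key) }
end

# Every later session: re-derive the KEK and unwrap the vault key, which then
# decrypts the individual credentials with open_box.
def unlock(vault, master)
  open_box(derive_kek(master, vault[:salt]), vault[:wrapped_key])
end
```

Because the vault key is random rather than derived from the master password, the master password can later be changed by re-wrapping the same vault key, without re-encrypting every stored credential.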

The cloud isn't the only way to sync. We are thinking about giving users the option of uploading the encrypted backups to their own private Google Drive or Dropbox account and synchronizing their other computers and/or devices from there; of course, only if that device has been linked to the main device, only if the person who wants to sync knows the master password, and only if they have access to the Google Drive or Dropbox profile where the backup is hosted. It doesn't necessarily have to be these services: if the client has their own server, they can do it from there. But apart from security, our premise is user comfort, which is why we have thought of these two services, the main ones for storing files and documents.

At the moment we only have the alpha version for Windows 8/10, but we plan to cover Android within a few months. We are open to development on other operating systems (OS) such as Mac/iOS and Linux. It will take us some time because we want to offer the best possible experience on each platform, so we have to develop Paranoid Shield in a native language for each OS, although they will all have C++ in common.

For Windows, everything related to the user interface (UI) is written in C#, but the core of the operation is in C++, for two reasons: performance and security, since reverse engineering a DLL in C++ is much more complicated than a DLL in C#. Although the decision to develop the core in C++ was more for performance and pleasure than for security, since we could publish the application's source code and it would still be just as safe, because, as we told you, the keys that protect the user's credentials are randomly generated.

Some developers who read us may ask why not develop the UI in Java or Electron and make the application cross-platform. The answer is performance: we want Paranoid Shield to be active at all times without affecting the operation of other applications, since lately both game launchers and the browsers themselves are consuming almost all the resources on our machines.

Another factor was avoiding, as far as possible, the dumping of information from RAM: the information in memory while the Paranoid Shield session is active is encrypted, and so that this does not affect overall performance we needed a language with higher performance. We don't mean to say that it cannot be done in Java; most likely it can, but .NET on Windows is more fluid and the synergy between C# and C++ is more usable in our opinion.

We are currently working very hard to reach the stable version 1.0. Paranoid Shield will be an application that continues to grow regardless of its success, since it is a tool that emerged to cover our own need to store and securely manage our credentials. We have many ideas and features that we want to include, but at the moment the priority is to make the foundations as safe and stable as possible.

What will happen when the application reaches its stable version?


We will continue to improve and add features.

Will it have a cost or will it be free?


You can always use Paranoid Shield without any cost or registration; only once you need a certain number (not yet defined) of credentials and/or features will you have to purchase the Pro version, which will require only a one-time payment, since the license will be lifetime (per computer). With the free version you can use Paranoid Shield without problems (we will not freeze credentials or block backups).


If you wish, you can support us by testing the application and giving us your feedback. It is available now in the Microsoft Store or, if you prefer, as an installer.

Paranoid Shield

by itandfeel
