Are you ready for what's already looking to be an exciting year? We are! First, work. More than ever, employees have been working from home and many will remain there due to necessity and many by choice as more and more businesses embrace remote work. Technologies will help to facilitate this telecommuting work model transition, and for many the quality of life will improve. For every company, it's even more important now to ensure that anyone accessing the corporate systems is educated and aware of the increasing security threats. At PasswordWrench, we are proud to provide the best password management system that exists on the market - a tool that does not steal your passwords since no passwords are recorded. We continue working hard to devise simple solutions that resolve huge problems.

Everyone has, on average, over 40 critical passwords to manage. Our expert recommendation is NOT to use tools of convenience that record them, such as the browser (e.g. Google Chrome) or other password managers that auto-log you into systems, and we also recommend that you use a unique password for every site. It's also important to keep changing them regularly. If you have difficulty remembering them and coming up with complex ones that are difficult for hackers to guess while still conforming to a site's minimum password requirements, our password manager is there for you.

There is a lot of noise lately about technologies that want to eliminate passwords, creating a "password-less" world. We are advised in the strongest terms to heed caution about these bright, shiny new things. Any authentication must go through some type of validation, and in a password-less approach, the validation is handled by the password-less provider. This means that they are now in total control of your authentication, and they can decide whether you should have access or not. In a normal password login approach, the validation is handled directly by the service provider that you want to use. It's also important to note that all "password-less technologies" are no more than a 2FA or an MFA technology without the initial username/password authentication factor. We provide a 2FA solution that can be converted to a password-less solution if you absolutely require it, but we do not recommend any password-less approach.

The highest recommended method for authenticating into any system is by using a password, something you know, combined with a 2FA method, which is something you have. The password protects you against any external validation provider that could deny you access wrongfully, while the 2FA protects you against someone that could know or record your password. If you keep changing them on a regular basis, and make sure that they are unique and complex, the need to add a 2FA also decreases significantly.

We are working to find simple solutions to all these threats, and would be happy to demo our products to you at your convenience. Schedule a demo using our calendar:

PasswordWrench Mobile 2FA App Live in Android Store

Our 2FA mobile app is now live! PasswordWrench listened to our customers who have been requesting a smartphone Two-Factor Authentication mobile application. For the past several months we have been busy building and testing one of the most secure 2FA applications in the industry. We just launched the Android version, and shortly we will release the iOS version as well.

The PasswordWrench 2FA mobile app resolves many existing security issues in the 2FA/MFA market. Working hard to address these issues while making an app that’s user friendly and secure were our top priorities. 

First, this 2FA mobile app is easy to use, a factor that is important to us as well as to our customers. The time it takes to set up the app is down to one click. Our 2FA technologies are built around a downloadable/printable Password Card that works similarly to a bingo game, and with this new mobile app, you don’t even need to download the Password Card anymore. A unique Password Card is generated for every login. Simply find and plug in the coordinates – anyone can do it.

Next, we bring more security than existing TOTP applications, as we resolve the vulnerability that TOTP apps have during the set-up process. Hackers can easily grab screenshots of the keys or the QR Code shown on the screen when you are using a TOTP app, and if they do, all PINs generated from that app are easily replicable on the hacker’s side. With the ubiquitous use of cameras everywhere, this problem is becoming a more prevalent concern in the cyber security community. We have eliminated this threat. 

Our solution also checks for potential phishing and man-in-the-middle attacks during the second-step login validation, something that no TOTP app does. We sync our validation with the server, validating our 2FA PIN using our provided API, which is of course seamless to the user.

And finally, our app resolves issues related to the smartphone clock, which all TOTP apps require to be properly synchronized. Sometimes, when generating a PIN from a TOTP app, the PIN will fail, even when valid, due to the clock on the device being off by a few seconds. Our app fixes this issue as well.
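The two TOTP properties discussed above (every PIN follows from the shared key shown at set-up, and a PIN depends on which 30-second step the device clock falls in) can be seen in a short RFC 6238 implementation. This is an added example, not PasswordWrench code; the key and timestamps are the published RFC 6238 Appendix B test values, and the `verify` helper with its `window` parameter is a hypothetical server-side check.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

# Test key and timestamps from RFC 6238 Appendix B (SHA-1 vectors).
RFC_SECRET = b"12345678901234567890"
DEVICE_TIME = 1111111109   # device clock, two seconds behind the server
SERVER_TIME = 1111111111   # server clock, already in the next time step


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Hypothetical server check: accept codes from +/- `window` time steps."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP, len(code))
        # Constant-time comparison; every candidate step is always checked.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


if __name__ == "__main__":
    # Anyone holding the set-up key derives the same PIN for the same step,
    # which is why the key or QR code must stay private during enrolment.
    pin_on_device = totp(RFC_SECRET, DEVICE_TIME)
    print("device PIN:", pin_on_device)
    print("server PIN:", totp(RFC_SECRET, SERVER_TIME))
    # Two seconds of drift straddle a step boundary, so a strict check fails
    # while a one-step tolerance window accepts the same PIN.
    print("strict check:  ", verify(RFC_SECRET, pin_on_device, SERVER_TIME, window=0))
    print("one-step window:", verify(RFC_SECRET, pin_on_device, SERVER_TIME, window=1))
```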

If we hear about any other issues or problems that the industry and businesses are facing, be sure, we will be on those as well. 

The app can be found here.

A Password-Less World

While it’s all the hype these days to breathlessly discuss eliminating passwords, passwords remain commonplace and nearly ubiquitous, despite agreement across the board that passwords, when used alone, remain the weakest link in the security chain.

What would a password-less world look like? Putting the hype aside, realistically it’s:

  • Irresponsible
  • Costly and not available to every participant
  • Not going to happen anytime soon; over 300 billion passwords to manage

What could go wrong? Let’s explore.

There are many companies, organizations/coalitions, and industry experts working on bringing forth password-less technologies. One of the positive goals of this effort, alongside heightened security, is that by minimizing the number of steps in the authentication process, secure logins are more convenient for users. There are many technologies today that can be used to achieve that, including SMS, OTP, FIDO/FIDO2 (CTAP), biometrics, and other proprietary technologies.

To access this loop successfully, the user must have something on them such as a Smartphone, USB Key, a PIN generator, or something that they are, such as their own fingerprints or other biometrics. The server where the authentication must take place requests from the user their PINs, fingerprint, keys etc., and validates this information by calling the third-party provider of these password-less technologies. The vendor then provides the final positive or negative answer back to the server. At that point, if successful, the user is allowed to access the system.

What could go wrong? The main issue using these technologies is the requirement of using a third-party validator, and trusting that they are going to provide the correct answer. This creates an inherent reliance on their technology, as well as each member of their staff. It only takes one bad actor in a company to create havoc. The second main issue is that this third-party vendor can impersonate the user without their knowledge. The third-party validator will have no problem generating the PIN or token or returning a false positive to the system and thus providing the final positive validation to the server in the authentication process. Doing that, the vendor can access the system and access all the user's data. It remains a huge security risk and in the realm of possible breach points.

In other articles we’ve discussed more about the pitfalls of third party devices in greater depth. There are also time and cost issues associated with third party devices, as well as accessibility constraints.

But what “risk” exactly is in contention here when the “something you know” is removed? And the subsequent question is, how can that risk be eliminated? What is your company’s risk tolerance, truly? And even that of the individual user? The answer will surprise many - by using a password. If a third-party vendor tries to impersonate the user, they don't know and will not have the password necessary to complete the authentication process. That's why we continue to question the experts that are trying to bring us this password-less world. It is possibly irresponsible and devious, akin to hiring the proverbial fox to guard the henhouse.

In addition, assuming that this wave will continue, realistically it will take many years, 10-20 even, given the propensity for slow adoption, because there are over 300 billion passwords in use today, and changing the behavior of users is not easy to do. To facilitate adoption also requires that every platform must adopt higher standards and more sophisticated procedures, and frankly many of them can’t or simply won’t due to technical inexperience or lack of skills, costs, user friction and other obstacles.

Many of the best experts agree: the ideal solution is to use both a password and 2FA/MFA in combination. The 2FA brings the extra level of security, especially if someone knows your password, and the password will eliminate the risk that the 2FA/MFA provider can impersonate you or share that data with others to do so.

A World Without Passwords, Is It A Good Idea?

Today, Microsoft has announced that it will support USB keys that allow you to log in to everything without a password. Their goal is to create what it calls a “passwordless future”. We believe that the concept of having a "passwordless" future is good, but it comes with security issues and caveats. Google announced something similar a few months ago.

First, it requires a piece of hardware that you need to carry with you at all times or, like many do, stick it to your computer so you don’t lose it. What happens if you lose it? You are going to be stranded until a replacement arrives. You have to remember that your life online will be dependent on this piece of hardware manufactured by someone you don’t know. It’s "passwordless", but not without effort. You have to stick it into a USB port, and you need a compatible USB port. Most people do, but there are some who don’t have a smartphone yet or aren't allowed to use them in security areas, so it won’t work for them. It's also possible for the USB drive to malfunction, and then again you’d be forced to wait for a replacement or fix. And instead of carrying that USB device around, we've seen many leave it in their USB drive or taped to their computer for convenience reasons. Then of course anyone who has access to that computer will be able to log in and impersonate that user. There won’t be any security at all in that case.

Second, not a lot of security folks are delving into how these USB drives are manufactured. They can be compromised by a virus at any time between when they are manufactured to when you receive them by mail or buy from a store. This has already been reported numerous times.

Third, and we believe this is the most important point of all, if you use a third-party device to validate your authentication, you are depending on that third party to provide an accurate response. In security, you have to measure risks and consider the probability of the worst-case scenario. It’s possible that eventually everyone on earth will be using third-party validators such as a USB drive, and the entire world will depend on third parties to validate their authentication, and it’s also possible that the entire market consolidates into one major player and that major player becomes a bad actor (or has an employee with nefarious intentions). If that happens, you will be able to authenticate only if they want you to, no matter whether your authentication is valid or not. This is obviously an extreme end result, but the consolidation of much of the manufacturing process is already taking place worldwide. The only thing that exists today without the need for a third party to validate your credentials is the username and password. The password is a direct relationship between you and the site you want to authenticate to, and it can be replaced at any time. There is no third party necessary and the risks mentioned are not present. So, passwords, realistically, aren't going away any time soon - at least not without some major security risks of which every VP of Engineering, CISO, CIO, and IT manager should be wary.

Not all Password Managers are safe but we need one

Passwords are unequivocally the most used entry point to anything online, and the most unsecure. Users know this. Companies know this. And hackers certainly know this. To create complex passwords is important, but managing them – remembering them, updating them, etc. – is cumbersome. Password managers help, but are they secure? Given the rampant data breaches that seem to occur every few weeks – and those are only the ones we hear about – how can giving all your passwords to a password manager be smart? Forsaking security for convenience: is there a better way?

Let us dissect why passwords aren't going anywhere – at least not yet, as well as a novel solution to solving the problem of password management while still maintaining security.

Download Full PDF Article


The Smart Way to Create & Retrieve Passwords To Avoid Getting Hacked

Nearly 67% of CISOs (Chief Information Security Officers) surveyed confirmed their blaring concerns about their companies falling prey to data breaches and cyber security attacks. If you don’t treat this seriously, your job could be at risk. And a secure password is the first line of defense to avoid getting hacked.

As cyber hackers become more advanced in their skills, and tech companies, with all of their best intentions, embrace a ‘transparent’ and ‘agile’ way of operating, data breaches and password leaks are inevitable occurrences.

From a business perspective, this could mean:

  • Losing valuable data to third parties and competitors with bad intentions.
  • Identity theft.
  • Losing precious customers, leading to instability and company failure.
  • Losing complete control over your company’s management and administration.

Could anything be worse?

Naturally, there is a solid need to create, store and manage passwords to protect your company’s most precious, confidential and highly vulnerable assets. Passwords are the keys that unlock the doors to these assets, and only you should have them.

The problem with using any third-party device or app for passwords is that it’s always subject to the risk of being hacked. Not only do third-party applications cost money, they could malfunction, leaving the customer stranded.

In this article, we’ll cover some valuable insights on the smartest way of creating & retrieving passwords and avoid getting hacked.

Let’s get right in!

Create & Retrieve Passwords Securely: The Silver Bullet. 

It’s no surprise that you need a password manager. The 2 most important functions of a great password management tool, usually, are:

  1. To help you create a strong complex password.
  2. To help you save & retrieve it safely & securely.

Let’s talk about (1). Creating a complex password that’s also easy to remember is hard for the normal human brain. Usually we think of a combination of words, expressions and numbers or special characters to create a password, which is too easy for a hacker’s brain to unveil.

Clearly, you need a better way! 

An effective way of creating complex, yet ‘memorable’ passwords is to use a password card. It’s basically a card with an assortment of letters, symbols and numbers arranged in rows and columns, like the one below:

Generate a password card and give it a name to get started. Then, draw a line across a row or column, or draw any shape like a square or triangle across the card, and soon you’d have a very complex, yet memorable password based on the characters your drawn line or shape includes.

You could also use the password manager to auto-generate a random password for you, which is especially useful if your password needs to meet specific character requirements.

But why create a password this way and how does it prevent data breaches? 

Password cards are a combination of random and unique characters that are not easy for someone else to guess. They’re also printable cards you can keep in your wallet. Even if another person saw your password card, it would be nearly impossible to guess what your password is!

With this method, the password manager isn’t really creating the password for you, but only helping you create a password that only you can later remember. Which brings us to point (2).

If you save your password somewhere, the point is, it’s still ‘accessible’. 

That’s the whole reason why passwords get hacked in the first place! Because they’re stored somewhere. 

But, using the password card method, your password can be retrieved using a ‘password hint’ which tells you what combination of characters are included in your actual password. So the only thing that gets saved on your password management tool is the ‘password hint’ to help you remember it.

Simply put, if your password is all the characters in an L-shape on the card, your password hint could be “L shape from A3 until A15 and then P15” (look at the image below). Of course, you could create better hints than that!


The reason why your passwords are highly secure this way is because they’re actually not stored anywhere, so there’s no chance of them being hacked. All that the password management tool is doing is enabling you to come up with a good password, and then helping you remember it. Simple, yet effective.

This helps resolve the problem of losing all of your passwords in case your password management application gets hacked.
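The hint-to-password step described above can be sketched as follows. This is an added example, not PasswordWrench's code: the card size (columns A to P, rows 1 to 15), the character set and all function names are assumptions, and the hint "L shape from A3 until A15 and then P15" is represented as the waypoint list `["A3", "A15", "P15"]`. It also compares the guessing space with and without sight of the card, assuming an observer who only tries vertical-then-horizontal L paths.

```python
import math
import secrets
import string

# Assumed geometry: the hint names A3, A15 and P15, so the sample card
# has columns A..P and rows 1..15. The character set is also assumed.
COLUMNS = string.ascii_uppercase[:16]
ROWS = 15
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_card(rng=None):
    """Fill every cell from a CSPRNG; returns {(column, row): character}."""
    rng = rng or secrets.SystemRandom()
    return {(c, r): rng.choice(ALPHABET)
            for c in COLUMNS for r in range(1, ROWS + 1)}


def parse_cell(ref):
    """'A15' -> ('A', 15); rejects references that are not on the card."""
    if len(ref) < 2 or not ref[1:].isdigit():
        raise ValueError(f"malformed cell reference {ref!r}")
    col, row = ref[0].upper(), int(ref[1:])
    if col not in COLUMNS or not 1 <= row <= ROWS:
        raise ValueError(f"cell {ref!r} is not on the card")
    return col, row


def walk(start, end):
    """Cells from start to end inclusive, along one column or one row."""
    (c1, r1), (c2, r2) = start, end
    if c1 == c2:
        step = 1 if r2 >= r1 else -1
        return [(c1, r) for r in range(r1, r2 + step, step)]
    if r1 == r2:
        i1, i2 = COLUMNS.index(c1), COLUMNS.index(c2)
        step = 1 if i2 >= i1 else -1
        return [(COLUMNS[i], r1) for i in range(i1, i2 + step, step)]
    raise ValueError("each segment must be horizontal or vertical")


def password_from_path(card, waypoints):
    """Read the characters along the polyline through the waypoints."""
    cells = [parse_cell(w) for w in waypoints]
    path = [cells[0]]
    for a, b in zip(cells, cells[1:]):
        path.extend(walk(a, b)[1:])  # skip the corner shared with the last leg
    return "".join(card[cell] for cell in path)


def l_shape_count():
    """Distinct vertical-then-horizontal L paths (start, corner row, end column)."""
    return sum(1
               for c1 in COLUMNS for r1 in range(1, ROWS + 1)
               for r2 in range(1, ROWS + 1) for c2 in COLUMNS
               if r1 != r2 and c1 != c2)


def search_space_bits(password_length, card_seen):
    """Guessing space in bits: characters if the card is unseen, paths if seen."""
    if card_seen:
        return math.log2(l_shape_count())
    return password_length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    card = generate_card()
    password = password_from_path(card, ["A3", "A15", "P15"])
    print(len(password), "characters derived; only the hint would be stored")
    print(f"card unseen: {search_space_bits(len(password), False):.1f} bits")
    print(f"card seen, L paths only: {search_space_bits(len(password), True):.1f} bits")
```

Under these assumptions, the strength of the derived password rests on the card staying private or on the shape being hard to guess, which is the reason for choosing a less obvious hint than a plain line or L.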

So how can you optimize the value from your password management tool?  

  • You can set password reminders to regularly change your passwords.
  • You can share your passwords securely with internal staff members as only they’d know the answers to the password hints you’d create.
  • You can use the tool offline too, since all you really need is your password card which you can print easily.

Remember, never divulge your passwords to anyone, including a password management tool. There are plenty of cases of password management apps being hacked, as they’re a ‘hacker’s paradise’. You might as well avoid these pitfalls!

Use a tool like PasswordWrench as an enabler, and not a storehouse of valuable information waiting to be hacked. Try PasswordWrench for free, and be safe.



Updates to Version 3.1

Our latest update has even more security and privacy features for advanced users or anyone who’s serious about security online and any user protecting the most sensitive information.

The first update revolves around the display of the Password Card. In previous versions, when a Password Card is created, the characters are displayed on a grid which is what defined the Password Card. Some of our users mentioned they’d like to see a feature or setting so that the characters would be hidden by default to increase security. So we listened and implemented this feature through an optional Rules Policy that you can define and manage within your Settings.

When the option “Disable Displaying Characters on Password Card” is enabled, the Password Card will not show the characters on the grid by default.

Next, we also incorporated this feature into our publicly available Password Assistant. For many of our users, the Assistant is the most secure way of protecting their master passwords using our technologies. They will be able to take advantage of this new feature. This will especially be useful when anyone needs to log in from an external environment not under their control, or during a presentation when many viewers might be able to see the Password Cards.

Some of our more hard-core security users mentioned that they would prefer the “Highlight” feature be disabled by default, so we added an option for that in the Settings under the Rules Policies.

And saving the best for last, the new Stealth mode helps to avoid all visual cues. Sometimes you might want to select certain columns and/or rows to construct your passwords using the Password Card editor, but you do not want people to know where you click on the Password Card, or to leave any visual cue on the monitor, in case someone is looking at your monitor or your moves could be captured on camera. A good example of this is again if you are giving a group presentation or webinar or the like. The password is constructed, but the password field is not shown. You can of course disable the stealth mode and/or show the password field at any time in your Settings.

We hope you will enjoy using these new security features to keep your passwords and log-ins secure. Feel free to reach out to us at any time with additional features or functionality you’d like to see in PasswordWrench.


New Product Launched: 2-Factor Authentication

Everyone knows by now that SMS is not a secure way to do 2-Factor Authentication, as your phone number can be hijacked, and sending a plain text PIN across 2 different networks increases the risk of interception. Many banks resolved those issues by providing an electronic device that generates a PIN. This alternative brings its own issues though. For example, if you are traveling somewhere and forget your PIN generator, or lose it, you could be stranded for many days. And it’s not going to be cheap to replace it, since they cost money to produce and take a while to ship. Many companies do not want to deal with such sensitive inventory management either. There are also many solutions based on biometrics and artificial intelligence which provide simplicity but with a huge negative: if compromised, they cannot be replaced, and you are forced to use an alternative. We’ve seen some big companies come out with free mobile applications to help you with your 2FA, but their goal is to track you down in order to stick ads in your face. They don’t care about your privacy.

Welcome PasswordWrench’s newest product to the family. Our 2FA allows enterprises to provide a secure 2-Factor Authentication within their system. Our technologies allow any website to offer 2FA without asking their customers to install a mobile application, and without the need to send a text message (SMS). Also, there are no digital PIN devices associated with our solution. PasswordWrench’s 2-Factor Authentication is easy for all users to adopt while advancing security to the next level. And did we mention it’s no more costly than any current 2FA solution out there, and significantly less costly than the PIN devices?

Our solution resolves the issues brought by SMS, PIN generators, and biometrics/AI, while still offering the highest level of security. Your customers do not need to install a mobile application. In fact, they don’t even need a mobile device at all. How? By using the same Password Card technologies that make it easy for consumers and enterprises to manage their passwords safely. Anyone can replace their Password Cards at any time, and at no extra cost. It’s a renewable technology. You won’t be stranded, and PasswordWrench stays true to its mission – where security and privacy come first. We still use all the top level security tools at every juncture of the process. The difference is that we free up the user from being reliant on unsecure or costly solutions.

Ready to give this to your development team or tech support to integrate? We have provided an API and SDKs written in JavaScript, PHP, Java, and .NET that allow any developer to integrate our technologies. And of course, we’re always here to help you get started.

Contact us now for a free enterprise quote!

PasswordWrench Password Manager Version 2.0

Today PasswordWrench launched our version 2.0 of our Password Manager. We have added several features intended to give our users more security and more options on how they can use our services.

First, we added an audit log for all paid subscriptions. You will be able to know when you logged in/out and monitor other actions on the account. This is an important feature because many accounts on the web get hijacked without the knowledge of the user, who cannot see that someone else has logged in and is impersonating them to access their account. With this feature, if someone does that, you will see it and you can take action.

Second, we now provide dual-authentication. We are not following the pack as SMS is still unsecure. We instead created a new system using our own Password Card approach. Just simply create a Password Card, print it or download the PNG, and you will use that as your dual authentication PINs. It’s simple, fast and easy. Even better, it does NOT rely on a third party carrier.

Next, you can now share passwords with other people. Sometimes you have an account you are sharing with your spouse, your child, or with colleagues at work, etc. and you want to keep those passwords safe. With the shared password tools, you will be able to use, manage, and share strong passwords. There is no more need to share written passwords or files, and you can manage who accesses which password anywhere in a centralized system. It’s very convenient and will eliminate phone calls asking “what is the password?”

We also added several enterprise features that allow any company to provide its employees with the best and most secure password manager available. Our product helps companies manage their employees and other users along with rule policies. For example, you can group users into departments, allowing a distribution of responsibilities. You will be able to set when passwords should be renewed, and when to warn your users about updating their passwords based on your corporate policies.

We are focused on providing the best and most secure products available and working hard to accomplish this mission. We hope you will like these new features and you are welcome to provide us feedback. We listen to our customers!


Patrick Tardif, founder

Why PasswordWrench is needed – a word from our Founder

My name is Patrick Tardif and I founded PasswordWrench to provide a solution to people where they can preserve their passwords safely without forcing them to trust anyone. The more projects I managed for clients from Fortune 100 to start-ups, the more I realized how lax a lot of security protocols really are when implemented in daily-usage patterns. Software consulting requires direct access to sensitive data, but it wasn’t until my wife had her identity stolen and I watched her go through that ordeal of fixing it that I realized just how vulnerable most people and companies are. Password management systems are great for ease of use, but my first question was – why would I trust another party to own or manage all of my passwords?

I managed my own passwords for years using my own system. There was a need for me to create a system so that my own passwords will be complex enough and contain characters that match the requirements of the sites I regularly use. Many of those sites require a mix of numeric, upper case characters and symbols and this was becoming very difficult to remember, especially when I followed best practices of changing them regularly and ensuring none of them were identical. I searched for tools to help and discovered a huge fundamental flaw in password managers; I was forced to enter my passwords into their system.

The news is rife with stories of celebrities being hacked, identity theft on the rise, and perhaps more ominously, the NSA, Edward Snowden and all the stories about government agencies spying on their own people. I wondered how I could create a way so that people don’t have to enter their passwords at all - a way that is secure no matter if the system gets hijacked. I figured out a way to do this, and came up with

I state unequivocally that this is THE MOST SECURE password manager available on the market today. You can create safe and secure passwords using this system, all without having to give away your passwords. How can I legitimize this claim? It’s simple. We do not record passwords in our system; instead, we use an innovative way that uses a hint, and a password card that is unique to you. You can even print your password card and put it in your wallet since it’s designed to be the same size as a credit card.

I created a list of the main threats against identity theft and addressed each of those.

  1. You can also use it offline, without any electronic devices. If you use only one computer, for example, and you are not logged in, how can you use a strong password that you can remember without writing it down? Our printed password card will resolve that issue for you.
  2. Our system protects you against more sophisticated threats as well. A good example of this is virtual reality, the gaming industry, and new gadgets that are being developed that can exert various forms of mind alterations. If you choose to believe the worst, and I have my doubts that government is capable and fast enough to keep up with rapidly changing technologies, then mind reading and control may soon follow. If you use our system, the chances that you remember your passwords of long strings of random characters are low, therefore these types of devices wouldn’t even be able to extract that info from you.
  3. Our system will also protect you against hidden, and not-so-hidden cameras. As CCTV and web-enabled cameras become ubiquitous, alongside arming everyone with a mobile recording phone, the chances of your login actions to your sites being recorded of course rise. By using the PasswordWrench system you can bypass that concern.
  4. The net that captures thousands or even millions of users’ data at once simply by hacking into a third party site. If you store your passwords in one site, doesn’t that already make you more vulnerable?

As the founder of PasswordWrench and a daily user, I welcome your feedback and opinions. I ask that you check out the site and make the decision for yourself. Who do you trust these days? Zero Trust architecture is our motto. Fixing the problem after it’s a problem is the nightmare we’re trying to help you avoid.