Password Locket

Hello cplusplus community,

My company ShanKoDev has recently developed a small but highly effective app called Password Locket. If anyone has ever forgotten a password and found the process of recovery difficult in certain cases then this little utility might be of interest to you.

Although this app is very small and simple with regards to its functionality and components, the encryption employed therein however is far from being simple and straightforward. The encryption used was not taken from one of the currently existing algorithms but was also developed completely in house by us.

We would therefore appreciate it if anyone on this site could help us verify the encryption level security of it. Typically the movies show there exist people with abilities that can crack virtually any encryption. Somehow I believe that is science fiction but would like to see if there is any element of truth in it. Currently the developer who created it claims that he self will not be able to recover a lost password even with having all the algorithm at his disposal. We therefore believe this app is secure but this could be due to our own abilities being inadequate at solving this but would appreciate someone on this site (or refer us to someone who has) could show us otherwise.

Just post the git repo we can download the source from.

Oh, and if your developer hasn't read this, they need to.
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html

closed account (z05DSL3A)
> The encryption used was not taken from one of the currently existing algorithms but was also developed completely in house by us.
Why would you not use a tried and tested algorithm in favour of a roll it yourself approach?
> Currently the developer who created it claims that he self will not be able to recover a lost password even with having all the algorithm at his disposal. We therefore believe this app is secure but this could be due to our own abilities being inadequate
The point of using a standard algorithm such as AES-256 or Blowfish is that they were produced by professional cryptographers and reviewed by their peers. In the case of AES-256, it had to win in a contest against other algorithms, and it was selected as the overall best.
Additionally, these algorithms have been in use for many years, and there are no reported cases of recovering a plaintext. They're as good as it gets.
@salem c: thank you for the response. My developer has not seen this particular article but is aware of the various encryption techniques and pitfalls discussed therein and thus claims that he has guarded against all of them.

On this basis he claims his own inability to crack this algorithm due to all pitfalls being avoided.

He also claims that he is aware of a variety of reverse engineering techniques and asserts that he has taken extensive steps to guard against it.

He therefore claims that reverse engineering of this app would be near impossible and would appreciate verification on that as well.

If it then can be confirmed that this app was not effectively reverse engineered and/or cracked then we will be able to claim that it is secure relative to the conditions imposed.

We can then reveal the source code and further test its security as well as have the anti reverse engineering components scrutinized and perhaps improved upon.

You can claim all you want, but all you posted was snake oil buzzword bingo.

No s/w is immune to reverse engineering given an adversary with sufficient motivation.

Further, if you want to release the s/w with the blind hope that no-one knows how to defeat it, then anyone who does manage it will keep that knowledge to themselves.

https://www.bbc.co.uk/news/uk-33676028
There's a lot of advantage to be gained from knowing how to break something, which the wider populace either believes is secure, or has no way of verifying.

> Currently the developer who created it claims that he self will not be able to recover
> a lost password even with having all the algorithm at his disposal.
If you genuinely believe this, then there's no point hiding the source code.


No one is going to take seriously an encryption application that won't reveal its source.
I'm sorry, but at this point you've inadvertently revealed that you guys don't know Cryptography 101.

If you want to see how to do a password manager properly, take a look:
https://keepass.info/
https://sourceforge.net/projects/keepass/files/KeePass%202.x/2.42/KeePass-2.42-Source.zip/download
Let us all marvel at the "professional" website for ShanKoDev. (*giggle*)

http://www.shankodev.com/

Oh, yeah, I am so inspired to give them lots of money now. *roll eyes*

Maybe this is not the OP's company, no real way to tell since there is no link.

Doing a 'net search for "Password Locket" comes up bupkis.
I don’t think ridiculing people or their businesses is a friendly way to welcome new members.

OP should be aware by now that his developer has taken him for a ride.
He can decide whether or not to accept that assessment on his own. An unpleasant experience is not likely to sway him, though.

@Ang
You have given money to your developer to develop something he cannot prove is secure. The reality is, his algorithm can be cracked, and easily, by people who know what they are doing.


But the real problem you will face is Litigation.

You are trying to sell cryptographic security.
When the algorithm is cracked (not “if”), a lot of people are going to want their money back.

If someone important enough loses stuff because they were using your developer’s algorithm, you may even get sued, or worse.

Don’t get your ass handed to you on a platter because you believe your developer is too smart for everyone else.

For some extra reading, here is a useful perspective by the guy who invented Twofish.
https://www.schneier.com/crypto-gram/archives/1998/1015.html#cipherdesign

If you can legally do it, I suggest you just use an existing cipher, like TwoFish. Then you can promise actual, verifiable security to your customers.


Oh, and you should fire your developer for wasting your time and taking your money. If he were an actual cryptography expert, you could drop his name and people all over the world would go “wow”. He would make his algorithm publicly available, and would never give you promises about his abilities to crack his own cipher. The experts themselves aren’t that arrogant.

So the final assessment you must make is: is it worth the financial distress you will be in when the algorithm is broken?

Hope this helps.
Do not use written-in-house encryption.
@Duthomhas:
> I don’t think ridiculing people or their businesses is a friendly way to welcome new members.

Thank you for your decency in this regard. I did not appreciate the rude / arrogant and near personal insults hurled at me by the previous members who responded.

> You have given money to your developer to develop something he cannot prove is secure. The reality is, his algorithm can be cracked, and easily, by people who know what they are doing.


Thank you for letting us know that there are such people who can crack this app easily, however let's not judge a book by its cover - let's pretend I know what I'm doing. Our initial request was after all to get this app cracked as is (without source code) and since your site came highly recommended we believed that you would welcome this challenge having members with the relevant skills or know people who do. This app encryption algorithm has already been verified here in South Africa - we do at least possess those skills (verifying an encryption algorithm when given the source), but what we don't claim to have is the WOW factor skills as portrayed in many movies highlighting CIA, FBI, NSA style cracking, i.e. without having source code ... etc.


So, since there exist people who can crack this app's encryption easily we would welcome it and you will have the opportunity to throw it in my face.
Otherwise if this app's security and in particular its "application shielding" cannot be compromised then I would appreciate it if you would be fair in admitting it.
If not, I guess then it's my ass on the line - litigation and everything else that goes with it!!!


Cheers guys
Angie out
Ang wrote:
> So, since there exist people who can crack this app's encryption easily we would welcome it and you will have the opportunity to throw it in my face.

Alas, therein lies the problem. I do not have the skills to crack your app. (Probably.) I don’t know whether any forum member here does. And even if I did, I am not interested in cracking your app.

See, the people who do this stuff are a fairly closed society, and they spend almost all their free time doing it.

And, frankly, they are not interested in messing with your closed-source application. They do not care about your financial interests. Unless you are willing to pay one of them a good sum of money to crack your program, it won’t happen.

These experts do it for fun, see, and you have not provided them with any useful incentive to do it.


That said, they have also given the world a lot of knowledge about this stuff, and how hard it is to get it right. Failed crypto is regularly in the news. In fact, over on stackexchange (where you should have started this thread) are regular questions about rolling your own crypto, and the answers are typically about the same: don’t, because you will screw up.

Extant, safe crypto algorithms exist because hundreds of experts from around the world have spent countless hours cracking at it and fixing its weaknesses. Those algorithms that stand stay. Those thousands of algorithms that don’t stand get tossed, never to be heard from again...

…except in software claiming private, in-house security, because the developer thinks he is smarter than hundreds of experts from around the world that eat, drink, and breathe this stuff.

You’ve been had.

Whether you want to believe it or not. It is the very definition of hubris.


You would be better to use one of the existing cryptographic protocols for your application, and advertise that fact, than to claim magic, in-house, no-one-knows-how-it-works-but-you security. To people who know anything about basic cryptography, that just outs you as a noob.

Sorry I cannot give you what you want to hear.
You're mistaking "can't be cracked easily" with "can't be cracked at all".

It is very unlikely anybody is going to spend weeks or months of painstaking effort to reverse engineer all the code for no reward, just because you dangle the carrot in front of us.

The professionals here can command $100 per hour for their time, and you just rolled in saying "give me $50,000 worth of your time to look at my app". If you're asking people to work for $0, the very least you could do is make it easy for them by handing over the source.

What you're really testing is that no one is going to waste their time on this, and congratulations, you've established that.

No, the reward will come later, when high value targets are using your application.
Someone will break your little scheme without bothering to tell you that they have done so. Because the incentive to make that effort is there.
Your clients lose, and you're in the dock.

> This app encryption algorithm has already been verified here in South Africa
By who?
Have they published their results?
Did they have the source code?

You keep clinging to the "without the source code" as if it were some magic sauce.
It isn't.

Very basic cryptanalysis of the algorithm, by non-experts: http://www.cplusplus.com/forum/lounge/253734/
> Extant, safe crypto algorithms exist because hundreds of experts from around the world have spent countless hours cracking at it and fixing its weaknesses

> You would be better to use one of the existing cryptographic protocols for your application,

With all due respect, wasn't ssl encryption cracked/violated thereby the invention of tls.

And wasn't ssl designed and tested by these experts you refer to?


Seems to me like there still exists room for improvement, regardless of who creates it.


Maybe it will be better to stop judging this app's merits based on your assumption of our lack of abilities in this field.



> because the developer thinks he is smarter than hundreds of experts from around the world that eat, drink, and breathe this stuff


Neither I nor my developer claimed to be better than 100's of the world's best experts in this field. You are the one making these insinuations and these are seemingly based on the probability that you already downloaded and after testing this app realized that your own abilities to crack this are insufficient. Or put another way you at least have enough ability, along with some of those great experts you talk about, to have already seen that this encryption is not the crackable type of stuff you assumed it was going to be. ...

Thank you though for being honest with me by letting me know that you don't have the skills to crack this app and most likely don't believe any of the other members on this site are capable as well. To be honest, after I received my first rude, condescending responses from this site, I was personally convinced that none of you here are capable in this field to the level we are contemplating. Strangely enough though after claiming your inability in this field and that coupled with your claim that nobody will spend the time to do this for us for free, you guys still ended up spending time on an old algorithm that isn't allowing you to crack this app (otherwise you would have been raving about it by now already). However, since you do not speak for
here is the direct link for Password Locket: http://www.shankodev.com/PwdLocket_files/PwdLocket_Installer.zip in case there are others here that can do better or would just like to give it a try.


> Very basic cryptanalysis of the algorithm, by non-experts: http://www.cplusplus.com/forum/lounge/253734/

So just to be clear, your great discovery / analysis did not allow you to crack this app and most likely won't help you even if you spend 1000s of years trying to crack it.


Please also stop assuming things about us. If you want to know something, then just ask me directly and thereby avoid all these assumptions which make for bad conversation.

Unfortunately though I did not come here for anyone's permission or approval to release/launch/promote this app. Btw in case it was not clear, I am a woman and not a man.
Yes, it is likely that none of the members here will be able to crack your encryption because none of them are doing it for their living.

Generally it is a matter of motivation. Why would someone spend hours or days for no reward?

The likeliness that someone tries to crack your algorithm depends on the content and the spread of your software.

I would think that a good sign of strength of your algorithm would be when your developers cannot decipher such an encrypted file...
closed account (z05DSL3A)
Ang, You have come here and 'asked for' opinion. I think that the general consensus is that security through obscurity is not a good approach.

You ask me to put trust in a free bit of software without showing the source and saying keep your secrets there. The ability of your developer is unproven in the security realm and neither is ShanKoDev. The way you are complaining about the responses you are getting still doesn't give me any faith that this is worth my time to investigate and definitely not worth actually downloading and using.

Ang wrote:
> Please also stop assuming things about us. If you want to know something, then just ask me directly and thereby avoid all these assumptions which make for bad conversation.
Publish the algorithm and the implementation?
> We would therefore appreciate it if anyone on this site could help us verify the encryption level security of it.

This post should be in the Jobs section. You are asking us to do QA work for you.

Essentially for free.

The type of help you will get will be as worthwhile as the money paid for the work.
> So just to be clear, your great discovery / analysis did not allow you to crack this app and most likely won't help you even if you spend 1000s of years trying to crack it.
I couldn't crack the algorithm because I spent a grand total of two hours on it. Not to boast, but at a rough estimate I'd guess it'd take me a week or two to crack it. But why would I want to do that?
Would anyone in the crypto community care if I managed to crack an algorithm by a nobody? No.
Are you going to pay me to crack your algorithm? My guess would be "no", but if you're willing to pay me I'm willing to discuss hourly rates with you.

> With all due respect, wasn't ssl encryption cracked/violated thereby the invention of tls.
SSL is not merely an encryption scheme, it's a secure communications protocol, including key exchange. As such, its security requirements are more difficult to meet than those of encrypting data at-rest (e.g. in a password manager, or in full-disk encryption). Try looking up cases of AES being broken.

But, let's suppose that AES was broken tomorrow. That would not be a compelling reason to use your algorithm.
"Studies have found car seatbelts don't actually prevent any deaths. Welp! May as well travel by sticking a rod of dynamite up my ass and lighting the fuse!"
It's not a very convincing line of reasoning.
@Angie
You are clearly not interested in the advice that you asked for. The advice is:

    Use a known crypto like AES-256 or TwoFish.

Benefits to you:

  • Free to use! (Yay!)
  • Have not been broken by international experts in crypto.
  • Great advertising to sell your application’s security.
  • Likelihood of future litigation destroying you is effectively zero.

Your current, inexplicable course of action, however, seems to be:

  • Use an algorithm already broken by non-experts
  • Future financial ruin (with potential to be much worse, i.e. jail time)

Why? What is your end goal here? To make the best application possible that will net you millions? Or to waste money on a nice website promoting a product that will be panned by knowledgeable reviewers and destroy any reputation ShanKoDev hopes to create? Presumably you are aware that this thread on this site is already in the top five Google results about your company? You are already ruined.

Unless you fix it.
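
For reference, an added example (not part of the thread and not ShanKoDev's code) of what the advice to use a known cipher such as AES-256 can look like for a single password-manager entry, using only Node.js built-ins: scrypt stretches the master password into a key, and AES-256-GCM encrypts and authenticates the record. The `PLV1` tag, the record layout, the scrypt parameters and the sample values are assumptions made for this example.

```javascript
// Added example: a vault record sealed with public, reviewed primitives only.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const MAGIC = Buffer.from('PLV1');          // hypothetical record tag, not a real format
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
// scrypt cost parameters, assumed for this example; tune them for the target hardware.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the master password into a 256-bit key. The salt is stored in the
// clear: it only has to be unique per record, not secret.
function deriveKey(masterPassword, salt) {
  return scryptSync(masterPassword, salt, 32, KDF);
}

// Record layout: MAGIC | salt | nonce | tag | ciphertext
function sealEntry(masterPassword, secret) {
  const salt = randomBytes(SALT_LEN);
  const nonce = randomBytes(NONCE_LEN);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  cipher.setAAD(MAGIC);                     // bind the header to the ciphertext
  const body = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), body]);
}

// Returns the secret, or throws if the password is wrong or any byte was altered.
function openEntry(masterPassword, record) {
  const min = MAGIC.length + SALT_LEN + NONCE_LEN + TAG_LEN;
  if (record.length < min || !record.subarray(0, MAGIC.length).equals(MAGIC)) {
    throw new Error('not a vault record');
  }
  let off = MAGIC.length;
  const salt = record.subarray(off, (off += SALT_LEN));
  const nonce = record.subarray(off, (off += NONCE_LEN));
  const tag = record.subarray(off, (off += TAG_LEN));
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  // final() throws when the GCM tag does not verify.
  return Buffer.concat([decipher.update(record.subarray(off)), decipher.final()]).toString('utf8');
}

// Convenience wrapper for callers that want a yes/no answer.
function canOpen(masterPassword, record) {
  try { openEntry(masterPassword, record); return true; } catch { return false; }
}

// Constructed sample values.
const record = sealEntry('correct horse battery staple', 'mail: hunter2');
console.log(openEntry('correct horse battery staple', record));  // the stored secret
console.log(canOpen('wrong guess', record));                     // false
```

Everything in this record format except the master password can be published: the salt, nonce and tag sit in the clear, and the code itself needs no hiding.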