Stateless Password Manager Usability

Every once in a while, the concept of a simple password manager that needs no storage and no state comes back around. The details differ but the basic premise is always the same. Instead of saving your passwords and encrypting them with a key derived from a master password, these password managers generate passwords on the fly by hashing a master password with the website name. To get your password back, you simply need to remember your master password and the exact name you used for any specific website.

It’s an intriguing technical idea but it sacrifices security and usability. I won’t touch on the security issues here as there are far more qualified people than me that have already addressed this topic. Instead I will focus on the significant usability concerns that would send any user looking for an alternative within days if not hours.

  1. There is no indication if you have used this password manager for a particular website. This may be considered a privacy feature, but can make migrating passwords from different managers more difficult.
  2. Saving multiple passwords for a single website is cumbersome. Since your only input is the website name, you have to include the username in the website name if you want to save multiple passwords for a single website. But what happens if you didn’t plan ahead and saved your first password without the user name? You now have to change the password.
  3. Some websites have weird password requirements. If the default password generation scheme doesn’t fit exactly, you’re out of luck. This can be solved by adding the password rules to the website name, but then you have to remember the rules and type them every time you need your password.
  4. You can’t change a password without changing the website name. Periodical password changes are still required by a lot of websites and even strong passwords can leak by human error. This leaves the user having to remember more than website name but the password iteration. Is it github1, github2 or github53 now?
  5. It is impossible to change your master password without changing all the passwords for all websites you’ve used with the password manager. The master password is directly used to create all those passwords and when it changes, all passwords must change too. To make matters worse, you don’t have a list of websites you’ve used with this password manager. This essentially means you have to remember and try multiple master passwords until you get the right one.
  6. Any security update or bug fix that alters the password generation algorithm will require all passwords to be changed. Standard password managers can simply rebuild their database but since there is no database here and the master password directly affects everything, all passwords must be changed.

All these issues combined mean you have to change your passwords way more often than usual, have to plan ahead a lot, and be very consistent or risk losing your passwords. It requires far more attention than I would be willing to pay just to get a cool stateless solution. At the end of the day, this solution is just not user-friendly.

Hypervisor Hunt

After getting burnt by Hyper-V, I decided to go for the tried and true and installed VMware Player on Windows 10. I had to install Ubuntu again on the new virtual machine, but it was a breeze thanks to VMware’s automated installation process. Everything that was missing in Hyper-V was there. I was able to use my laptop’s real resolution, networking over Wi-Fi was done automatically, audio magically started working, and even performance was noticeably better.

After a few weeks of heavy usage, I started noticing some problems with VMware. Every once in a while the guest OS would freeze for about a second. I didn’t pay too much attention to it at first, but it slowly started to wear on me. I eventually realized it always happens when I use tab completion in the shell and the real cause was playing sounds. It’s still progress over Hyper-V’s inability to play any audio, but it was not exactly a pleasant experience.

The other, far more severe issue, was general lack of performance. It just didn’t feel like I was running Ubuntu on hardware, or even close to it. I experienced constant lags while typing, alt+tab took about a second to show up, compiling code was weirdly slow, video playback was unusable, and everything was just generally sluggish and unresponsive. Overall it was usable, but far from ideal.

Today I finally broke down and decided to give yet another hypervisor a shot. Next up came VirtualBox. I didn’t have high expectations, but VMware was starting to slow me down so I had to try something. Installation was even easier since VirtualBox can just use VMware images. Then came the pleasant surprise. Straight out of the box performance was noticeably better. Windows moved without lagging, alt+tab reaction was instantaneous, and sound playback just worked. Once I installed the guest additions and enabled video acceleration, video playback started functioning too. I still can’t play 4K videos, but at least my laptop doesn’t crawl to a halt on every video ad.

As a cherry on the top, VirtualBox was also able to properly set the resolution on the guest OS at boot time. In VMware, I had to leave and enter full screen once after login for the real resolution to stick. Switching inputs between guest and host in VirtualBox is also easier. It requires just one key (right ctrl) as opposed to two with VMware (left ctrl+alt).

I realize these results depend on many things like hardware, drivers, host/guest versions, etc. I bet I could also solve some of these issues if I put some research into it. But for running Ubuntu 17.04 desktop on my Windows 10 Dell XPS 13 with the least hassle, VirtualBox is the clear winner. Let me know if you had different experience or know how to make it run even smoother.

Things They Don’t Tell You About Hyper-V

I really wanted to like Hyper-V. It’s fully integrated into Windows and runs bare metal, so I was expecting stellar performance and a smooth experience. I was going to run a Linux box for some projects, get to work with Docker for Windows, and do it all with good power management, smooth transitions and without sacrificing performance.

And then reality hit.

  1. Hyper-V doesn’t support resolutions higher than 1920×1080 with Linux guests. And even that is only adjustable by editing grub configuration which requires a reboot. The viewer allows zooming, but not in full screen mode. With a laptop resolution of 3200×1800, that leaves me with a half empty screen or a small window on the desktop.
  2. Networking support is mostly manual, especially when Wi-Fi is involved. You have to drop into PowerShell to manually configure vSwitch with NAT. Need DHCP? Nope, can’t have it. Go install a third party application.
  3. Audio is not supported for Linux guests. Just like with the resolution issue, you’re forced to use remote X server or xrdp. Both are a pain to setup and didn’t provide acceptable performance for me.
  4. To top it all off, you can’t use any other virtualization solution when Hyper-V is enabled. Do you want both Docker for Windows and a normal Linux desktop VM experience? Too bad… VMware allows you to virtualize VT-x/EPT so you can run a hypervisor inside your guest. Hyper-V doesn’t.

It seems like Hyper-V is just not there yet. It might work well for Windows guests or Linux server guests, but for Linux desktop guest it’s just not enough.

Mr. Smarty Pants

PestImagine you had an application that gets over 1,000 downloads a day. Imagine that this application’s soul purpose is to create other applications. Imagine those applications are distributed by you users, some bigger some smaller. Imagine those derived applications get downloaded over 1,000,000 times a day. Feeling good yet?

Now imagine someone would offer you 0.001$ for each user that opens one of those derived applications. That’s over 1,000$ a day. 30,000$ a month. 360,000$ a year. Perfect, ain’t that right? You’re sitting on your porch, a beer in your hand, music in the background and the skies are raining green bills. Does it get any better?

Sounds too good to be true? How about we dig in a little? Say, mister money pants… What exactly do I have to do for this money? “Nothing really”, he responds. “All you have to do is include our little library in every derived application your application creates”, he adds. Move a little uncomfortably in your chair and he’ll satisfy you, “it just gives the user nice and unobtrusive advertisements specifically targeted at him”. Sold yet? I sure am!

So you decide to wrap it up. But you still feel a little bit uncomfortable with it. Maybe because you don’t want people to know you’re making money of your free software, or maybe because you still don’t trust this guy too much. What do you do? You move his library a bit further. Assuming your application is called XYZ, you pack money pants’ library into XYZ Media which will be silently installed by your application’s derived applications. No one will know it’s you now. It’s ingenious!

Best deal ever? Right? You dig? Well? No? Why? Come on… You with me or what? Of course not. Why would I ever want to do something like that?

  1. My software is not only free, it’s open-source and is freely hosted on SourceForge. It costs me nothing but time. I’ve got no bills to cover.
  2. I’ve got a job, I don’t need an additional income. I’ve also had my share of incomes from the free software, without the need for deals like that.
  3. It’s completely evil. Besides forfeiting my ever-elusive seat in heaven, it’d also send my software right down the drain. Even if I remove XYZ Media later, no one will ever want to use it again. 1,000 downloads a day? Try one closed project.

As you’ve probably already guessed, I’m talking about NSIS and NSIS Media. NSIS Media is an extremely annoying adware package, or so reports say. It installs itself on both Internet Explorer and Firefox. On Firefox, it installs an extension with a file named NSIS.jar. These browser extensions pop-up advertisements titled “NSIS Media Advertisement” for the user at what appears to be random times. It shows an uninstaller in the Add/Remove control panel, but as long as the carrier program is installed, it’ll just come back.

According to reports online, it comes with eMule++ and every download from Openwares. The eMule++ installer and each installer I have downloaded from Openwares install two DLLs to the Windows directory. DLL names include wmidext.dll winsdrv.dll, msxmlu.dll and even nvrssid.dll pretending to be shell extension of nVidia. As you can see, it doesn’t really smell too good. But as can be seen in the picture below, it does ask the user for permission, at least with the original eMule++ installer.
eMule++ NSIS Media page
In Openwares installers, on the other hand, there is no such page. So what is this Openwares? It’s a company that would, at least according to their front page, freely repackage your installer with NSIS, publish it on their website and on CNet’s Download.com. The latter seems to be most fertile ground for their deployment.

So is it evil or not? The eMule++ installer page might suggest it’s not. So does NSIS Media’s website, especially the uninstall page. But do they enforce this installer page on all of their partners? It doesn’t seem like they care too much for Openwares’ installers which seem to be pretty wide spread. Add the weird DLL naming and the very peculiar company name choice; and one thing you won’t get is positive credit. More specimens, outside of Openwares, or a direct contact at NSIS Media are required to determine the true nature of the beast.

But we’re not here to discuss the business affairs of this advertisement company. We have gathered here today to discuss my righteousness. Some people actually think I’m responsible for this mess. Probably some just Google up “NSIS” and find my e-mail address as the first result. But some people actually believe I’m behind this abomination. I got everything from polite requests for removal instructions to death threats. My favorites follow.

“As you can see, I am an IBM employee. Somehow the NSIS Media Trojan Horse has invaded my system. Please promptly send me instructions on how to remove it so that I don’t have to report this issue to IBM Legal.”

“CUT THE CRAP (read: spy-ware) !!!” (this one is actually longer, I trimmed it a bit…)

Some even plot a NSIS-Firefox grand conspiracy in their heads.

“Why there is no info on the Firefox / NSIS spyware scandal? Some malicious code installs into Firefox browsers and Thunderbird mail clients via JAR files by abusing a yet unpatched NSIS security hole and the bombards the user with many pop-up windows and downloads further spyware. The Net is up in arms about it, especially in Europe, where Firefox has 20% share in browsing. Firefox developers accuse NSIS developers of indifference and lazyness in fixing.”

All of the above and many more like those, got the appropriate response in the lines of “NSIS is not NSIS Media, go away”. Poor saps, fooled three times in a row. The first time, they’ve downloaded their application of choice from a bad source. Next, they miss the warning signs in the installer or all of those privacy statements. And finally, when reality pops-up in their faces, they miss the word “media” and blame yours truly.

So what have we learned today?

  1. NSIS Media is in no way related to NSIS.
  2. Download only from trusted sources and read carefully what the installer tells you.
  3. kichik doesn’t make 1000$ a day 😦

The need for Unicode

I don’t really know when, but my ISP has apparently installed a spam blocker on their servers. So instead of getting around 50 spam messages a day like I used to, I now get only one message per day. Some days even pass without a single spam message. Spam control at its best.

What does all of this have to do with Unicode? Don’t forget to breath, the answer lies short ahead…

What is Unicode then, and what does it have to do with spam? “Unicode provides a unique number for every character”, Unicode is the future of encoding. Microsoft has seen the bright and shiny future and has implemented Unicode in their Windows NT series. Fortunately, I am using Windows NT and have Unicode, I am part of this glorious future, I have the ability to read Japanese, Korean, Chinese and all sorts of weird languages I don’t understand.

Unlike the great Microsoft, my ISP has not yet seen the future. My ISP has not yet obtained the ability to read Unicode. It has yet to be enlightened. And so, instead of blocking all of the spam, it lets spam encoded with Unicode slip by and I get Viagra ads in Japanese, loan offers in Korean and stock tips in Chinese.

I feel so blessed, I have little to none spam and thanks to Microsoft who has embraced the future, I have the ability to read the spam that I do get… If only I understood Japanese, Korean and Chinese… *sigh*