
Introducing hushnote

This weekend I decided I wanted to fix my password problem. That is, I wanted my passwords secure and managed in the cloud.

Let me introduce hushnote, yet another host-proof, web-based password and secret information manager. I was inspired by the simplicity of Aaron Boodman's halfnote and Brett Cannon's Oplop. Combining the two felt natural.

Here is my suggested usage pattern for hushnote:
  • Think up a master password and enter it into the "Oplop password" box.
  • Think up a label (for instance, "hushnote", "foo", or "spam") for hushnote and enter it into the "Oplop label" box (which replaces the password box after entering your password). The Oplop algorithm will generate a new hushnote password for you based on the combination of your master password and hushnote label.
  • Copy the password into the "hushnote password" box and fetch your encrypted note.
  • Now, use the encrypted note to store your Oplop labels for other sites or any other secret information you want to keep track of.

Hushnote handles all hashing, encryption, and decryption locally in the browser. Your passwords, labels, and notes are never sent to the server unencrypted. Hushnote is served over SSL so you can be confident that it is actually hushnote you are connecting to and that it hasn't been modified in flight by any meanie-pants hackers.

The source code isn't complicated, but here's the highlight reel:
  • Your hushnote password is hashed to check if it matches the password used to encrypt the content stored on the server. This is sent along with the first AJAX call to retrieve your note.
  • Your hushnote password is then used to decrypt the content retrieved from the server.
  • Finally, your hushnote password is used to encrypt the note. Your encrypted content and password hash are sent to the server in the second AJAX call.
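
The three steps above, as an added example that is not hushnote's own code. Node's `crypto` module stands in for the browser so it runs offline, and scrypt, AES-256-GCM, the salt, and the in-memory `store` object are assumptions. The server-visible hash and the encryption key are derived as separate values, so the hash sent in the AJAX calls cannot decrypt the note.

```javascript
// Added example, not hushnote's code. scrypt and AES-256-GCM are assumed choices.
const nodeCrypto = require('node:crypto');

// One slow derivation, split in two: the first half is the hash the server
// may see, the second half is the encryption key that stays in the client.
function deriveKeys(password, salt) {
  const out = nodeCrypto.scryptSync(password, salt, 64);
  return { authToken: out.subarray(0, 32).toString('hex'), encKey: out.subarray(32) };
}

function encryptNote(encKey, text) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every save
  const c = nodeCrypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function decryptNote(encKey, blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', encKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key is wrong or the stored blob was modified
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Hypothetical stand-in for the server side of the two AJAX calls.
function serverFetch(store, authToken) {
  const a = Buffer.from(store.authToken, 'hex'), b = Buffer.from(authToken, 'hex');
  const ok = a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
  return ok ? store.blob : null;
}
function serverSave(store, authToken, blob) {
  // The first save sets the hash; later saves must present the same one.
  if (store.authToken && serverFetch(store, authToken) === null) return false;
  store.authToken = authToken;
  store.blob = blob;
  return true;
}

// Client flow: hash -> fetch -> decrypt, and encrypt -> send hash + ciphertext.
function loadNote(store, password, salt) {
  const { authToken, encKey } = deriveKeys(password, salt);
  const blob = serverFetch(store, authToken);
  return blob === null ? null : decryptNote(encKey, blob);
}
function saveNote(store, password, salt, text) {
  const { authToken, encKey } = deriveKeys(password, salt);
  return serverSave(store, authToken, encryptNote(encKey, text));
}
```

The `store` object only ever holds the hex hash and the base64 ciphertext, which is the "host-proof" property described above.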


  1. Sweet! It would be nice if it didn't show my passwords in plain text as I type, though. (Happens in Chrome on Linux and Chrome on Windows at least).

    And another question from the paranoid peanut gallery: it seems that unless we want to audit the JavaScript *every time* we use hushnote, we're basically relying on you staying honest/secure. (SSL just tells us that we're really connected to; it doesn't assure us that what's hosted there is what we want).

    In other words, it seems like info stored on hushnote is only as secure (for all users) as Damon's personal Google Account password. When Evil Hacker {Wom,M}an hacks your google acct, they can then upload different code to hushnote that has an identical UI but that sends (say) my oplop master password and my hushnote label straight to the baddie.

    If not, then it seems like the right thing is to use a different oplop master password for hushnote than for everything else, and to only store things like oplop labels in my hushnote file.

    Am I missing something?

    Thanks for writing this. If I can satisfy my paranoia, it will noticeably improve my life. :)

  2. @Will The plain-text password is a known issue. I just haven't found a way to fix it that I like yet. As for verifying that the content of hushnote hasn't changed, I gave it some thought. I don't think it's possible to do that without having out-of-band monitoring or checking of the content. A browser extension would be ideal. In the meantime, I can offer you this script. Also, I use Oplop to generate my hushnote password. If a baddie did change the source of the page, he could send himself anything he wanted (passwords, labels, notes, etc.).

