Skip to main content

Introducing hushnote

This weekend I decided I wanted to fix my password problem. That is, I wanted my passwords secure and managed in the cloud.

Let me introduce hushnote, yet another host-proof, web-based password and secret information manager. I was inspired by the simplicity of Aaron Boodman's halfnote and Brett Cannon's Oplop. Combining the two felt natural.

Here is my suggested usage pattern for hushnote:
  • Think up a master password and enter it into the "Oplop password" box.
  • Think up a label (for instance, "hushnote", "foo", or "spam") for hushnote and enter it into the "Oplop label" box (which replaces the password box after entering your password). The Oplop algorithm will generate a new hushnote password for you based on the combination of your master password and hushnote label.
  • Copy the password into the "hushnote password" box and fetch your encrypted note.
  • Now, use the encrypted note to store your Oplop labels for other sites or any other secret information you want to keep track of.
Hushnote handles all hashing, encryption, and decryption locally in the browser. Your passwords, labels, and notes are never sent to the server unencrypted. Hushnote is served over SSL so you can be confident that it is actually hushnote you are connecting to and that it hasn't been modified in flight by any meanie-pants hackers.

The source code isn't complicated, but here's the highlight reel:
  • Your hushnote password is hashed to check if it matches the password used to encrypt the content stored on the server. This is sent along with the first AJAX call to retrieve your note.
  • Your hushnote password is then used to decrypt the content retrieved from the server.
  • Finally, your hushnote password is used to encrypt the note. Your encrypted content and password hash are sent to the server in the second AJAX call.
Labels:

Popular posts from this blog

Python on Android

Note: This post is out of date. If you'd like to run Python on your Android device, please see my Android Scripting Environment project. Here's an early Christmas present for all those Python fanatics (self included) out there! With a lot of help from my friends (thanks Manuel and Thomas !) I managed to install Python 2.4.5 on my G1. It's still rough around the edges, but I think it's a good start. Klaus Reimer has a nice overview of how to cross-compile Python . My instructions borrow a lot from his. Download and build the Android source . These directions assume that you have installed the source to /android_src . Download and build the Python 2.4.5 source . These directions assume that you have installed the source to /python_src . Make copies of python and pgen for use later in the build process then clean up. $ cd /python_src $ cp python hostpython $ cp Parser/pgen Parser/hostpgen $ make distclean Apply the following patch to the Python source. diff -r -c -b P...
Read more

Email Injection

Not so long ago, I ran a wiki called SecurePHP. On that wiki, there was one particular article about email injection that received a lot of attention. Naturally, with all the attention came lots of spam. As a result, I disabled editing of the wiki and content stagnated. Still, the email injection article remained popular. About a year later, the server that hosted SecurePHP died and I never had a chance to hook it all back up. I saved the article though and I'm reposting it now. It may be a bit old (I've been away from PHP for a long time), and I didn't write all of it, so feel free to leave comments about needed updates and corrections. Though this article focuses on PHP, it provides a lot of general information regarding email injection attacks. The PHP mail() Function There are a lot of ways to send anonymous emails, some use it to mass mail, some use it to spoof identity, and some (a few) use it to send email anonymously. Usually a web mailform using the mail() funct...
Read more

Review of Fable III

Damon says : Fable III is the most disappointing sequel since The Kingdom of the Crystal Skull . Laura says : I was disappointed. The worst part was that the game was okay - maybe a 6/10 or 7/10 thanks to the Darkness Incarnate quest. It wasn't great, but it wasn't so poor that I felt I could legitimately hate it. The graphics are fun if cartoony, the sound is good, the gameplay is easy , the customization is almost non-existent, and the story is mediocre at best and boring at worst. Oh, and for some of the achievements you need an Xbox Live account, which annoys me to no end. The environment in Fable III is as rich as ever. Plenty of different regions, all with different climates, peopled by various citizens/denizens/enemies that change as you play. As always, the people of Albion are incredibly chatty, but since Lionhead seems to have supplemented the new stuff they recorded with all the random NPC comments from Fable II, there is enough variation to not driv...
Read more