Stop.PassGo! v2.1.8
September 2006
by Richard Lewis

Please report bugs and suggestions to Richard Lewis (lewisr@cyberdude.com)

Table of Contents

1. Introduction
2. Installing Stop.PassGo!
3. Using Stop.PassGo!
4. Password Best Practice
5. About Blowfish
6. Disclaimer
7. Issues
8. Upgrading Stop.PassGo!
9. Issues with WIN32API
10. More Information
11. Credits

1. Introduction

Stop.PassGo! is a secure, multi-user password storage utility compatible with all recent Windows versions (95/98/SE/ME/NT/2K/XP). Stop.PassGo! allows you to safely store and share the passwords to web sites, computer systems and bank accounts that we all accumulate over the years. Retrieval of this information is controlled by a master password for each user, but you can share access to systems without revealing passwords. More on this later.

Each user stores passwords and other details in a single encrypted file. I use it to store hundreds of web site and computer system passwords and update it regularly to suit my needs, so I thought you might like it too.

Good practice should be followed when creating any password, but this is especially true of your Stop.PassGo! master password. See "Password Best Practice" below.

You can store password hints as well as other data relevant to the password or web site. You can also export the password to the clipboard or to an external file for ease of use, although this practice is discouraged in highly secure environments.

Stop.PassGo! uses Blowfish, a symmetric cryptosystem using variable key lengths up to 448 bits. Under normal circumstances you should expect that a supercomputer would take several years to crack your password, at which time you would already have changed it, right?

2a. Uninstalling Stop.PassGo!

I recommend that you uninstall previous copies of PassGo!, since newer versions tend to prefer a "clean slate". To do this go to Start, Settings, Control Panel and choose the Add/Remove Programs option. Select PassGo! or Stop.PassGo!
from the list of installed software and click the Remove button. If you receive a message during the uninstall asking you to remove some software component, click the Remove button for each of these pop-up messages. It is unlikely that removing these will affect any other application running on your machine. In the billion-to-one chance that some other application is affected, you may need to reinstall that application or reinstall Stop.PassGo! to get it going again (although this is incredibly unlikely).

2b. Installing Stop.PassGo!

You can install Stop.PassGo! by one of three methods:

a) download and run the installer (SPGsetup.exe), or
b) download and unzip PassGo_2.x.y.zip, or
c) if you already have a copy installed on a machine, copy all the files in the installation directory (by default C:\Program Files\PassGo!).

If you are copying files from one directory to another on the same machine, no other action is required. If you are copying to another machine, you will need to register the DLLs and type libraries by one of the following methods:

Method 1: Install Stop.PassGo! and then uninstall it WITHOUT removing the additional components.

Method 2: Run the regdll.bat file to register the DLL first, then run the type library registration utility. Using the utility means locating the file called SHELLLNK.TLB, which should be found in the SYSTEM32 directory of the Windows installation where Stop.PassGo! was originally installed.

If you get stuck, send email to lewisr@cyberdude.com.

3. Using Stop.PassGo!

The splash screen showing the PassGo! logo at startup can be bypassed by clicking the popup when it appears or by pressing any key on the keyboard.

Stop.PassGo! likes running on a machine with a resolution of more than 256 colours. If your screen resolution is less than 256 colours then Stop.PassGo! is going to look kind of ugly.

If you get your password wrong three times, Stop.PassGo!
will exit to prevent automated attempts at entering a password. Obviously some kind of brute force attack is always possible, as is software that may circumvent this three-attempt limit, but this should a) discourage the merely curious and b) make it more difficult for the determined hacker. It also means that you should choose a very good password for your Stop.PassGo! master password.

Test out Stop.PassGo! by entering a username of "test" and a password of "test" (without the quotes) to see how it all works. When you are ready, create your own userid.

A request from one user (thanks Tina) suggested that it would be nice to be able to share password files without the receiver seeing the passwords behind the mask. No problem! Now you can set an "unmask password" that (once set) requires the user to enter a password to unmask the password field. To access this feature, click the Options menu and select Set Unmask Password. You will be asked to enter a password. Once this password is set, when you click the Unmask Password button you will be prompted to enter the unmask password first. If you enter the correct password, you will uncover the passwords hidden by the asterisk character.

OK, so it's secure, but security is only as good as the password - how do I choose a good password?

4. Password Best Practice

Strong passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Have digits and punctuation characters as well as letters
  (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
• Are at least eight alphanumeric characters long
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Shouldn't include any part of a user account name

Try to create passwords that can be easily remembered but still adhere to these rules.

See the Stop.PassGo! User Guide in C:\Program Files\PassGo!\PassGo!UserGuide.doc or PassGo!UserGuide.pdf.
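The rules above turned into a checker, as an added example: this is not code from Stop.PassGo! or its author. It goes slightly beyond the list in one respect: before the dictionary test it undoes common look-alike substitutions (0 for o, 3 for e, @ for a, and so on), so that a candidate like "Passw0rd!" is still rejected as the word "password". The word list, the account name and the personal details used in the demo are constructed for illustration; a real deployment would plug in a full dictionary.

```python
"""Checker for the "Password Best Practice" rules listed above.

Added example for illustration; it is not part of Stop.PassGo! and not the
author's code.  The word list and the personal details passed to it are
constructed for the demo: a real deployment would load a full dictionary.
"""
import re
import string

# Rule labels returned by check_password(); an empty list means the password passes.
RULE_CASE = "must mix upper and lower case letters"
RULE_DIGIT_PUNCT = "must contain both digits and punctuation"
RULE_LENGTH = "must be at least eight characters long"
RULE_DICTIONARY = "must not be a dictionary word (even with 0/1/3/4/5/7/@/$ substitutions)"
RULE_PERSONAL = "must not contain personal information"
RULE_ACCOUNT = "must not contain any part of the account name"

# Constructed stand-in for "a word in any language, slang, dialect, jargon".
DEMO_DICTIONARY = frozenset({"password", "welcome", "dragon", "letmein", "qwerty", "monkey"})

PUNCTUATION = frozenset(string.punctuation)  # !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

# Common look-alike substitutions (p4ssw0rd) that leave a word guessable.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalise(text):
    """Lower-case, undo look-alike substitutions, and keep letters only."""
    return "".join(c for c in text.lower().translate(LEET) if c.isalpha())


def _name_parts(account_name, min_len=3):
    """The account name and each separator-delimited piece of it, lower-cased."""
    name = account_name.lower()
    parts = re.split(r"[^a-z0-9]+", name)
    return [p for p in parts + [name] if len(p) >= min_len]


def check_password(password, account_name="", personal_info=(), dictionary=DEMO_DICTIONARY):
    """Return the list of rules the password violates, in the order they are listed above."""
    failures = []
    low = password.lower()

    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append(RULE_CASE)
    if not (any(c.isdigit() for c in password) and any(c in PUNCTUATION for c in password)):
        failures.append(RULE_DIGIT_PUNCT)
    if len(password) < 8:
        failures.append(RULE_LENGTH)
    if _normalise(password) in dictionary:
        failures.append(RULE_DICTIONARY)
    # Personal details (names, years) must not appear anywhere in the password.
    if any(len(item) >= 3 and item.lower() in low for item in personal_info):
        failures.append(RULE_PERSONAL)
    if any(part in low for part in _name_parts(account_name)):
        failures.append(RULE_ACCOUNT)
    return failures


if __name__ == "__main__":
    # Constructed candidates; "alice.example" is a made-up account name.
    for candidate in ("password", "Passw0rd!", "Example.alice77!", "Vq7#pLm2!zR"):
        verdict = check_password(candidate, account_name="alice.example",
                                 personal_info=("Alice", "1975"))
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The dictionary test deliberately compares the whole normalised password against the word list rather than searching for words inside it, which matches the rule as written ("not a word") without rejecting longer passphrases that happen to contain one.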
5. About Blowfish

Blowfish is an open source encryption technique that replaces the DES encryption standard. It uses variable length keys up to 448 bits in length, so it is incredibly difficult to break. Blowfish is embedded in many secure applications by major vendors including Novell (iFolder), Linux (2.6 kernel), F-Secure (SSH & VPN), Symantec (Intruder Alert), TiVo (Digital Video Recorders), UltraScan (fingerprint biometrics) and many others.

Blowfish was designed in 1993 by Bruce Schneier as a fast, free alternative to existing encryption algorithms. Since then it has been analysed considerably, and it is gaining acceptance as a strong encryption algorithm. Blowfish is unpatented and license-free, and is available free for all uses. Bruce Schneier is an acknowledged leader in the field of cryptography - just use any web search engine and look for his name.

The Blowfish VB port with file support, hex conversion, fast string concatenation and overall optimisations for Visual Basic was carried out by David Ireland between 2000 and 2002.

Blowfish is considered one of the strongest encryption algorithms on the market and is much faster than the IDEA cipher. It supports variable length keys up to 448 bits, and since it is unpatented and free for use this cipher is recommended for high-security solutions.

6. Disclaimer

Although I may provide ad hoc support for this product, this does not imply a warranty. You should expect that any loss of data is a result of stupidity on your part, so take responsibility for your own actions and please don't sue me.

7. Issues

Be very careful when decrypting your password data. It goes without saying that leaving your passwords lying around or printing them out is probably not a good idea.

To ensure that trojans, spyware and keyloggers cannot be used to capture keyboard input, you should be running current virus protection software and a personal firewall that are kept up to date.
I recommend that you run your PC behind the corporate firewall or, if on broadband at home, use a hardware router/firewall like the Linksys WRT54G. In addition, if you want to remain secure you should run the following software and keep it up to date: McAfee or Symantec Anti-virus, SpyBot Search & Destroy, Trojan Remover, Adaware. Run comprehensive scans at a minimum of weekly intervals and you should be confident of being relatively safe. Many equivalent software brands are available but I cannot vouch for these. Anything else is just guess-work. You have been warned.

You will need the VB6-SP6 runtimes for this to work. They are bundled with the setup CAB file and can be downloaded from pretty much anywhere if you decide to copy Stop.PassGo! to another machine after having installed it.

8. Upgrading Stop.PassGo!

If you have a previous version of Password Keeper, PassGo! or Stop.PassGo!, this version is file compatible with all previous versions. This means that your data will survive the upgrade.

Stop.PassGo! upgrade steps:

a. Optionally save your *.ENC file(s) to a temp area, e.g.
   copy "C:\Program Files\PassGo!\*.ENC" C:\TEMP\*.ENC
b. Uninstall the old version using Control Panel Add/Remove Programs and select Stop.PassGo!
c. Install the newer version.
d. Optionally copy the *.ENC files back, e.g.
   copy C:\TEMP\*.ENC "C:\Program Files\PassGo!\*.ENC"
e. Run Stop.PassGo! and login as usual.

You will need to remember your password and I have no way of finding out what it was, so no begging emails please!

9. Security and the WIN32 API

It is interesting to examine the text value retrieved from a window such as a textbox. When a textbox is used as a password field the text is displayed as asterisks or some other character. However, when retrieved via the SendMessage API with the WM_GETTEXT message, the actual unencrypted value is returned. Thus, your passwords are not very secure if spyware using this API call is running on your machine.
A workaround is to subclass the form holding the password textbox. By subclassing you can trap the WM_GETTEXT message and discard it, so SendMessage simply returns an empty string. Microsoft has fixed this loophole in Windows 2000 SP3 and later operating systems.

10. More Information

For an MS Word or PDF formatted version of the documentation see PassGo!UsersGuide.doc or .PDF. For more information about cryptography see the Internet references above and read "using_crypto.txt", provided with this distribution.

11. Credits

Many thanks to all contributors here who shared their code via the Internet.

Original VB6 source: Asif Iqbal (great498@iname.com)
Blowfish cryptography: Bruce Schneier (schneier@counterpane.com)
Blowfish API updates: http://www.cryptosys.net or http://www.di-mgt.com.au
Blowfish VB Class: David Midkiff (mznull@earthlink.net or mdj2023@hotmail.com)
MD5 Message Digest hash: Robert Hubley (RFC 1321)
MD5 Hash Class: David Midkiff (mznull@earthlink.net or mdj2023@hotmail.com)
MD5 ActiveX: Antonio Ramirez Cobos (tonydspaniard@hotmail.com)
VB Blowfish algorithm: David Ireland (sales@di-mgt.com.au)
VB4 file wrapper class and menu hacks: Steve McMahon (www.vbaccelerator.com)
Early crypto controls: David Midkiff (mznull@earthlink.net or mdj2023@hotmail.com)
Microsoft CryptoAPI components: Antonio Ramirez Cobos (tonydspaniard@hotmail.com)
Internal XML Manifest: Voodoo Attack (voodooattack@hotmail.com)
Toolbar icons based on original art by Foood's Icons, www.foood.net
Conversion, maintenance and interface design by Richard Lewis (lewisr@cyberdude.com)
Testing and feature requests from Bob Wood and Tina Dyke.

Massive Oversized Disclaimer

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL NOS LTD OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Of course, you should send me a note if Stop.PassGo! doesn't meet your expectations.

Regards
Richard Lewis
lewisr@cyberdude.com