1. HOW IS MY DATA ENCRYPTED?
All your data (usernames, passwords, labels, etc.), even the association between credentials and labels, is encrypted with a random symmetric key (called the Master Key) with a length of 128 or 256 bits (depending on your selected encryption algorithm). The encryption algorithm can be chosen when you create a new vault, but can also be changed later for an existing vault (since 1.7.x). Supported are: AES 128/256, Blowfish 128/256 and ChaCha20. Note that depending on your current Android version you may not see all options. The default is AES 128, which is supported by all Android versions and in most cases strong enough with reasonable performance.
The Master Key itself is encrypted with your PIN (min. 6 characters of your choice, not necessarily digits) combined with a Master Password that is at least 28 characters long. Both are hashed together (with an additional vault-specific random salt, SHA-256) and passed to a Key Derivation Function (PBKDF2 with HMAC-SHA-1 or HMAC-SHA-256) with a configurable count of iterations (default 100,000) to derive a secret key to encrypt and decrypt the Master Key.
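The derivation chain described above (random Master Key; PIN and Master Password hashed together with the vault salt; PBKDF2 stretching the result into a key-encryption key) as an added Python example. This is illustration code, not ANOTHERpass's own implementation: the concatenation order PIN + password + salt for the pre-hash, the salt length and the sample inputs are assumptions; the iteration count, PRF choice, key lengths and the minimum lengths for PIN and Master Password follow the FAQ. The AES wrapping of the Master Key with this key is left out because the Python standard library has no AES.

```python
import hashlib
import secrets

ITERATIONS = 100_000   # FAQ default iteration count for PBKDF2
SALT_LEN = 16          # assumption: 128-bit vault-specific random salt


def generate_master_key(bits=128):
    """Random symmetric Master Key (128 or 256 bit) from the OS CSPRNG."""
    if bits not in (128, 256):
        raise ValueError("Master Key must be 128 or 256 bit")
    return secrets.token_bytes(bits // 8)


def generate_vault_salt():
    """Per-vault random salt, generated once when the vault is created."""
    return secrets.token_bytes(SALT_LEN)


def derive_key_encryption_key(pin, master_password, salt,
                              iterations=ITERATIONS, prf="sha256", key_len=32):
    """Derive the key that encrypts/decrypts the Master Key.

    Step 1: SHA-256 over PIN, Master Password and the vault salt
            (the concatenation order is an assumption of this example).
    Step 2: PBKDF2 with HMAC-SHA-1 or HMAC-SHA-256 over that digest,
            again salted, with the configured iteration count.
    key_len is 16 for a 128-bit AES key or 32 for a 256-bit one.
    """
    if len(pin) < 6:
        raise ValueError("PIN must be at least 6 characters")
    if len(master_password) < 28:
        raise ValueError("Master Password must be at least 28 characters")
    if prf not in ("sha1", "sha256"):
        raise ValueError("PRF must be sha1 or sha256")
    pre_hash = hashlib.sha256(
        pin.encode("utf-8") + master_password.encode("utf-8") + salt
    ).digest()
    return hashlib.pbkdf2_hmac(prf, pre_hash, salt, iterations, dklen=key_len)


if __name__ == "__main__":
    # Constructed sample inputs; never reuse them for a real vault.
    salt = generate_vault_salt()
    master_key = generate_master_key(256)
    kek = derive_key_encryption_key("my-pin1", "correct horse battery staple quartz", salt)
    print("Master Key:", master_key.hex())
    print("Key-encryption key:", kek.hex())
```

Two properties worth noticing: the same PIN, Master Password and salt always yield the same key (otherwise the vault could not be opened again), while a single changed character in the PIN, a different salt or a different iteration count yields an unrelated key, which is why the Encrypted Master Key must be exported again after any of these change.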
In addition to that, the Encrypted Master Key is again AES-encrypted with an internal Android key (managed by Android's Trusted Execution Environment or TPM). This makes it more difficult to extract the data from the phone storage.
If you prefer to store your master password on the device, it is strongly recommended to enroll biometrics (e.g. fingerprint) beforehand. This ensures the stored master password can only be accessed with your biometric (managed by the OS).
Furthermore, when a password or key is read from storage into memory it remains there decrypted only as long as it is used (shown) by the app. After that it is erased from memory. This reduces the risk of having keys or passwords in memory heap dumps. (It is a very unlikely scenario that a spy app scans your memory if you use a non-rooted phone, but on rooted phones this feature helps a bit to increase security. Anyway, if you have a spy app on your phone you should consider your phone hacked and throw it away, because a spyware app can also access your display content and read keyboard interactions.)
2. HOW ARE PSEUDO PHRASES GENERATED?
Pseudo Phrases aim to sound like real words, or like potential real words, to make them easier to read and to type. In most spoken languages there are consonants and vowels, and a general rule may be: after a consonant follows a vowel and vice versa. This is a very simple rule, but with it a lot of pseudo phrases can be generated. To enlarge the number of combinations another general rule is applied, which says that after a vowel one other vowel may follow. To illustrate that: it could generate tuples like “ab” and “ba” but also “aa”, but not “bb”.
To enlarge the combinations again, a Pseudo Phrase Word has 4 characters consisting of exactly two tuples. Both tuples can be pronounced like syllables, e.g. “ba_ab”, “ba_ba” or “ab_ba”. It can also be “ab_aa” or “ba_aa”. Having “babb” (as one syllable) seems usual, therefore for the second tuple double consonants are allowed if the last character of the first tuple is a vowel.
With these simple rules ANOTHERpass generates Pseudo Phrases with different word counts. But is it secure? To generate one pseudo word (4 characters) there are 79,296 combinations. To generate the same 4 character word with all possible lower case letters without any applied rule we would have 456,976 combinations, about 6 times more. Considering all typical password characters including lower- and upper case letters, digits and common special chars we get around 33 million combinations, so much, much more! How can Pseudo Phrases be secure? It is about the length! ANOTHERpass generates one more word (4 characters) for all Pseudo Phrases in comparison to the ordinary password generator. In our example the number of combinations of a two-word Pseudo Phrase is 79,296 * 79,296 = over 6 billion!
But does this also work for usual passwords with a length of, e.g., 12 characters and all kinds of mixed characters? Those would have over 2 * 10^22 combinations. Pseudo Phrases with 12 + 4 extra chars AND containing a digit and a special char as well would have over 4 * 10^21 combinations, so fewer, but still secure! If you want to close this gap just generate with one more word. So by just adding one or two more words to each password, Pseudo Phrases become similarly or even more safe than usual passwords.
Example: A Pseudo Phrase password with 5 words, one digit and one special character (length is 22) has 4.7 * 10^26 combinations. That is an entropy of 88 bits and would take many billion years to be cracked by a super computer!
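The word rules and the combination counts above, worked through as an added Python example (this is not ANOTHERpass's generator, just one reading of the rules the FAQ states). Assumptions of this example: the vowels are a, e, i, o, u and y; a tuple is CV, VC or VV; “double consonants” in the second tuple means the same consonant twice (“bb”), permitted only when the first tuple ends with a vowel; the digit and the special character are appended at the end; and the special-character set is a constructed list of 15 characters. With exactly these assumptions the enumeration yields the 79,296 words per tuple pair, the “over 6 billion” for two words and the 4.7 * 10^26 (about 88.6 bits) for five words plus digit plus special character quoted in the text, so the example also shows where those figures come from.

```python
import math
import secrets
import string

VOWELS = "aeiouy"   # assumption: y counted as a vowel
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
SPECIALS = "!?$%&#@+-*/=_:."   # constructed set of 15 special characters


def first_tuples():
    """Tuples allowed anywhere: consonant-vowel, vowel-consonant, vowel-vowel.
    Consonant-consonant is never allowed in the first position."""
    cv = [c + v for c in CONSONANTS for v in VOWELS]
    vc = [v + c for v in VOWELS for c in CONSONANTS]
    vv = [a + b for a in VOWELS for b in VOWELS]
    return cv + vc + vv


def second_tuples(first):
    """Second position: the same tuples, plus a doubled consonant ('bb')
    when the first tuple ends with a vowel (assumed reading of the rule)."""
    allowed = first_tuples()
    if first[-1] in VOWELS:
        allowed += [c + c for c in CONSONANTS]
    return allowed


def all_words():
    """Every 4-character pseudo word the rules admit."""
    return [t1 + t2 for t1 in first_tuples() for t2 in second_tuples(t1)]


WORDS = all_words()   # 79,296 entries under the assumptions above


def is_pseudo_word(word):
    """Check a 4-letter word against the tuple rules (used for validation)."""
    if len(word) != 4 or not word.islower() or not word.isalpha():
        return False
    t1, t2 = word[:2], word[2:]
    return t1 in first_tuples() and t2 in second_tuples(t1)


def combinations(words, digit=False, special=False):
    """Number of distinct phrases for the given shape (digit/special appended)."""
    n = len(WORDS) ** words
    if digit:
        n *= len(string.digits)
    if special:
        n *= len(SPECIALS)
    return n


def entropy_bits(words, digit=False, special=False):
    """log2 of the combination count: bits of entropy of a uniform choice."""
    return math.log2(combinations(words, digit, special))


def random_phrase(words, digit=False, special=False):
    """Uniformly random phrase from the OS CSPRNG; each word drawn from WORDS
    so that vowel-ending first tuples are not over- or under-represented."""
    parts = [secrets.choice(WORDS) for _ in range(words)]
    if digit:
        parts.append(secrets.choice(string.digits))
    if special:
        parts.append(secrets.choice(SPECIALS))
    return "".join(parts)


if __name__ == "__main__":
    print("words per tuple pair:", len(WORDS))
    print("two words:", combinations(2))
    print("five words + digit + special: %.2e, %.1f bits"
          % (combinations(5, True, True), entropy_bits(5, True, True)))
    print("sample:", random_phrase(5, digit=True, special=True))
```

Drawing each word uniformly from the full list is the detail that matters for the entropy figure: choosing the first tuple and then the second tuple independently would favour words whose first tuple ends with a consonant (they have fewer second-tuple options), and the real entropy would then be lower than log2 of the word count.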
Sure, you could argue to just add 4 or more characters to an ordinary password as well. Yes, you can do that and it is even more secure, but it is still very hard to read and type. You would lose that advantage! In the end you have the choice between both and it is up to you what you prefer.
3. WHAT IS A NFC TAG AND DO I NEED IT?
If your device supports NFC you can use so-called NFC tags as storage for passwords and credentials. You can buy such tags cheaply from your electronics retailer. Please check which NFC chip types are supported by your device! Ideally buy one with NDEF support. I suggest a capacity of 924 bytes to be able to export the Encrypted Master Key or Encrypted Credential Records, e.g. NTAG 216.
Without NFC you can fall back to QR codes, which can be stored as image files, shared through other trustworthy apps, otherwise copied from your device (e.g. by a scanner or copier) or even just printed out on paper.
You can also use both technologies if you prefer, for instance to have multiple backups. Use the in-app feature to verify your QR codes and NFC tags to ensure the app is able to read them when needed!
4. SHOULD I PROTECT MY EXPORTED MASTER PASSWORD WITH A CODEWORD?
It sounds weird to protect a password with another password, even if it is called a codeword. But imagine the Exported Master Password as a physical key to your vault. If it falls into the wrong hands, only your PIN protects the vault from being broken into, and a PIN may be short! And since for regular usage you should rather use Master Password Tokens, the Exported Master Password could be placed in a real vault and could be protected with an additional password/codeword, which you may note on a piece of paper in your documents at another place. So again it is up to you whether you want to do that. If you have chosen a short and handy PIN it could make sense to protect it.
5. SHOULD I EXPORT MY MASTER PASSWORD OR STORE IT ON THE DEVICE?
This depends on your personal security preference. In general it is safer to export it than to store it, although it is of course stored AES-encrypted with an Android key (managed by the operating system's TEE/TPM). In addition to that, since app version 1.4.0, the Android key is protected with a biometric/fingerprint if supported by your device.
If you want to be maximally safe you should export the Master Password protected with a codeword and put it into your analogue vault or under your pillow. You will need it if you want to import a vault from a file. Then create a Master Password Token and export it copy-protected on an NFC tag and carry this with you, e.g. attached to your key ring, to be used to log in. If your device doesn't support NFC you can export these via QR codes. But note, when you save the QR code on your device, all other apps could potentially read it. To avoid that you can share the image containing the QR code with a trusted app, e.g. to print or back it up. Or you could scan the QR code with another device (e.g. a photo camera or a paper scanner / copier) directly from your device and store it somewhere else (e.g. print it).
6. I HAVE CHANGED MY FINGERPRINT. NOW MY STORED MASTER PASSWORD IS GONE.
This is a security feature of Android. Imagine a hacker gets access to your phone and enrolls his own fingerprint. Then he only needs your PIN to get your passwords. To avoid this, stored master passwords that are authorized by biometrics are invalidated when the enrolled biometrics change.
7. HOW CAN I BACKUP MY VAULT?
Since the app is designed to work offline you can just export all your data into a file. You can choose where to save the file, or share it with a trusted app, e.g. to back it up on your NAS server. Remember that when saving it on your device, all other apps could potentially read it. The vault file contains all data, of course encrypted with the master key. The master key itself can be part of the file as Encrypted Master Key. If it is not part of the file, you should export the Encrypted Master Key separately with the export feature as NFC tag or QR code. Do this once at the beginning and put it in a safe place to later back up your vault without the Encrypted Master Key. Note that you will need to back up the Encrypted Master Key again when you change your PIN or the master password or when you change the encryption algorithm of the vault. The app will notify you in those cases.
You can import/restore a vault file either after a fresh new app installation or into your current app vault.
To do the former you need the app without any vault created. Here you can choose to create a new vault or to import an existing vault file. Click on the latter to choose your vault file and have, if needed, your Encrypted Master Key with you. After a successful import, you can log in to the vault as usual with PIN and master password. If the master password is protected you will be asked for the corresponding codeword. Be aware that existing Master Password Tokens are not valid for the imported vault (they are not part of the vault file for security reasons).
To restore a vault file into your current vault, just select “Import vault file” from the app menu and select your vault file (it must have the same Vault-Id). In the following screen you can select which data should be re-imported. You can also preview its content by clicking on a single credential.
8. CAN I EXPORT SINGLE CREDENTIALS TO OTHER APPS?
You can export/share each credential to other devices running ANOTHERpass as well. You can also export credentials encrypted as NFC tag or QR code for backup or security purposes. So you could export critical credentials and then delete them from your vault. Every time you need one you just scan the NFC tag or QR code with the exported credential on it. Of course you can import it again into your vault. Note that encrypted credentials can only be read and imported by vaults with the same Master Key and the same vault (same Vault-Id).
Besides that you can also export all credentials as a CSV file. Note, this CSV file contains all data DECRYPTED! Use this to take out all credentials and import them into other password managers.
9. I FORGOT TO CHANGE A PASSWORD ON A WEBSITE AFTER CHANGING IT IN THE APP. IS MY PASSWORD LOST?
No. If you generate a new password and save the credential afterwards, the previous password is not gone. You can restore the last saved password for a credential by clicking on “Change” and then, in the options menu (3 dots), clicking on “Restore last password”.
10. HOW CAN I CLOSE THE OVERLAY WINDOW?
Just drag the window to the top of the display until a red cross appears and drop it there. When you drag it to the left edge, you can just go back to the app.
11. WHAT IS THE DIFFERENCE BETWEEN LOCK AND LOGOUT?
When you click on the lock icon you have to log in again with just your PIN (as long as the app is not terminated in the background by the OS). If you log out, the app is closed and you have to log in with PIN and master password (if it is not stored on the device). So it is a question of your own sense of safety whether you lock or log out after usage.
12. I FORGOT MY PIN. WHAT CAN I DO?
Sorry to hear that. You can only try to remember it. There is no recovery. The same goes for the master password if you lose it.
13. I LOST MY MASTER PASSWORD TOKEN. WHAT TO DO?
If you haven't stored the master password on your device you need either your Exported Master Password (as NFC tag or QR code) or your noted real master password to log in. Then go to “Quick access” / “Create Master Password Token” to create a new one. The old token becomes invalid after doing this and cannot be used anymore to log in. Export the newly created token and carry it with you for login.
14. SOMEBODY COPIED MY MASTER PASSWORD TOKEN!
If you suspect somebody copied or just read your MPT (Master Password Token) you should immediately create a new one or at least invalidate the current one.
In order to protect your Master Password Token from being copied by others you can “copy-protect” it when writing it to an NFC tag. With this option, only the original NFC tag is accepted to log in, no other tags and no QR codes! To achieve this, the app saves the globally unique identifier of the NFC tag and checks it when attempting to log in with an NFC tag.
15. THE NEW-BUTTON HIDES THE OPTIONS MENU/DELETE BUTTON. THAT SUCKS!
This is due to Google's Material design. But you can move the New (+) button away. Just long-press on it and drag and drop it.