1. HOW IS MY DATA ENCRYPTED?
All your data (user names, passwords, labels, etc.), and even the association between credentials and labels, is encrypted with a random key (called the Master Key) with a key length of 128 or 256 bit (depending on your selected encryption algorithm). The encryption algorithm can be chosen when you create a new vault. Supported algorithms are AES 128/256, Blowfish 128/256 and ChaCha20. Note that depending on your current Android version you may not see all options. The default is AES 128, which is supported by all Android versions and in most cases strong enough with reasonable performance.
The Master Key itself is encrypted with your PIN (min. 6 characters of your choice, not necessarily digits) combined with an at least 28-character Master Password.
In addition, the encrypted Master Key is again AES-encrypted with a secret Android key (managed by the operating system). This makes it harder to get the data from the phone storage.
If you decide to store your master password on the device, it is strongly recommended to enroll biometrics (e.g. fingerprint) first. This ensures the stored master password can only be accessed with your biometrics.
Furthermore, if a password or key is read from storage into memory, it is held there decrypted only as long as it is used (shown) by the app, and it is erased from memory as soon as it is no longer needed. This makes it harder to heap-dump the app's memory and find keys or passwords there. (It is a very unlikely scenario that a spy app scans your memory on a non-rooted phone, but on rooted phones this feature helps a bit to increase security. In any case, if you have a spy app on your phone you should consider the phone hacked and dispose of it, because spyware can also read your display content.)
2. HOW ARE PSEUDO PHRASES GENERATED?
Pseudo Phrases aim to sound like real words, or like potential real words, to make them easier to read and to type. Most spoken languages have consonants and vowels, and a general rule may be: after a consonant follows a vowel and vice versa. This is a very simple rule, but with it a lot of pseudo phrases can be generated. To enlarge the number of combinations another general rule is applied, which says that after a vowel one other vowel may follow. To illustrate: it could generate tuples like “ab” and “ba” but also “aa”, but not “bb”.
To enlarge the combinations again, a Pseudo Phrase Word has 4 characters consisting of two tuples. Both tuples can be pronounced like syllables, e.g. “ba_ab”, “ba_ba” or “ab_ba”. It can also be “ab_aa” or “ba_aa”. Having “babb” (as one syllable) seems usual, therefore double consonants are allowed in the second tuple if the last character of the first tuple is a vowel.
With these simple rules ANOTHERpass generates Pseudo Phrases with different word counts. But is it secure? To generate one pseudo word (4 characters) there are 79,296 combinations. To generate the same 4-character word from all possible lower-case letters without any rule applied we would have 456,976 combinations, roughly 6 times as many. Considering all typical password characters, including lower- and upper-case letters, digits and common special chars, we get around 33 million combinations, so much, much more! How can Pseudo Phrases be secure? It is about the length! ANOTHERpass generates one more word (4 characters) for all Pseudo Phrases in comparison to the ordinary password generator. In our example the number of combinations of a two-word Pseudo Phrase is 79,296 * 79,296 = over 6 billion!
But does this also work for usual passwords with a length of, e.g., 12 characters and all kinds of mixed characters? That would have over 2 * 10^22 combinations. With Pseudo Phrases of 12 + 4 extra chars AND containing a digit and a special char as well we would have over 4 * 10^21 combinations, so fewer, but still secure! If you want to close this gap, just generate with one more word. So by just adding one or two more words to each password, Pseudo Phrases become similar to or even safer than usual passwords.
Sure, you could argue to just add 4 or more characters to an ordinary password as well. Yes, you can do that and it is even more secure, but still very hard to read and type. You would lose the advantage of Pseudo Phrases! In the end you have the choice between both and it is up to you what you prefer.
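The tuple rules above, as an added example (not the app's own generator): it validates and counts four-letter pseudo words and samples phrases with a CSPRNG. It assumes that y counts as a vowel (6 vowels, 20 consonants) and that a "double consonant" means the same letter twice; under those assumptions the brute-force count is exactly the 79,296 quoted above.

```python
import itertools
import math
import secrets
import string

# Assumption (not stated in the FAQ): y counts as a vowel, giving 6 vowels and
# 20 consonants, and a "double consonant" is the same letter twice. This is
# the split under which the rules yield the 79,296 words quoted above.
VOWELS = "aeiouy"


def valid_tuple(pair: str, allow_double_consonant: bool) -> bool:
    """A tuple is CV, VC or VV; CC only as a doubled consonant, when allowed."""
    first, second = pair
    if first in VOWELS:
        return True  # after a vowel, a vowel or a consonant may follow
    if second in VOWELS:
        return True  # after a consonant, a vowel must follow
    return allow_double_consonant and first == second  # the "bb" in "babb"


def is_pseudo_word(word: str) -> bool:
    """Four lowercase letters = two tuples; second may be 'bb' after a vowel."""
    if len(word) != 4 or any(c not in string.ascii_lowercase for c in word):
        return False
    head, tail = word[:2], word[2:]
    return valid_tuple(head, False) and valid_tuple(tail, head[1] in VOWELS)


def count_pseudo_words() -> int:
    """Brute-force all 26**4 = 456,976 four-letter strings, keep the valid ones."""
    return sum(
        is_pseudo_word("".join(chars))
        for chars in itertools.product(string.ascii_lowercase, repeat=4)
    )


def generate_pseudo_phrase(words: int) -> str:
    """Rejection-sample words with a CSPRNG so every valid word is equally likely."""
    out = []
    while len(out) < words:
        candidate = "".join(secrets.choice(string.ascii_lowercase) for _ in range(4))
        if is_pseudo_word(candidate):
            out.append(candidate)
    return "".join(out)


def phrase_bits(words: int, per_word: int = 79296) -> float:
    """Search space of an n-word phrase in bits, assuming uniform word choice."""
    return words * math.log2(per_word)
```

Two words give about 32.5 bits, which is the "over 6 billion" figure; each further word adds roughly 16.3 bits.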
3. WHAT IS A NFC TAG AND DO I NEED IT?
If your device supports NFC you can use so-called NFC tags as storage for passwords and credentials. You can buy such tags cheaply from an electronics retailer. Please check which NFC chip types are supported by your device! Ideally buy one with NDEF support. We suggest a capacity of 924 bytes to be able to export the Encrypted Master Key or Encrypted Credential Records, e.g. NTAG 216.
Without NFC you can fall back to QR codes, which can be stored as image files, shared through other trustworthy apps or otherwise copied from your device (e.g. by a scanner).
You can also use both technologies if that feels safer for you or to have multiple backups. Use the in-app feature to verify your exported data to ensure you can read it if needed!
4. SHOULD I PROTECT MY EXPORTED MASTER PASSWORD WITH A CODEWORD?
It sounds weird to protect a password with another password, even if it is called a codeword. But imagine the exported master password as the physical key to your vault. If it falls into the wrong hands, only your PIN protects the vault from being broken, and a PIN may be short! And since for regular usage you should rather use Master Password Tokens, the Exported Master Password can be stored in a real-life vault and protected with an additional password/codeword, which you may note on a piece of paper in your documents. So again it is up to you whether you want to do that. If you have chosen a short and handy PIN it could make sense to protect it.
5. SHOULD I EXPORT MY MASTER PASSWORD OR STORE IT ON THE DEVICE?
This depends on your personal security feeling. In general it is safer to export it than to store it, although it is of course stored AES-encrypted with an Android key (managed by the operating system). In addition, since v1.4.0 the Android key is protected with biometrics/fingerprint if supported by your device.
If you want to be maximally safe you should export the Master Password protected with a codeword to an NFC tag and put it into your analogue vault or under your pillow. You will need it if you want to import a vault from a file. Then create a Master Password Token, export it to an NFC tag as well and carry this with you to log in, e.g. on your keyring. If your device doesn’t support NFC you can export these via QR codes. But note: when you save the QR code on your device, all other apps could potentially read it. To avoid that you could scan the QR codes with another device (e.g. a photo camera or a paper scanner / copier) and persist it some other way (e.g. print it).
6. I CHANGED MY FINGERPRINT. NOW MY STORED MASTER PASSWORD IS GONE.
This is a security feature of Android. Imagine a hacker gets access to your phone and enrols his own fingerprint. Then he only needs your PIN to get your passwords. To avoid this, stored master passwords that are authorized by biometrics are invalidated when the enrolled biometrics change.
7. HOW CAN I BACKUP MY VAULT?
Since the app is designed to work offline you can just export all your data as a JSON file. You can choose where to save the file. Remember that when you save it on your device, all other apps could potentially read it. You can also share or send it with another trustworthy app. The JSON file contains all data, of course encrypted with the master key. The master key itself can be part of the file as the Encrypted Master Key. If it is not contained, you should export the Encrypted Master Key separately with the app as an NFC tag or QR code. Do this once at the beginning and put it in a safe place, so that you can later back up your vault without the Encrypted Master Key. Note that you will need to back up the Encrypted Master Key again when you change your PIN or the master password.
You can import/restore a vault file either after a fresh app installation or into your current app vault.
For the former you need the app without any vault created. Here you can choose to create a new vault or to import an existing vault (file). Choose the latter to select your vault file and have, if needed, your Encrypted Master Key with you. After a successful import you have to log in to the vault as usual with PIN and master password. If the master password is protected you will need the corresponding codeword. Be aware that Master Password Tokens are not valid for the imported vault (they are not part of the JSON vault file for security reasons).
For the latter, just select “Import vault file” from the app menu and select your vault file (it must have the same Vault-Id). In the following screen you can select which data should be re-imported. You can also preview its content by clicking on it.
8. CAN I EXPORT MY CREDENTIALS TO OTHER APPS?
You can export/share each credential to other devices running ANOTHERpass as well. You can also export credentials encrypted as an NFC tag or QR code for backup or security purposes. So you could export critical credentials and then delete them from your vault. Every time you need one you just scan the NFC tag or QR code to access and use it. Of course you can import it again into your vault. Note that encrypted credentials can only be read and imported by vaults with the same Master Key (same Vault-Id).
9. I FORGOT TO CHANGE A PASSWORD ON A WEBSITE AFTER CHANGING IT IN THE APP. IS MY PASSWORD LOST?
No. If you generate a new password and save the credential afterwards, the recent password is not gone. You can restore the last saved password by clicking on “Change” and then in the options menu (3 dots) click on “Restore last password”.
10. HOW CAN I CLOSE THE OVERLAY WINDOW?
Just drag the window to the top of the display until a red cross appears and drop it there. When you drag it to the left edge, you can just go back to the app.
11. WHAT IS THE DIFFERENCE BETWEEN LOCK AND LOGOUT?
When you click on the lock icon you have to log in again just with your PIN. If you log out, the app is closed and you would have to log in with PIN and master password (if not stored on the device). So it is a question of your own security feeling whether you lock or log out after usage.
12. I FORGOT MY PIN. WHAT CAN I DO?
Sorry to hear that. You can only try to remember it. There is no recovery. The same goes for the master password.
13. I LOST MY MASTER PASSWORD TOKEN. WHAT TO DO?
If you haven’t stored the master password on your device you need either your Exported Master Password (as NFC tag or QR code) or your written-down real master password to log in. Then go to “Quick access” / “Create Master Password Token” to create a new one. The old token becomes invalid after doing this and cannot be used to log in anymore. Export the newly created token and carry it with you for login.
14. THE NEW-BUTTON HIDES THE OPTIONS MENU/DELETE BUTTON. PLEASE HELP!
This is due to Google's Material Design. But you can move the New (+) button away: just long-press it and drag it away.