Welcome to the SrsPass documentation

Useful Links

• SrsPass Web App

• Telegram Chat Group

What is it

Quite simply, it's a secure password generator/manager you have full control over. Built upon an open specification and released as FOSS that can be audited by anyone. In terms of control, the password generation happens completely on your device, and are based upon the backup phrase generated uniquely on your device (seeding any generated password with 128-bits of secure randomness) and your own provided unlock password, which also secures these parameters on your device.

Unlike competitors, none of your data is needed or requested by us for SrsPass to work. All we do is develop the app and serve it to you. Your passwords are always "synced" between devices, even those offline, just re-use the same parameters. We designed it like this on purpose, it is stateless and deterministic.

Its security is achieved through a novel combination of modern cryptographic primitives. These are more deeply explored on the Tech page. By embracing this openness, we are avoiding a dangerous yet common pitfall amongst other "security" providers; security through obscurity, usually an indicator that the security model is lacking or even broken, and may depend on this obscurity as its fundamental security principle.

Everyone, including malicious actors have full access to our code and spec. Unlike almost all other competitors, we are confident enough in the fundamentals of our specification and implementation, and invite competitors and security experts to review and audit these themselves. At its root, the spec relies on 2 modern and secure cryptographic primitives, AES256-GCM for authenticated encryption and Argon2id for key-stretching. And in reality, is the de facto combination backends should be using to your secure passwords. However, as you will see in the Breaches section relying on others to do this for you, even from top companies, proves to be a fool's errand.

SrsPass instead provides users with the full capability to secure their own accounts, ultimately minimizing and isolating account breaches. No more having to spend weeks trying to secure other accounts because one was breached... all your other passwords are safe thanks to the design. And to re-secure the password of even the breached account, all you have to do is increment the index parameter for that password.

In regards to ownership and control, we believe that secure passwords are a fundamental human right, thereby the core is FOSS, by having the code and software released under a license meant for maximal user empowerment.

Why should I use it

If our What section didn't make it clear, we think it's the best password manager. Albeit, we'll first start off with helping you understand why you absolutely need some sort of password management system and then what differentiates us from the rest and why to choose SrsPass.

Short

Password managers are essential

• Most people use weak passwords
  • 83% of Americans use weak passwords¹
• Because humans suck at
  • generating proper randomness needed for secure passwords²
  • memorizing even one cryptographically secure password, let alone dozens of completely different ones³
• Too many companies and websites suck at
  • securing your passwords in storage⁵
  • securing your passwords in transit⁶
  • password requirements
  • general security: refer to list of company breaches, you have likely been affected by yourself

Shortcomings of the rest

• Closed-source & security through obscurity⁹
  • NEVER consider such a manager if you care about your security
  • unfortunately, this is the case for a vast majority of password managers
• Use old, weak, or obsolete cryptography
• All-in-one targets for hackers
• No password customization & control or limited at best
• Archaic stateful vault-centric design
  • if a storage device is corrupted, and you have no backups, your passwords could all be gone
• Require a persistent internet connection
  • a red flag, avoid any services that require this during password generation or saving and can't work purely in a client-side only setting
• Large attack surface & technical debt especially with multi-platform implementations
• Lock you in and make your credentials depend on a single vendor
  • if the vendor disappears, so may your passwords
• Dismiss your privacy & require sign-up
  • many collect analytics across all facets, including a number of open-source options

SrsPass is the solution

• Always Private
  • we don't collect or need your e-mail, name, or any personally identifying information
• Secure by Design
  • based on system similar to bitcoin HD wallets, securing up to $1,000,000,000,000
• Uses only Modern & Secure Cryptographic Primitives
  • AES256-GCM
    • the standard for encryption
  • Argon2id
    • purpose is to strengthen passwords
• Deterministic, Stateless, Secure
  • strong passwords for your eyes only, that you don't need to remember
• One Cross-platform Codebase, works anywhere with a browser
  • secure your passwords, wherever you are
• Full Password Generation Control
  • can generate a usable password even the most unconventional password requirements
• Open-Source
  • absolute requirement for security software, yet most aren't
  • transparent and open development
• Unstoppable Software that works Offline
  • once you have the app, it can run completely offline from that point on
  • it is not dependent on our servers for any of your password management

Detailed

Password managers are essential

• Most people use weak passwords
  • 83% of Americans use weak passwords¹
• Because humans suck at
  • generating proper randomness needed for secure passwords²
  • memorizing even one cryptographically secure password, let alone dozens of completely different ones³
    • 128-bits is considered about the minimum
    • you would need to remember 28 truly random lowercase letters to achieve this level of security⁴
• Too many companies and websites suck at
  • securing your passwords in storage; using weak or improper password storing techniques, making it easier for them to be compromised in a breach⁵
  • securing your passwords in transit; some sites still use only HTTP or other rudimentary connections for sending your passwords⁶
  • password requirements;
    • allowing you to enter easily crackable passwords
    • having some archaic requirements that end up yielding a weaker password⁷
    • at worst limiting your length and other security characteristics to the advantage of hackers⁸
  • general security;
    • it is very complex, and there is no perfectly secure system
    • if you reuse the same or similar passwords, one breached account leads to many or all other accounts being breached
    • Refer to the following for a list of company breaches, you have likely been affected by yourself

Shortcomings of the rest

• Closed-source & security through obscurity⁹
  • NEVER consider such a manager if you care about your security
  • the software you are running is a black box
  • unfortunately, this is the case for a vast majority of password managers
  • this means the internals of what it is doing with your data is a complete question mark, and you must completely trust the developers and vendor of the software, in regards to it doing what they claim it is
  • not open to public and peer security review
  • less eyes on the code, leaves more room for exploitable holes
  • easily susceptible to malicious backdoors, but hard for a user to identify
  • could take just one determined attacker or disgruntled employee to break security
  • this means any data you enter into such an app is at the mercy of the vendor, and must be presumed as compromised, don't be fooled by their veiled convenience
• Use old, weak, or obsolete cryptography
  • as computer hardware keeps improving, older cryptography becomes more and more susceptible to realizable attacks
  • even among those that are open-source, they are using decades old password hashing methods, without any memory hardness¹⁰
    • the most common in use is PKBDF2-SHA256, with normally up to 100k iterations
    • Bitcoin mining utilizes SHA256
    • a single Bitcoin ASIC mining device is able to compute 110 trillion hashes per second
    • These specific devices don't currently target PBKDF2 but should provide a useful illustration on what may be doable with an ASIC that were to retarget that specific algorithmic variation of it
    • If there aren't any significant overheads in remodelling an ASIC to a 100k iteration PBKDF2-SHA256 function, it means it would take this one device less than 4 minutes to run through all possible 8 character lowercase combinations to match against the salt+hash combo¹¹
    • A closed-source competitor ran a contest to crack their vaults using PBKDF2-HMAC-SHA256, secured with a 42-bit strength password, and the first place team took 18 days to crack it with less than a couple dozen GPUs¹²
• All-in-one targets for hackers
  • many password managers claim that you are safe storing any information in them
    • Credit Cards
    • Government IDs
    • Banking info
    • 2FA codes
      • If your 2FA and account info can be obtained from the same place, it's not longer actually two-factor authentication, so it's a terrible practice to do
  • they typically store this information in the cloud (servers accessiable by the wide internet)
  • these vaults are not sufficiently secured, as evidenced by the previous 18-day crack, especially for such a risk setting
  • the servers of these password managers are extremely high-value targets for hackers
  • as breaching them would yield hundreds of accounts and personal information from each of the millions of users
  • to conclude, if such a password manager experiences a breach, you can presume a total breach across all your accounts, especially if you saved two-factor codes on it
• No password customization & control or limited at best
  • unable to choose exact specific characters or format of the password
  • will inevitably run into pages with unusual password requirements, unfortunately many password managers cannot adapt to these forcing you to substitute their generator with your own hand-typed password
  • users have concerns with regards to how passwords are generated in the first place, which happens due to the many specless and cosed-source implementations out there, don't trust black boxes
  • many likely depend on RDRAND or other potentially backdoored or weak RNG, as their lone source for password generation
• Archaic stateful vault-centric design
  • difficult and clunky to manage backups for most users
  • if a storage device is corrupted, and you have no backups, your passwords could all be gone
  • safe vendor-side backup services are hard to implement
  • even a safe service could be breached and turns vendor infrastructure into a high-value target for hackers
  • improper implementation could leave vaults susceptible to trivial compromise, must be assumed with vendors that practice security through obscurity
• Require a persistent internet connection
  • a red flag, avoid any services that require this during password generation or saving and can't work purely in a client-side only setting
  • even open-source code could be compromised and backdoored in a malicious manner to abuse this
• Large attack surface & technical debt especially with multi-platform implementations
  • leaves lots of room for errors, the more you need to maintain, the more chances of problems, inconsistencies, or bugs
  • we don't think this is the right way to go about it... it's simply a case of bad or no design planning, and now being forced to stick with mutiple implementations of the same tool
• Lock you in and make your credentials depend on a single vendor
  • this could be due to closed-source or even a closed or undocumented spec
  • if the vendor disappears, so may your passwords
  • you're wholly dependent on the vendor existing to keep your passwords secure
• Dismiss your privacy & require sign-up
  • many collect analytics across all facets, including a number of open-source options
  • requiring your e-mail is an unnecessary privacy conern at best
  • at worst, it opens all your accounts to getting breached, simply by hacking that e-mail you signed up with

SrsPass is the solution

• Always Private
  • we don't collect or need your e-mail, name, or any personally identifying information
  • the app page does not load ANY third-party web assets, only code we've built is loaded
  • TOR-friendly and encouraged for your privacy
• Secure by Design
  • backed by an open and reviewable specification
  • specification was designed with an emphasis on security & simplicity
  • based on system similar to bitcoin HD wallets, securing up to $1,000,000,000,000
    • utilizes cryptocurrency wallet seed phrases, so users can import that as their backup phrase for convenience
      Importing Cryptocurrency Seed Phrase

      It is highly recommend, that if you import a seed phrase which has actual cryptocurrencies on it, to do it on a secure device that is offline during setup. The seed phrase is hashed securely for the purposes of SrsPass after initial setup, which makes the seed phrase irreversible from the browser's storage from that point forward. Therefore, after initial setup, you are okay to continue online.

    • Our password generation design piggybacks onto cryptocurrencies to serve as its honeypot, a $1T honeypot as of 2021
  • no sacrifices for backwards compatibiltiy or inherited gotchas
  • the spec is what password backends SHOULD already be doing to protect you
  • instead of blindly hoping that a vendors backend does this, SrsPass provides users with a front-end so they can be sure their passwords stay secure
  • can and should be adopted by companies that respect your security
• Uses only Modern & Secure Cryptographic Primitives
  • AES256-GCM
    • the standard for encryption
    • anything stored encrypted, is encrypted using this algorithm by us
    • also acts as an additional authentication mechanism
  • Argon2id
    • 2015 PHC Winner
    • KDF or key-stretching function
    • purpose is to strengthen passwords
      • make cracking them very hard and expensive
      • with the right parameters, practically impossible to crack
    • provides multiple parameters for purposes of
      • computation cost
      • memory hardness anti-ASIC
      • anti-parallelization anti-GPU
    • considered improvement over bcrypt and scrypt
    • biggest differentiator is it does not perform better on specialized hardware
      • the weakness of old KDFs, they are slow for clients, but not for attackers with special hardware
      • in other words, it runs comparatively slow for you, but also for any would-be attackers, making cracking your password that much harder and more unlikely
    • used for the key generation in encryption and also used as the derministic randomness oracle in password generation
    • most competitors only utilize a KDF with a compute cost
      • vastly superior to KDF such as PBKDF2 ¹³
      • much cheaper to build specific hardware for cracking them
      • practical software and devices already exist for practically cracking PBKDF2 schemes
• Deterministic, Stateless, Secure
  • strong passwords for your eyes only, that you don't need to remember
  • passwords are generated in a deterministic fashion leading to a stateless design
    • they are made by combining your unlock pass, backup phrase, and the pass parameters
    • this combination is run through the Argon2id KDF
    • the output is not predictable, without knowing the input parameters
    • therefore, the output ends up being random yet deterministic
    • this means, the same input combination, will always yield a matching output, which is what it means to be deterministic
    • thereby, we have no need to save passwords, as they can always be generated in this deterministic fashion, yielding this stateless design and foregoing the need to save your passwords in some files you have to keep safe and backup
• One Cross-platform Codebase, works anywhere with a browser
  • secure your passwords, wherever you are
  • The app is built as a modern PWA
    • with one codebase, we are available on ANY platform with a modern web browser
    • works just like a native app on your device
    • runs completely offline
  • simple and minimal implementation with minimal dependencies to reduce attack surface
  • low code maintenance and technical debt
    • we believe it is due to high tech debt that our competitors are giving their customers push-back on implementing argon2
    • if we need to fix or add something, we only need to change one codebase, and not one for every OS as is the case with Multi-platform implementations
  • all devices with a modern browser work
• Full Password Generation Control
  • you define the exact characters, format, and length your generated passwords can have to fit your needs
  • can generate a usable password even the most unconventional password requirements
  • the spec if fully open, so any sufficiently knowledgeable user can fully understand how their passwords are generated and even replicate the passwords in their own software
• Open-Source
  • absolute requirement for security software, yet most aren't
  • anyone can review and give feedback to the code
  • should offer significantly better security guarantees
  • this license enables anyone to change the code to suit their needs
  • gives users the ultimate freedom over the software they are running
  • transparent and open development
  • no security gotchas obfuscated being obfuscated by hidden code
• Unstoppable Software that works Offline
  • once you have the app, it can run completely offline from that point on
  • it is not dependent on our servers for any of your password management or continued usage
  • our servers only provide periodic opt-in updates for features or fixes
  • in the worst case, if SrsSec goes bust
    • the app will keep working as before, by design
    • the software is open-source and can be forked by others to continue development, and built by anyone at any time from now to the future

List of notable company breaches

• Breaches occur often, even against big names. Here's a condensed list of notable companies that have been breached and your passwords may have been compromised by if associated with them during that time

  • LinkedIn

    • 165 million in 2012
    • most passwords unsecured

  • Yahoo

    • 500 million in 2014
    • 2 years passed until breach was reported
    • 3 billion in in 2013
    • only disclosed 3 years after, during Verizon buyout talks

  • Sony PlayStation

    • 77 million in 2011

  • Rambler

    • 91 million in 2014
    • passwords were stored plain/unprotected

  • Twitter

    • 330 million in 2018
    • glitch that made passwords visible to those with access to their internal network

  • Facebook

    • 540 million in 2019

  • eBay

    • 145 million in 2014

  • AdultFriendFinder

    • 412 million in 2016
    • improperly secured passwords, 99% of them cracked
• This is just a condensed list... see more in this UpGuard article
• Previous such breaches have lead to millions of user's other accounts getting hacked because of password re-use
  • 300k users hacked in 2020 @ Nintendo
  • 500k users hacked in 2020 @ Zoom
• Check out Plain Text Offenders for a live list of sites that improperly store your passwords (over 400 pages long and counting) and an excellent FAQ page touching on some of our previous subjects
• Yearly in just the US, about 20 million people suffer from identity theft that arises from transfer and storage of personal data. The DOJ estimates losses of over $17 billion annually for these individuals, greater than the losses from robbery, burglary, and auto theft combined¹⁴
• By using SrsPass, you're able to stop credential stuffing, which is a top threat for such account compromises and identity theft. The reason it is such a threat is because 81% of users report password re-use and 25% report using the same passwords across a majority of their accounts. And, in 2016 alone, there were 3 billion credentials spilled from online breaches¹⁵

In Summary

It should be clear, you cannot and should not rely on any companies to keep your passwords secure. That role lies with you, and SrsPass provides you with the capability to do just that. It allows you to generate unique, isolated, secure passwords, that should protect you from brute-force attacks and in the worst-case of an account breach, isolates it to just that specific account and ensures your other accounts are not jeopardized.