Privacy Friendly Password Generator App

With Privacy Friendly Password Generator you can generate different passwords for all your accounts while remembering only one master password.

How to use Privacy Friendly Password Generator:

  1. Add an account
    Start by adding an account to Privacy Friendly Password Generator. To add a new account, please click on the plus button in the bottom right corner. This button opens the add dialog.
    The following data can be stored in the account:
    • Account name: Name or URL of the (web) service the password is used for.
    • Username (optional): Different usernames help to identify different users using the same (web) service.
    • Character Set: You can choose which symbols will be contained in the password. At least one of the following options must be chosen: lower case letters, upper case letters, numbers, special characters.
    • Length: The length of the password can be set between 4 and 25.
    • Password version: The password version helps to generate different passwords in case an account is updated without changing the data or the master password. If no password version is set, it defaults to one.
  2. Generate passwords
    The generator can be opened with a click on the account in the list. Then the master password must be entered. Please take care to choose a strong master password. The master password should not include any personal data like birthdays. It also should not include any character sequences that can be found on the keyboard. Try to make the master password as long as you can manage. If needed, you can write it down and keep it in a safe location.
  3. Update accounts
    The update dialog can be opened by a long press on an account. In this dialog all data can be edited by the user. If nothing is changed, the password version is automatically increased by one so that a new password can be generated. After saving the account data the user has the possibility to generate the old and new password in one screen to facilitate the updating process. For this generation the master password is required.
  4. Delete accounts
    Accounts can be deleted by a swipe from the right to the left side. If you wish to delete all accounts at once you can do this in the settings menu.
  5. Expert mode
    The expert mode is available in the settings menu. There, the parameters of the PBKDF2 algorithm can be changed. You can choose between the three hashing algorithms SHA256, SHA384 and SHA512. The number of iterations can be set between 1000 and 10000. Be aware that changing these parameters affects all passwords: Privacy Friendly Password Generator will then generate different passwords for every account. The parameters for the BCrypt algorithm cannot be changed.

By default, Privacy Friendly Password Generator does not copy passwords to the clipboard, but this can be switched on in the settings. The content of the clipboard can be accessed by any application on the device and thus could get stolen by a malicious application. We recommend clearing your clipboard by copying something different after the interaction with the password is finished.

The generation of passwords is based on the combination of the key derivation function PBKDF2 and the hash algorithm BCrypt.

The master password serves as a seed for the PBKDF2 algorithm. Password version, account name, username and device ID are concatenated to a string and form the salt for PBKDF2. In the settings, users can choose whether the passwords are bound to the device; if the setting is not chosen, a default string is used as device ID.

The result of PBKDF2 is encoded into a special version of Base64 which is compatible with BCrypt and not longer than 22 characters. The master password also serves as a seed for the BCrypt algorithm. The result of the PBKDF2 hashing with the string $2a$10$ as prefix (this is required for BCrypt, the 10 is the round value) forms the salt for BCrypt.

As the prefix and the salt are also part of BCrypt's resulting string they are removed from the resulting byte-array. This byte-array is used to deterministically choose characters out of the character set from the user's parameters.
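The PBKDF2 stage described above, up to the salt string that is handed to BCrypt, as an added Python example (not the app's own code). The function names, the field order without separators, the 16-byte PBKDF2 output length, UTF-8 encoding and the default device ID string are assumptions; the sample inputs are constructed.

```python
import hashlib

# bcrypt's Base64 alphabet: starts with "./" and is written without "=" padding.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
BCRYPT_PREFIX = "$2a$10$"                # from the page: the 10 is the round value
DEFAULT_DEVICE_ID = "DEFAULT-DEVICE-ID"  # placeholder; the app's real default string is not given

def bcrypt_b64(data: bytes) -> str:
    """Encode bytes as 6-bit groups, most significant bit first, zero-filled at the end."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 6)
    return "".join(BCRYPT_B64[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))

def pbkdf2_salt(version: int, account: str, username: str = "",
                device_id: str = DEFAULT_DEVICE_ID) -> bytes:
    # Assumption: fields are joined in the order the page lists them, without a separator.
    return f"{version}{account}{username}{device_id}".encode("utf-8")

def bcrypt_salt(master: str, version: int, account: str, username: str = "",
                device_id: str = DEFAULT_DEVICE_ID,
                hash_name: str = "sha256", iterations: int = 1000) -> str:
    # Assumption: 16 bytes of PBKDF2 output, which encode to exactly 22 characters.
    derived = hashlib.pbkdf2_hmac(hash_name, master.encode("utf-8"),
                                  pbkdf2_salt(version, account, username, device_id),
                                  iterations, dklen=16)
    return BCRYPT_PREFIX + bcrypt_b64(derived)

if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    args = (master, 1, "example.org", "alice")
    print("version 1         :", bcrypt_salt(*args))
    print("version 2         :", bcrypt_salt(master, 2, "example.org", "alice"))
    print("bound to a device :", bcrypt_salt(*args, device_id="device-1234"))
    print("sha512, 10000 it. :", bcrypt_salt(*args, hash_name="sha512", iterations=10000))
```

Each of the four printed salts differs, so every input, including the expert-mode hash algorithm and iteration count, feeds through to a different final password.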

The Privacy Friendly Password Generator app differs from other similar apps in the following points:

  1. No permissions 
    Privacy Friendly Password Generator does not require any permissions. 
  2. Protection of passwords
    Privacy Friendly Password Generator does not store any generated password, nor does it store the master password. For the generation of passwords a stateless algorithm is used. This means that the passwords only exist during the generation and are not stored in the program after the application has been closed. Additionally, the app prevents devices from taking screenshots.
  3. No advertisement
    Many other free apps in the Google Play Store display annoying advertising, which also shortens battery life.

Download the App

We offer several ways to download the app:

  • Official Google Play Store (Feel free to provide feedback, see contact. We would be pleased to receive a positive rating if you like the app)
  • F-Droid Store (The F-Droid Store is an open source software store where you can download the APK file of the app. Apps installed that way won't receive any updates unless you regularly download the newest version from the F-Droid website or use the official F-Droid Store app.)
  • If you are interested in the development of apps or the source code, you can find it at GitHub

Publication

Assistance in Daily Password Generation Tasks: Karola Marky, Peter Mayer, Nina Gerber and Verena Zimmermann. In: 3rd International Workshop on Ubiquitous Personal Assistance, 2018.