this post was submitted on 15 Aug 2023
27 points (96.6% liked)

Any thoughts on this one?

Just in case anyone needs an ELI5 (not me, obviously, I totally understood how it works 🙄)


Of course! I'll simplify everything for you.

Imagine you have a toy box with a secret toy hidden inside. This app works in a similar way to hide and protect your secret number (PIN).

How it hides your PIN:

  1. PIN in a Puzzle: The app places your PIN in a puzzle-like grid and fills up the rest with random numbers. It's like hiding a toy among many other toys.

    • Even the app doesn't know where your secret toy (PIN) is in the grid.
    • If someone tries to peek over your shoulder, they won't easily figure out which toy is your secret one.
  2. Special Keyboard: Instead of using the regular way of typing, the app gives you a special keyboard inside it.

    • This makes it hard for sneaky apps to see what you type.
    • Also, the buttons on this keyboard keep changing places, so if someone is trying to see where you touch, they'll get confused.

How it keeps things safe inside:

  1. Magic Lock (Encryption): The app uses a magic spell (called AES) to lock your secret toy so that even if someone gets it, they can't play with it without the magic key.

  2. Secret Name-Tag (Hashing): Every toy (PIN) gets a secret name-tag that only the app can read. It's like writing a name in a language only the app understands.

  3. Strong Password: If you ever forget things and need a backup way to get your toy, the app has a super-strong password system (called Argon2id).

What happens when you use the app:

  1. Starting the App: The app looks for your toys (PINs) using the magic key and shows you their secret name-tags.

  2. Picking a Toy (PIN): When you choose a toy by its name-tag, the app shows you the toy in its puzzle grid, but hidden among other toys.

  3. Adding a New Toy (PIN): If you get a new toy, you can give it a secret spot in the grid and a secret name-tag. The app will use its magic spell to lock it up safe.

In short: This app is like a magical toy box. It hides your secret toys (PINs) in clever ways and uses special magic to keep them safe.

top 4 comments
[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

I don't know about this one. I'm not completely sure I understand how to use it, so the documentation could do with improvement for a start. But it seems like you enter your PIN into squares on a grid using a number pad ~~(whose buttons don't seem to change places, though the docs say they do)~~ then fill the other squares with random numbers and save the whole grid. So you are responsible for remembering where in the grid to find your PIN.

What are the colors for? They don't seem to do anything. Am I misunderstanding?

~~Why does it say the buttons move around, when they don't seem to? Again, am I missing something?~~ Edit: the buttons moving around is enabled through the settings screen.

If I'm understanding it right, here's my concern:

If people have to remember where in the grid their PIN is stored, they'll always put it somewhere they can remember easily, and they'll probably use the same location and pattern for every PIN. So if an attacker wanted to brute force a PIN they would only need to try the more popular locations and patterns on the grid, for most users. And once they got one PIN they'd probably be able to get others using the same pattern. So not very good security.

So it seems a bit cumbersome and not very good for security, if I'm understanding it correctly.

I'd rather stick my PINs into my password manager (Bitwarden) and use biometrics to unlock its vault. But perhaps this isn't the point of the app. ~~It claims to move buttons around to protect the PIN from attackers analyzing where you tapped with your fingers, but I didn't find this feature.~~ Biometrics also protect against this to some extent (though fingerprints aren't too hard to acquire), but I do wonder whether I've misunderstood this app.
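To put rough numbers on the concern raised in the comment above, here is an added example (not part of the thread and not the app's code). The 5×5 grid size, the sample PIN `4071` and its position are assumptions constructed for illustration; the script compares the guessing space of a 4-digit PIN with the set of digit strings readable along straight lines in a saved grid.

```python
import math
import random

# The 8 directions in which a PIN laid out in a straight line can be read.
DIRECTIONS = [(0, 1), (0, -1), (1, 0), (-1, 0), (1, 1), (1, -1), (-1, 1), (-1, -1)]

def line_placements(rows, cols, pin_len):
    """Yield every straight, contiguous run of pin_len cells inside the grid."""
    for r in range(rows):
        for c in range(cols):
            for dr, dc in DIRECTIONS:
                end_r, end_c = r + dr * (pin_len - 1), c + dc * (pin_len - 1)
                if 0 <= end_r < rows and 0 <= end_c < cols:
                    yield [(r + dr * i, c + dc * i) for i in range(pin_len)]

def line_candidates(grid, pin_len):
    """Distinct digit strings readable along straight lines in a filled grid."""
    return {"".join(grid[r][c] for r, c in cells)
            for cells in line_placements(len(grid), len(grid[0]), pin_len)}

def build_grid(rows, cols, pin, cells, seed):
    """Constructed sample grid: random filler digits with the PIN at `cells`.
    random.Random is used only to make the sample reproducible."""
    rng = random.Random(seed)
    grid = [[str(rng.randrange(10)) for _ in range(cols)] for _ in range(rows)]
    for digit, (r, c) in zip(pin, cells):
        grid[r][c] = digit
    return grid

def summarize(grid, pin_len):
    """Compare the full PIN space with what a straight-line habit leaves."""
    cands = line_candidates(grid, pin_len)
    return {
        "all_pins": 10 ** pin_len,
        "ordered_cell_choices": math.perm(len(grid) * len(grid[0]), pin_len),
        "line_candidates": len(cands),
        "bits_without_grid": round(math.log2(10 ** pin_len), 2),
        "bits_if_straight_line": round(math.log2(len(cands)), 2),
    }

# Assumed layout: PIN written left to right along the second row.
SAMPLE_GRID = build_grid(5, 5, "4071", [(1, 0), (1, 1), (1, 2), (1, 3)], seed=1)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_GRID, 4).items():
        print(f"{key}: {value}")
```

With arbitrary cell choices the grid narrows little, since a 4-digit PIN only has 10,000 values to begin with; a habitual straight-line layout leaves at most 56 candidates in a 5×5 grid.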

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Did you already install it? (I didn't)

No idea what the colors are for, but I think you can also use random symbols, not just numbers? And even if it's just numbers that don't change, it will not be the numbers of your actual pin.

And yes, you'd need to remember the patterns. I myself do that anyway with all my pins.

Sometimes there are card payment terminals with the numbers in a randomized order; I always need to take my phone out to look at a normal numpad so I can remember my actual pin. 😅

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

Yes, I installed it. I guess the colors are just an optional memory aid - you could always put your PIN on the same color or sequence of colors, read in the same direction, while the arrangement of colors varies from PIN to PIN.

I think I'm understanding a little better now. The threat model at which this is aimed seems to be people peering over your shoulder while you wait in line at the bank or supermarket. You can call up your forgotten PIN on screen without anyone being able to read it off over your shoulder. If I just store the PIN in Bitwarden it's more secure in storage but it doesn't address this particular threat model.

Given that very narrow threat model, the app is not intended to defend against someone with time to view and analyze your various PIN patterns, and it's not designed for robust and secure backup of your PINs.

There's also the option of requiring user authentication to get into the app (in my case via fingerprint, but it could be via an Android PIN, which you'll just have to remember unassisted). This protects against someone picking up your phone and browsing your PIN patterns, unless you're like me and your family always know how to get into your phone.

So it's not a bad idea if remembering PINs on the spot in public is enough of a concern to warrant installing a dedicated app. But if you just want a place to store PINs, then a password manager still seems more secure and convenient.

[–] [email protected] 3 points 1 year ago

Ah thanks a lot. Yea nothing for me then either. But if it could replace android pin/pattern then it might be something interesting.