making the roaming future


mr -

Passwords are hard to keep up with, aren’t they? I’ve been trying to handle this for a long time in different ways. You can keep a notebook with all of them written down, most often used ones sticked to your desktop monitor on post-its or try to memorize at least some. More organized individuals use password managers, where a master password protects a database of entries containing login data, passwords, credit card numbers and their expiration dates and CVVs. Those in order to be easily accessible must be synced across different devices, backed up and stored off-site for extra security.

What if we kept one master password and let our device generate an account- or site-specific passwords needed on-demand? It’s definitely not a new idea, though I’m not entirely sure why not a very popular one. Perhaps there’s a gap between the notebook/post-it and password database approaches I’m not aware of?

Regardless, I came up with an extremely simple solution in form of an app I made and already published to App Store. I present you PolyPass.

For now, it really is extremely simple as it doesn’t keep any data on your device, so you have to type in your master password every once in a while.

The password is generated using a PBKDF2 algorithm set up so that it iterates 50000 times in order to derive the final password.


Currently the passwords generated are composed of only letters (four four-letter groups). In the next version it will be possible to choose one of three strength settings, because some websites and, frankly, my company’s security policies, still live in the dark ages of thinking that slapping a digit or special character here and there protects your password from modern brute-force attacks. Nowadays it’s mostly length that really counts, especially when it’s guaranteed that your simple password is not easily-guessable or a dictionary-based one. For the extreme among you, third option will contain letters, digits and many different special characters.

Another thing I’ll add is storing the master password in device’s keychain and protecting it with Touch ID if available and set up, so it’s not needed to retype it every time the app starts. I’m still on the fence whether I should also enable that keychain item for iCloud Keychain syncing. For now it will be local-only for sure.

The other problem is that if you base your final password on a combination of a master password and website’s URL or email address, assuming you’re using only one password strength setting, it will always be the same password. And I know sometimes a password change is required, not only in corporate settings, also as a good security practice. The solution for that is helping out by adding another password parameter - revision. I haven’t figured this out yet how to make it a well-rounded feature in terms of usability, but I’ll get there eventually.

tags: passwords polypass security