Frequently Asked Questions

This is a password lock box system, unlike any other we've found.


What is the 3rdKey.com multi-layered approach to security?

We use multiple layers of security to protect your data:

  1. Private, user-specific encryption keys which keep your data safe from a site breach
  2. The latest industry standard SSL/TLS (HTTPS) to keep out prying eyes
  3. Input fields are encrypted
  4. Block Cross-Site Scripting
  5. and Cross-Site Request Forgery
  6. A key known only to you prevents Man In The Middle attacks
  7. Why use three keys instead of just one?
  8. Using drop-down boxes for parts of your 3rd key prevents Key Captcher attacks

What are, and why have, user-specific encryption keys?

What is a key-captcher attack, and how can 3rdKey.com stop them?

How does 3rdKey.com keep data safe in the event of a site breach?

What is SSL? TLS? HTTPS? Why does 3rdKey.com use it (them)?

What if someone breaks HTTPS SSL/TLS? It has happened before

3rdKey.com is a little different from most web sites that use secure connections to communicate with browsers. When it comes to security, "we don't trust anything."

Just a couple of years ago, in 2014, SSL version 3.0 was broken, and the industry had to come up with a new method of keeping internet communications secure. Hence TLS was created, and quickly version 1.0 became 1.1, which then became 1.2, which is the current standard and is believed to be impenetrable.

But here at 3rdKey.com, we're not so quick to just accept things. We think "if it was possible to break SSL 3.0 then maybe it's possible to break TLS 1.2 as well." In which case, we want a way to keep your data safe, even if TLS 1.2 (or whatever the current standard might be) is broken.

But, even more to the point, any secure communication that relies on a Certificate Authority can be breached if someone using the browser has seen a certificate warning and clicked "use this web site anyway". Sometimes this can "mean that the Web surfer is being redirected somehow to a fake Web site." --ComputerWorld

And here's where it gets really scary... If you go to a web site that you trust, get a certificate warning, and click through to the web site, accepting the certificate, you're also accepting the Certificate Authority that signed that certificate. This means that any other certificate signed by that Certificate Authority (real or fake) will now be accepted at any site you visit, or from any Man-In-The-Middle attacker that intercepts your communication (for example on public WiFi).

Or, if you are using an internet cafe, someone else, some time in the past, could have clicked through to a web site and accepted a certificate and its Certificate Authority, which now means that you accept a certificate that isn't for the site you're visiting.

So, even though you verify that a site is using HTTPS over TLS 1.2, you can't be certain that someone else isn't listening in, or even modifying your communications, because the certificate could have been faked.

That's why 3rdKey.com does more than just use HTTPS over TLS 1.2. We encrypt the communication further, through our own algorithm, and require your 3rd key to decipher the communication.

Sources: Microsoft / digicert / ComputerWorld / InMotionHosting / MakeUseOf


What is Cross-Site-Scripting (XSS) and how does 3rdKey.com block it?

In short, Cross-Site Scripting (XSS) is the idea of using a script from one server to read or manipulate something on another server.


Explain Cross-Site Request Forgery (CSRF), and how 3rdKey.com prevents it.

This can be confused with Cross-Site Scripting; the effect is about the same, but the method is quite different.

In XSS the scumBag.net virus site has stolen Dave's login by reading goodSite.com's cookies; in CSRF scumBag.net 'guesses' that Dave is logged in to goodSite.com, and sends it instructions.


What is a Man In The Middle (MITM) attack, and how can 3rdkey.com block it?

Why does 3rdKey.com use three keys instead of just one?

How does using the 3rd key shut down a Man In The Middle (MITM) attack?

What is a Diffie-Hellman secret key exchange?

Isn't there a back-door to our encryption algorithm? Isn't there a way to read the data without the keys?

Odds are, if you're asking this question, you've forgotten your encryption key(s) and want 3rdKey.com to recover your data for you. Sorry.


More information about how your data is protected against a site breach by 3rdKey.com


Why not use local storage? / Why not store passwords on my handheld device?

The shortest answer to this question is a question, "what happens if you lose or damage your device?"

How will you recover your passwords if the only place you have them stored is no longer useable?

And if someone finds your phone, will they then have access to all of your accounts on all of the sites you visit?

Some password safes allow you to back up your passwords to the cloud, so you can recover them to a new device should yours fail. I don't know what you do between when you lose your device and when you get a new one set up though.

And what if you use multiple devices, maybe one at work, a desktop at home, an iPad on the road, and sometimes your phone? Some password safes do allow you to share your passwords across your devices, using the cloud.

If you're using the cloud for cross-device sharing or for backup, you need to rely on the safe storage of your passwords, and trust that your passwords will be safe even when that web site is breached.


How can 3rdKey.com say that your passwords are safe in the event of a web site security breach?

3rdKey.com are unique in that we don't keep your encryption keys in our database.

This means that even if a hacker were to breach our security and obtain all of our files, and decipher our proprietary encryption algorithm, the only way they can decipher your passwords is if they know your encryption keys, both of them, and in the correct sequence.

They could, if they managed to steal our algorithm, decipher the "reminder" text that 3rdKey.com has stored for you, which is why you want to be careful about what you put in your reminder text. But the only way to decipher your passwords would be to brute-force their way through your encryption keys, which is why 3rdKey.com recommend complex encryption keys.

Even if they manage to brute-force their way into finding out one person's passwords, those keys won't let them access anyone else's passwords.

Again, 3rdKey.com doesn't know your encryption keys; we don't store them anywhere, except temporarily, and even then 3rdKey.com keep them split in parts.


Why not populate passwords?

This is the most aggravating part of our system, why can't you simply click on one button and have the password safe software populate the log in form?

There are several password safe applications and sites that do exactly that, so why not?

Why, instead, do 3rdKey.com help you to copy the password to the clipboard, so you can paste it in yourself?

Here's the main reason: In order to populate a form the application has to know the URL, and the user name, and the password(s). So it has to know everything required to access that site. Any application that knows enough to access a secure site should be treated with extreme caution.

In order to prevent hackers from ever getting into your accounts, 3rdKey.com does not store URLs or user names, 3rdKey.com does not keep encryption keys on our server, 3rdKey.com has a proprietary encryption algorithm, and each user's information is kept with complex encryption keys, unique to each user.

Additionally, and this is something that I don't believe other password safe systems have addressed very well at all, by requiring a plug-in within a browser to read and write data into a browser window, the browser has been opened to access by any application or web site. This is a virus waiting to happen.


Why use a multi-step log in process?

Three reasons, actually. First, by asking for two different keys, in a random sequence, 3rdKey.com are making it far more difficult for an automated system to provide the correct responses.

And second, by sending and receiving two separate forms' worth of data, that are not the same "event" on the network level, 3rdKey.com are making it near impossible for a network sniffer to connect these two forms and record both of the encryption keys.

And finally, 3rdKey.com actually add some semi-random characters to each of your encryption keys which makes the algorithm just that little bit more secure.

This is not the same as Multi-Factor authentication (wikipedia).


Why store part of the key in a cookie and part in a temporary database?

3rdKey.com combine your two encryption keys, plus some semi-random characters, into a long, single encryption key.

3rdKey.com doesn't want to store this key anywhere, because it's what allows our algorithm to decrypt your stored data. So what 3rdKey.com does is encrypt it using our proprietary encryption algorithm, then split the result into two parts, then put one part in a cookie on your computer, and the other part is put in temporary storage on our server.

Neither part can be decrypted without the other - that's one of the advantages of our proprietary encryption algorithm - and none of your data can be decrypted without this key being fully decrypted.

If someone read the cookie on your device, they would only have one part of an encrypted key that cannot be decrypted.

If someone read the temporary storage, they would only have one part of an encrypted key that cannot be decrypted.


Why do 3rdKey.com keep your keys apart from each other?

To let you in on a little secret, in order to decrypt something our algorithm has encrypted, you need to take one character from the start, and one character from the end, and combine them, and then decrypt that result. So if you only have the front part or the back part, you don't have half of each character.

By keeping them separate 3rdKey.com prevents anyone from ever decrypting your passwords. To do so, they absolutely have to have both of your encryption keys.
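The two sections above describe splitting a session key so that the cookie part and the server part are useless on their own. The block below is an added illustration, not 3rdKey.com's proprietary algorithm: it uses the standard two-share XOR split (one share is fresh random bytes, the other is the key XOR that share), so either share alone is indistinguishable from random, and it pairs the server share with an expiring, unguessable session id. The session key bytes and the TemporaryShareStore class are assumptions constructed for this example.

```python
"""Two-share split of a login session key: one share in the browser cookie,
one in expiring server-side storage. Added example; not 3rdKey.com's code.
"""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """Split `secret` into a cookie share and a server share of equal length.

    The cookie share is uniformly random; the server share is secret XOR
    cookie share. Each share on its own is uniformly random, so reading
    only the cookie or only the server record reveals nothing about the key.
    """
    if not secret:
        raise ValueError("secret must be non-empty")
    cookie_share = secrets.token_bytes(len(secret))
    server_share = bytes(a ^ b for a, b in zip(secret, cookie_share))
    return cookie_share, server_share


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret from both shares (XOR is order-independent)."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class TemporaryShareStore:
    """Stand-in for the server's temporary storage (assumed, for this example).

    Shares are indexed by an unguessable session id and dropped after
    `ttl_seconds`, so a dump of the store taken after expiry holds nothing.
    `clock` is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[bytes, float]] = {}

    def put(self, share: bytes) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits, not guessable
        self._entries[session_id] = (share, self._clock() + self._ttl)
        return session_id

    def get(self, session_id: str) -> Optional[bytes]:
        """Return the share, or None if unknown or expired (expired ones are purged)."""
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        share, expires_at = entry
        if self._clock() > expires_at:
            del self._entries[session_id]
            return None
        return share

    def forget(self, session_id: str) -> None:
        """Logout: discard the server share so the cookie share becomes worthless."""
        self._entries.pop(session_id, None)


def login_split(session_key: bytes, store: TemporaryShareStore) -> Tuple[bytes, str]:
    """Server side at login: keep no copy of the key, only one share plus an id.

    Both returned values go to the browser (the share as a cookie value, the
    id as the session reference); the server retains only the other share.
    """
    cookie_share, server_share = split_secret(session_key)
    return cookie_share, store.put(server_share)


def login_recover(cookie_share: bytes, session_id: str,
                  store: TemporaryShareStore) -> Optional[bytes]:
    """Server side on a later request: rebuild the key from both shares, or fail."""
    server_share = store.get(session_id)
    if server_share is None:
        return None
    return combine_shares(cookie_share, server_share)


if __name__ == "__main__":
    # Constructed sample key standing in for the combined key1 + key2 + random characters.
    demo_store = TemporaryShareStore(ttl_seconds=600)
    cookie, sid = login_split(b"constructed-session-key-0123456789", demo_store)
    print("cookie share alone:", cookie.hex())
    print("recovered:", login_recover(cookie, sid, demo_store))
```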


Why don't 3rdKey.com store your Encryption Keys (password)?

By not storing your encryption keys, either of them, 3rdKey.com can't decrypt your passwords without you entering your keys.

Many sites store data in their database in a form that can be retrieved and processed by their software, even if you're not there. But our systems cannot read your data without your encryption keys.

By not keeping your encryption keys, 3rdKey.com ensures that if someone were to obtain your data, they can't decipher it to know your passwords.


Why store passwords on a server?

"Any site will eventually have its security breached, right? So why store passwords on a server? Why not keep them on a private device? Or at least on a thumb drive?"

"It's not about if a web site will be breached, but when."

These are two very compelling questions, and it would take a lot of convincing for me to want to store my passwords in the cloud. And that's exactly why I wrote this web site.

I wanted a system that allowed me to:

My first try was to generate random passwords and store them in a Windows Encrypted file. That works, except if you're somewhere that doesn't allow you to plug in a thumb drive.

Then I put the file on my phone, and that works, except that I have to read the phone and type the characters into the web page I'm logging in to. With the file backed up to a thumb drive, and not using lower case L (because it looks like a one) or capital O (because it looks like zero), then this works, as long as I don't lose my phone and someone is able to get into it to read my passwords.

That's when I decided to store the passwords in an encrypted file on a server, and while I'm at it, have the software generate random passwords, and be able to search, and store the result in the clipboard so all I have to do is paste into the form I'm logging in to.

The key thing, though, was to encrypt the data in a file that no-one will ever be able to decrypt. So the next several months were spent investigating encryption algorithms, and I came to the conclusion that the best algorithm would be proprietary.


What makes our encryption algorithm unique?

There are several things that make our algorithm unique. In addition to several tried and true processes, 3rdKey.com incorporates some unique features that no other encryption algorithm we know of utilizes.

Using our algorithm, with or without an encryption key will not produce the same result twice. A very short word, of four characters, for example, produces 6 million different encrypted results. Longer words or phrases increase in complexity astronomically.

Using an encryption key changes the result completely, and a single character change from the encryption key during decryption returns a completely different result, usually resulting in the complete failure of the decryption algorithm.

When decrypting, every character is dependent upon multiple characters within the encrypted string, so any single character missing from the encrypted string results in a completely different result.

3rdKey.com are so confident in our algorithm, we have an Algorithm Trial page that anyone can use, and that has a challenge, with a reward posted.


Encryption Key recommendations

What you use for your encryption keys is critical, as they're what keep your passwords safe.

There are two types of "passwords" that are difficult to hack.

Entirely random ones are too difficult to remember, and that's why you want a password lock box system. That leaves "seemingly" random words or phrases. You want words or phrases that are easy for you to remember, but are impossible to guess. And you want a few of these, which you then string together to make a random list of words or phrases.

What kinds of words are easy to remember but impossible to guess?

The point is to find something that you can remember easily enough, but that someone else would not be able to find out about you, even if they knew you very well. So don't use your anniversary, even from a previous marriage (like you'd want to be reminded of that every time you log in).

The reason they need to be random, and varied, is that hackers use databases to attack passwords now, a database of names, a database of places, etc. But if you've mixed up the words so that they're random, databases won't work because they need to know all the words in the list, and if some of the words are numbers (like dates or a phone number or a license plate), the database method falls short.

Let's assume you've selected a list that's something like "Marilyn Roscamond, QS07 WDE, 2136764532, Maggie Mae Marvin, 12/12/1978". Now just split them into two parts, so that part one becomes "Marilyn Roscamond, QS07 WDE" and part two becomes "2136764532, Maggie Mae Marvin, 12/12/1978". And you have your two encryption keys. You don't need to use spaces or commas or slashes if you don't want to, and you can insert other special characters if you wish, maybe after the 1st character of each word. That's up to you. The point is that if you've selected some seemingly random words or phrases, it's near impossible for a hacker to guess the words, so they're forced to use a brute-force attack.


What is a "brute-force" attack?

This is where a hacker tries to guess a password by using all the possible combinations of passwords, one at a time, until they eventually discover the one that works.

If you're using seemingly random encryption keys you've forced them to try every character in every position.

With 26 upper case letters, 26 lower case letters, 10 numbers, and more than 30 special characters, there are more than 90 different characters one can use. A password that is one character long can have 90 different values. A password two characters long can have 90 values in the second character for every one of the 90 values in the first character, or 90 times 90 possible values, which is 8100 combinations. A three-character password would have 90 x 90 x 90 combinations (729,000), four characters 90^4, etc.

In order for a hacker to find an encryption key that could be any length, from 2 to 1024 characters, they will have to try every combination from 2 characters up through the length of the encryption key used. So if the key is 16 characters long, they would have to try all of the 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, and 15-character combinations before they'd start on the 16-character combinations. Even if your encryption key were "aaaaaaaaaaaaaaaa" (16 a's) and a was the first character they try in each position, it would take 90^2 + 90^3 + 90^4 + 90^5 + 90^6 + 90^7 + 90^8 + 90^9 + 90^10 + 90^11 + 90^12 + 90^13 + 90^14 + 90^15 attempts before they'd get to the first 16-character attempt. That's 2 x 10^29 tests; if they manage to do a quadrillion (1x10^15) tests per second, that works out to be 6,602,121 years. (By the way, I don't believe there's a computer in existence today that could run our algorithm a quadrillion times per second, but they could use multiple super-computers each doing a portion of the tests.) That's the beauty of using long, seemingly random, passwords.

If, however, they assume there are only a couple of special characters, like the underscore (_), the comma (,) and the slash (/), they might test with only 65 characters, and the first 16-character key would be tested after 1x10^27 attempts, or 50,306 years.

But what if the encryption key is 32 characters long? With 90 characters per position, it's 3x10^60 combinations and 1x10^38 years.

This then is a ridiculous amount of computer power required in order to break the code to get into one person's passwords stored on our site. And once they've broken this code, they have to do it all over again for the next account.

3rdKey.com want to force a hacker to use a brute-force approach to get your passwords, having to guess every possible combination of letters. A brute-force attack will guess every letter in the password, like this... Assume the password is made up of upper and lower case letters and numbers, and maybe one or two special characters, and doesn't include the ones that are hard to read like l (ell) and O (oh) or I (eye) because they're too much like 1 (one) and 0 (zero). That makes 60 possible characters for every position in the password (there could be more or less, depending on what you include or exclude, but 60 is easier for the following maths than 61 or 59).

If the password is one character long, there are 60 possibles. If it's two characters long, there are 60 possibles for the first position and 60 for the second position, giving 60x60 or 3600 possibles. Double that to four characters, and there are now 12,960,000 possible passwords (60x60x60x60 or 60^4). If there are eight characters, there are 167,961,600,000,000 possible passwords. If a hacker were able to steal the algorithm, and the data, and write a program that tested the algorithm with every possible combination of letters, and able to get enough processing power to test 1 trillion (million-million - 1,000,000,000,000) passwords per second, then in just under 168 seconds all of the possible combinations of 8-letter passwords would be tested. But if there are 16 characters, and there could be 15, or 14, then the hacker would have to test 8, 9, 10, 11, 12, 13, 14 and 15 character passwords as well, and it will take that same program 909,730,000 years to test all of the possible combinations.
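The two passages above carry the same calculation by hand: when the key length is unknown, an attacker must exhaust every shorter length before the first attempt at the true length, so the cost is a geometric sum over lengths. The block below is an added example (not 3rdKey.com's code) that computes those sums exactly with integer arithmetic and reproduces the page's figures (2 x 10^29 attempts and 6,602,121 years for 90 symbols, 50,306 years for 65 symbols, 168 seconds for 60^8, and 909,730,000 years for 8- to 16-character passwords at 10^12 guesses per second); a 365-day year is assumed, since that is what the page's figures work out to.

```python
"""Brute-force search-space and time estimates for keys of unknown length.

Added example reproducing the FAQ's arithmetic; not 3rdKey.com's code.
A 365-day year is assumed (it matches the page's quoted figures).
"""

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Candidate keys of every length from min_len to max_len inclusive.

    Exact geometric sum alphabet_size**min_len + ... + alphabet_size**max_len,
    computed with Python integers so nothing is lost to floating-point rounding.
    """
    if alphabet_size < 1 or min_len < 0 or max_len < min_len:
        raise ValueError("invalid search-space parameters")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def attempts_before_length(alphabet_size: int, min_len: int, target_len: int) -> int:
    """Attempts spent on every length strictly shorter than target_len.

    This is the page's point about the key 'aaaaaaaaaaaaaaaa': because the
    length is unknown, every 2..15-character candidate is tried before the
    very first 16-character guess, however weak that key is.
    """
    if target_len <= min_len:
        return 0
    return search_space(alphabet_size, min_len, target_len - 1)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed guessing rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def page_figures() -> dict:
    """Recompute the figures quoted in the FAQ so a reader can check them."""
    return {
        # 90 symbols: all 2..15-char keys tried before the first 16-char key
        "attempts_before_16_of_90": attempts_before_length(90, 2, 16),
        "years_before_16_of_90_at_1e15": years_to_exhaust(
            attempts_before_length(90, 2, 16), 1e15),
        # same attacker assuming only 65 symbols
        "years_before_16_of_65_at_1e15": years_to_exhaust(
            attempts_before_length(65, 2, 16), 1e15),
        # 32-char key, 90 symbols: everything up to 31 chars first
        "years_before_32_of_90_at_1e15": years_to_exhaust(
            attempts_before_length(90, 2, 32), 1e15),
        # 60 symbols: every 8-char password at 10^12 guesses per second
        "seconds_all_8_of_60_at_1e12": search_space(60, 8, 8) / 1e12,
        # 60 symbols: every 8..16-char password at 10^12 guesses per second
        "years_all_8_to_16_of_60_at_1e12": years_to_exhaust(
            search_space(60, 8, 16), 1e12),
    }


if __name__ == "__main__":
    for name, value in page_figures().items():
        print(f"{name}: {value:,.4g}")
```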


What are special characters?

Those characters not included in the list of upper and lower case letters or numbers. They include: ! " $ % ^ & * ( ) _ - = + { [ } ] @ ' ~ # < , > . ? / and space


What should you put in your reminder?

Why 3rdKey.com doesn't store site specific information, like URLs and user names

Using the clipboard to copy your password into your log in form

It allows you to store encrypted passwords so you don't have to remember all the passwords for all the web sites, applications, or systems that you use.

It utilizes a complex encryption algorithm, which requires two keys to unlock. These keys are not known by anyone other than you.

This means that even 3rdKey.com can not read your passwords, because we don't know your encryption keys.

3rdKey.com does not keep both keys together at the same time.

When you put in one of your encryption keys during the log in process, 3rdKey.com encrypts it, splits it in half (approximately and randomly) and stores one part in a cookie on your computer and the other part in temporary storage on our server. Then you put in the other of your keys and 3rdKey.com decrypts the first one, combines it with the second, encrypts it, splits it, and stores part in a cookie on your computer and the other part in temporary storage on our server. Neither of these parts can be decrypted without the other part - the encryption algorithm requires information from both parts. And none of your data can be decrypted without both of these parts being combined and then decrypted. Additionally, 3rdKey.com adds a few semi-random characters into this mix so that we end up with a unique encryption key that we don't keep. Since 3rdKey.com doesn't keep it, if our security were to be breached, and our algorithm "stolen" as it were, the thieves could not decrypt your passwords without knowing both of your encryption keys, which are not stored on our systems.

Therefore, your encryption keys are critical, and need to be something that a person isn't going to be able to guess. Don't use password1234 or anything like that... The best thing to do is to use a pair of encryption keys that are easy for you to remember, but something that others will not be able to guess. For example, the name of your first crush. It's not likely that you ever told anyone the name of your first crush, and most people remember them quite well. But for someone to guess what that name is, they'd have to find out the names of every person you've ever known, and try them all. Of course they could just try a database of names, but there are a couple of things you can do to stop this from working as well (later). Another example might be the license plate number of the first car you remember, whether it was yours or maybe even your dad's. Yet another might be a phone number you remember from when you were a child. Or a lock combination. Come up with four of these names or words or sequences of numbers; you can use more if you want, the more the better. Choose some for your first encryption key and some for your second key. Hopefully you now have ten or more characters for each of your encryption keys. Maybe they're your favourite actress, your first car plate, your first crush's phone number, name and birthday, and you split them into MarilynMonroeQS07WDE and 2136764532MaggieMae12/12/1978. These would be extremely difficult for someone to figure out, especially if you never told anyone about your crush on Maggie Mae, but rather easy for you to remember (assuming you remember this stuff to begin with).

3rdKey.com has all the standard stuff like a two-step log in process so that sniffers won't be able to put the two parts together, but we go beyond the normal processes.


Why does 3rdKey.com use a multi-step log in process?

How the "safe" works

And why it's truly safe



How do I use the two-key locking system?

When you first set up your account, you're asked for two encryption keys. 3rdKey.com do not keep your keys, so they need to be memorable but seemingly random.

When you log in, you type in one key and press "Log In". Then another form comes up where you type in the other key and press "Log In".

If you've done it correctly, you're logged in and 3rdKey.com have split your keys into bits and put some on your computer (cookie) and some on our server (temporary).

If not, 3rdKey.com only allow a small number of mistakes before we lock your account.



You search for the name that you gave when you generated and saved a password.

Click on the link to the search page, verify yourself if required, type some or all of the name into the Name: box, click the Search button.

You'll be shown a list of passwords where some or all of the name matches the one you're searching for; each one will have a box with the password in it, and two buttons. You can copy the password to the clipboard, or you can change the password by clicking the edit button.



How do I change a password?



How do I delete a password?


Your passwords are safe, even if our site is hacked

"It's not if a web site will be breached, but when"

We have all heard that adage, and it's probably true, so how can 3rdKey.com honestly say that your passwords are safe when our site is breached?

3rdKey.com expect to be breached. So we've built a proprietary encryption algorithm that protects your password data, because it's unique to you.

Your password data is encrypted using our algorithm with your two encryption keys, and 3rdKey.com does not keep your keys anywhere.

So in the event that a thief obtains our algorithm, and your encrypted data, they still can't read your passwords because they don't have your keys. They will have to try to hack them through brute-force trial and error.

And if you've selected reasonable keys, it will take thousands of years of computer processing.

That's why 3rdKey.com can say with confidence that your passwords are safe, even if our site is breached.

And it's what makes us different from other sites with weak or no encryption of their data.


Why not use local storage? / Why not store passwords on my handheld device?

The shortest answer to this question is a question, "what happens if you lose or damage your device?"

How will you recover your passwords if the only place you have them stored is no longer useable?

And if someone finds your phone, will they then have access to all of your accounts on all of the sites you visit?

Some password safes allow you to back up your password to the cloud, so you can recover them to a new device should yours fail. I don't know what you do between when you lose your device and when you get a new one set up though.

And what if you use multiple devices, maybe one at work, a desktop at home, an iPad on the road, and sometimes your phone? Some password safes do allow you to share your passwords across your devices, using the cloud.

If you're using the cloud for cross-device sharing or for backup, you need to rely on the safe storage of your passwords. And trust that your passwords will be safe even when that web site is breached


How can 3rdKey.com say that your passwords are safe in the event of a web site security breach?

3rdKey.com are unique in that we don't keep your encryption keys in our database.

This means that even if a hacker were to breach our security and obtain all of our files, and decipher our proprietary encryption algorithm the only way they can decipher your passwords is if they know your encryption keys, both of them, and in the correct sequence.

They could, if they managed to steal our algorithm, decipher the "reminder" text that 3rdKey.com has stored for you. Which is why you want to be careful about what you put in your reminder text. But the only way to decypher your passwords would be to brute-force their way through your encryption keys, which is why 3rdKey.com recommends complex encryption keys.

Even if they manage to brute-force their way into finding out one person's passwords, those keys won't let them access anyone elses passwords.

Again, 3rdKey.com doesn't know your encryption keys, we don't store them anywhere, except temporarily and even then we keep them split in parts.


Why not populate passwords?

This is the most aggravating part of our system, why can't you simply click on one button and have the password safe software populate the log in form?

There are several password safe applications and sites that do exactly that, so why not?

Why, instead, do 3rdKey.com help you to copy the password to the clipboard, so you can paste it in yourself.

Here's the main reason: In order to populate a form the application has to know the URL, and the user name, and the password(s). So it has to know everything required to access that site. Any application that knows enough to access a secure site should be treated with extreme caution.

In order to prevent hackers from ever getting into your accounts, 3rdKey.com does not store URLs or user names, 3rdKey.com does not keep encryption keys on our server, 3rdKey.com has a proprietary encryption algorithm, and each user's information is kept with complex encryption keys, unique to each user.

Additionally, and this is something that I don't believe other password safe systems have addressed very well at all, by requiring a plug in within a browser to read and write data into a browser window, the browser has been opened to access by any application or web site. This is a virus waiting to happen.


Why use a multi-step log in process?

Three reasons actually, first, by asking for two different keys, 3rdKey.com are making it far more difficult for an automated system to provide the correct responses.

And second, by sending and receiving two seperate forms worth of data, that are not the same "event" on the network level, 3rdKey.com are making it near impossible for a network sniffer to connect these two forms and record both of the encryption keys.

And finally, 3rdKey.com actually add some semi-random characters to each of your encryption keys which makes the algorithm just that little bit more secure.

This is not the same as Multi-Factor authentication (wikipedia).


Why store part of the key in a cookie and part in a temporary database?

3rdKey.com combine your two encryption keys, plus some semi-random characters, into a long, single encryption key.

3rdKey.com doesn't want to store this key anywhere, because it's what allows our algorithm to decrypt your stored data. So what 3rdKey.com does is encrypt it using our proprietary encryption algorithm, then split the result into two parts, then put one part in a cookie on your computer, and the other part is put in temporary storage on our server.

Neither part can be decrypted without the other - that's one of the advantages of our proprietary encryption algorithm - and none of your data can be decrypted without this key fully decrypted.

If someone read the cookie on your device, they would only have one part of an encrypted key that can not be decrypted.

If someone read the temporary storage, they would only have one part of an encrypted key that can not be decrypted.


Why do 3rdKey.com keep your keys apart from each other?

To let you in on a little secret, in order to decrypt something our algorithm has encrypted, you need to take one character from the start, and one character from the end, and combine them, and then decrypt that result. So if you only have the front part or the back part, you don't have half of each character.

By keeping them separate 3rdKey.com prevent anyone from ever decrypting your passwords. To do so, they absolutely have to have both of your encryption keys.


Why doesn't 3rdKey.com store your encryption keys (passwords)?

By not storing either of your encryption keys, 3rdKey.com cannot decrypt your passwords unless you enter your keys yourself.

Many sites store data in their database in a form their own software can retrieve and process, even when you are not there. Our systems cannot read your data without your encryption keys.

By not keeping your encryption keys, 3rdKey.com ensures that someone who obtained your stored data could not decipher it to learn your passwords.


Why store passwords on a server?

"Any site will eventually have its security breached, right? So why store passwords on a server? Why not keep them on a private device? Or at least on a thumb drive?"

"It's not about if a web site will be breached, but when."

These are two very compelling questions, and it would take a lot of convincing for me to want to store my passwords in the cloud. And that's exactly why I wrote this web site.

I wanted a system that allowed me to:

My first try was to generate random passwords and store them in a Windows encrypted file. That works, except when you're somewhere that doesn't allow you to plug in a thumb drive.

Then I put the file on my phone, and that works, except that I have to read the phone and type the characters into the web page I'm logging in to. With the file backed up to a thumb drive, and not using lower-case L (because it looks like a one) or capital O (because it looks like zero), this works, as long as I don't lose my phone and someone is able to get into it to read my passwords.

That's when I decided to store the passwords in an encrypted file on a server and, while I was at it, have the software generate random passwords, allow searching, and put the result on the clipboard so all I have to do is paste it into the form I'm logging in to.

The key thing, though, was to encrypt the data in a file that no one will ever be able to decrypt. So the next several months were spent investigating encryption algorithms, and I came to the conclusion that the best algorithm would be proprietary.


What makes our encryption algorithm unique?

Several things make our algorithm unique: in addition to several tried-and-true processes, 3rdKey.com incorporates some features that no other encryption algorithm we know of uses.

Our algorithm, with or without an encryption key, never produces the same result twice for the same input. A very short word of four characters, for example, can produce six million different encrypted results, and longer words or phrases increase that number astronomically. (Standard ciphers also produce a different ciphertext each time when they are run in a randomised mode, that is, with a fresh IV or nonce for every message.)

Using an encryption key changes the result completely, and changing even a single character of the key at decryption time returns a completely different result, usually the complete failure of the decryption.

When decrypting, every character depends on multiple characters within the encrypted string, so a single missing character in the encrypted string changes the result completely.

3rdKey.com is so confident in its algorithm that it publishes an Algorithm Trial page anyone can use, together with a challenge and a posted reward. Bear in mind that confidence in a cipher is normally established by public analysis of a published design (Kerckhoffs's principle); a trial page lets you exercise the implementation, but it is not a substitute for that analysis.


Encryption Key recommendations

What you use for your encryption keys are critical, as they're what keep your passwords safe.

There are two kinds of "password" that are difficult to crack: entirely random strings, and seemingly random ones.

Entirely random passwords are too difficult to remember, and that is why you want a password lock box system in the first place. That leaves "seemingly random" words or phrases: ones that are easy for you to remember but impossible for anyone else to guess. You want a few of these, strung together into a random-looking list.

What kinds of words are easy to remember but impossible to guess?

The point is to find something you can remember easily, but that someone else could not find out about you even if they knew you very well. So don't use your anniversary, even from a previous marriage (as if you'd want to be reminded of that every time you log in).

The reason the words need to be random and varied is that attackers now use databases to attack passwords: a database of names, a database of places, and so on. If you have mixed up the words so that the list looks random, a database attack needs to know every kind of word in the list, and if some of the "words" are numbers (a date, a phone number, a licence plate), the database method falls short. Note, though, that any one such component has a small search space on its own (every date in a century is only about 36,500 values); the strength comes from combining several unrelated components, in an order only you know.

Let's assume you have selected a list something like "Marilyn Roscamond, QS07 WDE, 2136764532, Maggie Mae Marvin, 12/12/1978". Now split it into two parts, so that part one becomes "Marilyn Roscamond, QS07 WDE" and part two becomes "2136764532, Maggie Mae Marvin, 12/12/1978", and you have your two encryption keys. You don't need to use the spaces, commas or slashes if you don't want to, and you can insert other special characters if you wish, say after the first character of each word; that is up to you. The point is that if you have chosen seemingly random words or phrases, it is near impossible for an attacker to guess the words, so they are forced into a brute-force attack.


What is a "brute-force" attack?

This is where a hacker tries to guess a password by using all the possible combinations of passwords, one at a time, until they eventually discover the one that works.

If you're using seemingly random encryption keys you've forced them to try every character in every position.

With 26 upper-case letters, 26 lower-case letters, 10 digits and some 30 special characters, there are more than 90 different characters to choose from. A one-character password can have 90 different values. A two-character password can have 90 values in the second position for each of the 90 values in the first, 90 x 90 = 8,100 combinations. Three characters give 90 x 90 x 90 = 729,000 combinations, four give 90^4, and so on.

An attacker who does not know the length of the key (here anything from 2 to 1024 characters) has to try every combination from 2 characters up through the length actually used. So for a 16-character key they would have to try all of the 2-, 3-, 4-, ..., 15-character combinations before starting on the 16-character ones. Even if your encryption key were "aaaaaaaaaaaaaaaa" (sixteen a's) and a were the first character tried in every position, it would take 90^2 + 90^3 + 90^4 + ... + 90^15 attempts before the first 16-character attempt. That is about 2 x 10^29 tests; at a quadrillion (10^15) tests per second, it works out to 6,602,121 years. (By the way, I don't believe there is a computer in existence today that could run our algorithm a quadrillion times per second, but an attacker could use several super-computers, each doing a portion of the tests.) That is the beauty of long, seemingly random passwords. If, however, they assume that only a couple of special characters are in use, say the underscore (_), the comma (,) and the slash (/), they might test with only 65 characters, and the first 16-character key would be tried after about 1.6 x 10^27 attempts, or 50,306 years.

But what if the encryption key is 32 characters long? With 90 characters per position, it takes about 4 x 10^60 attempts to exhaust lengths 2 through 31 before the first 32-character attempt, roughly 10^38 years at the same rate.

This is a ridiculous amount of computing power to break into one person's passwords stored on our site, and having broken one account, the attacker has to do it all over again for the next. One caveat: these figures assume the attacker has to enumerate every possible string. A key built from names, plates and dates can instead be attacked by combining lists of such components, which is why the recommendations above stress mixing several unrelated components rather than relying on length alone.
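To make these figures checkable, here is the same arithmetic as a small Python script. It is an added example, not part of the FAQ or 3rdKey.com's software. `attempts_before_length` is the geometric sum above in closed form, `years_at_rate` converts guesses into wall-clock time at an assumed guessing rate, and `combinator_candidates` sizes the much smaller search space an attacker faces if they know the key is built from a handful of list entries, as discussed in the encryption key recommendations. The list sizes in the `__main__` block (100,000 names, 100,000,000 number plates, 36,525 dates) are illustrative assumptions, not measured figures.

```python
"""Brute-force arithmetic from the FAQ, carried through in code.
Added example, not 3rdKey.com's software."""
from math import factorial, prod

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000; the FAQ's year figures use this


def attempts_before_length(charset_size: int, key_length: int, min_length: int = 2) -> int:
    """Guesses made by an attacker who tries every string of length
    min_length, min_length+1, ..., key_length-1 before the first guess of
    the true length: the geometric sum c**2 + c**3 + ... + c**(key_length-1),
    computed in closed form as c**m * (c**(k-m) - 1) / (c - 1)."""
    if key_length <= min_length:
        return 0
    c, m, k = charset_size, min_length, key_length
    return c**m * (c ** (k - m) - 1) // (c - 1)


def years_at_rate(attempts: int, guesses_per_second: float) -> float:
    """Wall-clock years needed for `attempts` guesses at a steady rate."""
    return attempts / guesses_per_second / SECONDS_PER_YEAR


def combinator_candidates(list_sizes: list[int], unknown_order: bool = True) -> int:
    """Upper bound on candidates when the attacker knows the key is one entry
    from each of several lists (names, plates, dates, phone numbers, ...)
    concatenated.  With unknown_order the attacker also tries every ordering
    of the components.  This, not the raw character count, is the search
    space a 'seemingly random' key actually presents."""
    n = prod(list_sizes)
    return n * factorial(len(list_sizes)) if unknown_order else n


if __name__ == "__main__":
    RATE = 1e15  # a quadrillion guesses per second, the FAQ's assumed rate
    for charset, length in [(90, 16), (65, 16), (90, 32)]:
        a = attempts_before_length(charset, length)
        print(f"{charset} symbols, {length}-char key: {a:.3g} guesses before the "
              f"first {length}-char try, {years_at_rate(a, RATE):.3g} years at {RATE:.0e}/s")
    # Illustrative (assumed) list sizes: 1e5 first names, 1e8 number plates,
    # 36,525 dates in a century.  Three such components, order unknown.
    a = combinator_candidates([10**5, 10**8, 36_525])
    print(f"three-component key: {a:.3g} candidates, {a / RATE:.0f} seconds at {RATE:.0e}/s")
```

Running it reproduces the FAQ's figures: about 2 x 10^29 guesses and 6.6 million years for a 16-character key over 90 symbols, about 50,300 years over 65 symbols, and about 10^38 years for 32 characters. The three-component key, by contrast, falls in a few thousand seconds at the same rate, which is why the number, variety and ordering of components matters more than raw length.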


What are special characters?

Those characters not included in the upper-case letters, lower-case letters or digits. They include: ! " $ % ^ & * ( ) _ - = + { [ } ] @ ' ~ # < , > . ? / and space. (Printable ASCII has 33 such characters including space, for 95 printable characters in all, so the "more than 90" figure used above is a round number.)


What should you put in your reminder?

Why 3rdKey.com doesn't store site specific information, like URLs and user names

Using the clipboard to copy your password into your log in form

It allows you to store encrypted passwords so you don't have to remember the passwords for all the web sites, applications and systems you use.

It uses a complex encryption algorithm that requires two keys to unlock, and those keys are known to no one but you.

This means that even 3rdKey.com cannot read your passwords, because 3rdKey.com does not know your encryption keys.

3rdKey.com never keeps both keys together at the same time.

When you enter the first of your encryption keys during log-in, 3rdKey.com encrypts it, splits it roughly in half (at a random point) and stores one part in a cookie on your computer and the other in temporary storage on our server. When you then enter your second key, 3rdKey.com decrypts the first one, combines it with the second, encrypts the result, splits it, and again stores one part in a cookie on your computer and the other in temporary storage on our server.

Neither of these parts can be decrypted without the other, because the encryption algorithm requires information from both, and none of your data can be decrypted until both parts have been combined and decrypted. 3rdKey.com also adds a few semi-random characters into the mix, so that it ends up with a unique encryption key that it does not keep. Because 3rdKey.com does not keep that key, if our security were breached and our algorithm "stolen", the thieves still could not decrypt your passwords without knowing both of your encryption keys, which are not stored on our systems.
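As an added example (not 3rdKey.com's code, which uses the proprietary algorithm described above), here is the same two-step handling of the session key with a standard two-of-two XOR secret split standing in for the proprietary encrypt-then-split step. It models both the procedure in the paragraph above and the cookie-plus-temporary-storage arrangement explained under "Why store part of the key in a cookie and part in a temporary database?". The XOR split gives, by construction, the property the FAQ claims for its own scheme: either share on its own is a uniformly random string that carries no information about the combined key, so a stolen cookie or a copied server store reveals nothing by itself. The `LoginSession` class, its in-memory `server_store`, the session id and the `\x00` separator between the two keys are assumptions of this model; the FAQ's semi-random characters are left out because the page does not say how they are derived.

```python
"""Two-step log-in with the session key held as two shares: one in a browser
cookie, one in server-side temporary storage.  Added example, not
3rdKey.com's code: a standard two-of-two XOR secret split stands in for the
proprietary encrypt-then-split step the FAQ describes."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split.  The cookie share is fresh random bytes and the server
    share is secret XOR cookie share, so each share on its own is uniformly
    random and independent of the secret: a stolen cookie or a copied server
    store reveals nothing."""
    cookie_share = secrets.token_bytes(len(secret))
    server_share = xor_bytes(secret, cookie_share)
    return cookie_share, server_share


def join_shares(cookie_share: bytes, server_share: bytes) -> bytes:
    """Recover the secret; needs both shares of the same split."""
    return xor_bytes(cookie_share, server_share)


class LoginSession:
    """Models the FAQ's two-step log-in.  Only shares are ever stored; the
    combined key exists just long enough to be split (or, per request,
    rebuilt).  server_store and the session id are assumptions of this model."""

    def __init__(self) -> None:
        self.server_store: dict[str, bytes] = {}  # temporary server-side storage

    def step_one(self, key1: str) -> tuple[str, bytes]:
        """User enters key 1.  Returns (session id, cookie share) for the browser."""
        session_id = secrets.token_hex(16)
        cookie_share, server_share = split_secret(key1.encode("utf-8"))
        self.server_store[session_id] = server_share
        return session_id, cookie_share

    def step_two(self, session_id: str, cookie_share: bytes, key2: str) -> bytes:
        """User enters key 2.  Rebuild key 1 from its two shares, combine it with
        key 2, split the combination, and store the new shares.  The old
        server share is discarded, so the step-one cookie is now useless.
        (The FAQ's semi-random characters are omitted: the page does not say
        how they are derived.)"""
        key1 = join_shares(cookie_share, self.server_store.pop(session_id))
        combined = key1 + b"\x00" + key2.encode("utf-8")  # separator is an assumption
        new_cookie, new_server = split_secret(combined)
        self.server_store[session_id] = new_server
        return new_cookie

    def session_key(self, session_id: str, cookie_share: bytes) -> bytes:
        """Rebuild the combined key for one request.  A wrong cookie share gives
        random bytes and a missing session raises KeyError; neither yields the key."""
        return join_shares(cookie_share, self.server_store[session_id])


if __name__ == "__main__":
    session = LoginSession()
    # constructed sample keys, taken from the FAQ's own example
    sid, cookie = session.step_one("MarilynMonroeQS07WDE")
    cookie = session.step_two(sid, cookie, "2136764532MaggieMae12/12/1978")
    print("cookie share :", cookie.hex())
    print("server share :", session.server_store[sid].hex())
    print("combined key :", session.session_key(sid, cookie))
```

The reason to use a secret split rather than simply cutting a ciphertext in two is that, for ordinary ciphers used in a stream mode, one half of the ciphertext together with the decryption key yields the corresponding half of the plaintext; a 2-of-2 split has no such failure mode, because a single share is random regardless of what key was used to produce it.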

Your encryption keys are therefore critical, and need to be something nobody else could guess. Don't use password1234 or anything like it. The best approach is a pair of encryption keys that are easy for you to remember but that others will not be able to guess. For example, the name of your first crush: you probably never told anyone, and most people remember it quite well. To guess it, an attacker would have to find out the names of every person you have ever known and try them all. Of course, they could just try a database of names, but there are a couple of things you can do to defeat that as well (see the encryption key recommendations). Another example might be the licence plate of the first car you remember, whether yours or your dad's; another a phone number you remember from childhood, or a lock combination.

Come up with four of these names, words or number sequences (more if you like; the more the better), and use some for your first encryption key and some for your second. You should now have ten or more characters in each key. Perhaps they are your favourite actress, your first car's plate, and your first crush's phone number, name and birthday, split into MarilynMonroeQS07WDE and 2136764532MaggieMae12/12/1978. These would be extremely difficult for someone else to figure out, especially if you never told anyone about your crush on Maggie Mae, but rather easy for you to remember (assuming you remember this stuff to begin with).

3rdKey.com has all the standard protections, like a two-step log-in process so that a sniffer cannot put the two parts together, but it goes beyond the normal processes.


Why does 3rdKey.com use a multi-step log-in process?

 
Home | The Safe | FAQ | Challenge | Phishing | Privacy Policy | Log In | Register
© copyright 1997-2017