Best Ai-Fi Security Practices
Ai-Fi.net is designed to protect your cyber identity and digital assets. The tools and utilities under the Ai-Fi security architecture implement the following:
Various on-device "safes", including:
Digital safes containing secrets protected by the SuperLocks, either through the Multi-Share Secret Distribution (Shamir's Secret Sharing) or the Krypton Tokens in the Ai-Fi Incognito Cloud. They provide Ai-Fi Domain security taking advantage of your private devices and resources, and accessing the anonymous/pseudonymous storages in the Ai-Fi Incognito Cloud, which are popularly adopted to protect many different kinds of recovery seeds for a variety of cryptocurrencies.
The Ai-Fi Wallet, containing:
Item 3 above is the foundational privacy and protection implement built into Ai-Fi, on which the "safes" in 2 are constructed. The functions provided in 2, the SuperLocks, offer the linkage between the Ai-Fi Central and the Ai-Fi Incognito Cloud, which allows anonymous access to independent safes residing in the cloud, accessible only through strong cryptographic keys.
The centerpiece of the Ai-Fi protection architecture is the mobile app Ai-Fi Central that provides the interface to the Ai-Fi security infrastructure. Its safety is guarded by three things: the phone's inbuilt passcode/touch-id, an additional second passcode required when entering into the app, and the physical security through your possession of the phone. This protection through Ai-Fi Central is foolproof for all intents and purposes as long as you are in possession of your phone. In the unfortunate event of losing your phone, your Ai-Fi data may be "wiped" along with all other iPhone data. Your data won't end up in the wrong hands as long as the "wipe" is triggered in time. After the wipe, all your Ai-Fi assets are still recoverable by fetching and applying your Ai-Fi recovery passphrase for your Ai-Fi Wallet saved at the initial installation of Ai-Fi Central. (Apple iCloud would take care of the rest if you are on an iPhone, in which case you need to submit your iCloud password to enter.)
There obviously exists a window of vulnerability between the time of losing your phone and the time it is wiped or recovered, depending on the strength of your Touch ID, Face ID, passcodes, or passwords. This window may be quite long, especially when the loss event is the consequence of a "targeted" attack that swiftly turns off the power before taking the phone to an attack lab for offline analysis. Your Ai-Fi Central app remains vulnerable until the app is "recovered" by the original recovery passphrase and then "rekeyed" to render previous DigiVault and key stores useless.
For the rich and paranoid who are not comfortable with putting all eggs in one basket, Ai-Fi offers another protection mechanism based on the latest Threshold Signature technology that fights off this "Single Basket Attack" by making use of redundant components, which involves two pieces of hardware.
Not many of us are fans of the classic login/password scheme. Fortunately, underlying all the Ai-Fi protection mechanisms is the application of Public Key Cryptography at a strength level comparable to or stronger than that protecting all the cryptocurrencies, or Bitcoins in particular, achieving pseudonymity at the same time. This lifts us out of the stone age of passwords. It also works smoothly with, and complements, any multi-factor authentication scheme.
Modern protection schemes for one's digital assets based on Public Key Cryptography are considered foolproof. The success of Bitcoin and other cryptocurrencies is directly credited to this technology. Clearly, its effectiveness hinges on the way we safeguard our private keys. Even though considered stronger than passwords, private keys must be physically recorded since they are too long to memorize.
In the case of a cryptocurrency wallet, the ingenious scheme of organizing all the keys under a deterministic hierarchy (BIP-0032) condenses all the private keys into a single "seed passphrase" for recovery, which is usually 12 or 24 words long and is still beyond the grasp of our memory. This seed phrase, therefore, also creates a "hot potato" issue, outside the wallet protection schemes. Most of the apparatus on the market for "saving" them is not much more than a "paper vault".
For those critical "hot potato" long private keys or seed phrases, Ai-Fi.net offers a user-friendly secret locking scheme of cryptographic strength comparable to that of those private keys. This secret locking "Krypton Token" scheme is based on the combination of strong "passphrases" of sufficient entropy and client-side "salts". You may want to learn more about this in the rather lengthy document here, including a Bug Bounty program to attest to its validity and robustness.
As practitioners of various Ai-Fi Security tools, some of us at Ai-Fi.net have gradually developed a personal approach to protecting the large number of passwords collected over the long stretch of time we have spent surfing the web and connecting to various Internet services. Instead of relying on third-party password management services, we are of the opinion that, for privacy protection and a warrant-proof guarantee, self-reliance is the best policy: take advantage of the Ai-Fi protection without involving account-based third-party service providers. We believe that Ai-Fi has developed a solid foundation for achieving the goal of self-sufficiency. However, this is not to preclude the adoption of those password management cloud services if we are clear on what we are getting into. The application of Ai-Fi password protection requires slightly more care, as privacy and security often demand more on our part.
The objective is to protect the following common categories of digital assets:
The first category is where most password managers focus, with their Autofill option. Since one's passwords are stored and automatically filled when needed, it is a good idea to also have those managers suggest strong passwords to avoid trivial weaknesses.
For applications in category 2, most password managers don't offer much since there is no standard to go by in identifying the password data entry in order to automatically enter the appropriate passwords. The best those utilities can offer is just a repository for password record keeping. Our Ai-Fi Central has the DigiVault embedded in our mobile app as a handy repository for this category.
Category 3 is important if one dabbles in cryptocurrencies. The recovery seeds described above are highly critical to our financial security, especially for those of us who don't want to outsource the care of our cryptocurrencies to third-party escrow services. This is one of those "hot potato" issues when "paper vault" is not risky and outsourcing them to some third-party password manager service is unacceptable. Put otherwise, this category helps protect all those items in the "paper vault", such as the master password for your password managers.
This write-up is to document our strategy in safekeeping all these three categories of digital assets by applying some foundational services we have built into Ai-Fi Central and leveraging a few public and free password managers:
1 and 2 above are supported primarily through the Ai-Fi Central mobile app.
Please follow their respective documentation for details on Ai-Fi Krypton Tokens and SuperLock.
Given enough rope, we eventually hang ourselves with the self-inflicted chaos owing to the undisciplined hoarding of passwords.
Alternatively, we'd recommend keeping around only a couple of strong "master" passwords and deriving the rest by combining them or leveraging other utilities such as Ai-Fi DigiVault. We'd suggest using those "master" passwords to unlock the recovery seed for your Ai-Fi Wallet in your Ai-Fi Central app, or your Krypton Tokens in the Incognito Cloud managed independently from your Ai-Fi Central app, and deriving other secondary passwords from those primary repositories.
Most of us are comfortable outsourcing those secondary ones to the "Autofill" utilities offered by Google or Apple, just making sure we safely maintain the password for logging into those services. They are effective password managers if the risk of exposing your passwords to the providers is manageable. Keep in mind that it is probably unlikely for Google or Apple to engage in any active attacks on individual accounts unless they are compelled to do so by state actors. This is especially true for Google after its embarrassing account breach in 2018. For banking or financial websites, this use of the "Autofill" tool is recommended only if those banks and financial institutions offer 2-factor authentication, so that your accounts may be tied to your other email accounts or mobile phones in addition to the auto-filled password protection. Obviously this second factor is not part of the same "Autofill provider", in order to rule out the provider as a potential threat/vulnerability. This applies to all other non-financial sites deemed critical enough to warrant multi-factor protection.
For those adopting the Google Chrome browser as the "password manager", make sure your Google account password is changed to a new, proven strong password and embrace all the security mechanisms offered by Google, including all their security schemes involving your cell, additional email address, Google Authenticator, etc. for multi-factor protection, regardless of whether your email address shows up on the famous "';--have i been pwned?" site or not. If your email was previously "pwned", you may want to sign up for a new email account in order to be severed from all the possible PII and metadata exposures due to previous breaches. With the Autofill feature, there is no reason not to adopt a very strong password.
If one takes advantage of those "Autofill" utilities or password managers built into a computing platform (e.g. Apple iOS) or embedded within the browser, there is little need to sign up for any cloud services to manage your passwords.
One common issue with passwords is the memory lapses that frequently afflict us as we try to memorize them. There should only be a small number of them to commit to memory. Keeping those passwords organized could go a long way. (Our suggestion is to organize them hierarchically.)
The other reason we forget some of those passwords is their infrequent use. This issue may be alleviated by taking advantage of the fact that the longer the password, if created intelligently, the stronger the protection. There is no reason to create all kinds of long ones just to make them stronger, at the risk of memory lapse. We could create password subcomponents of sufficient strength for their use cases, and create a long one for more crucial applications by piecing several together.
For ease of recall, structure your passwords as phrases of multiple words that are easy to remember. Most decent websites now accept blanks, so a password can be structured as a phrase.
This will become clear in the examples below.
P1 is something we are all very familiar with and enter into our desktop or laptop multiple times a day if the screen timeout is configured for power and security.
P2 is easily retrieved, especially when the "Autofill" and "Auto Sign-in" utilities offer a sync option over multiple devices through the network. Many of us take advantage of what Google offers through the Chrome browser.
The "salt" adds additional entropy against online hacking if not exposed. It may also be comfortably written down and kept in a drawer.
The following is an example strategy for safekeeping your passwords:
The P1 above takes centuries to crack if attacked offline without throttling. P2 is entered and protected by Google cloud. Although both are used daily on the Windows 10 platform in our example, their compromise is still a possibility. However, with P1 + P2 and an extra salt thrown into the mix at the creation of the Ai-Fi Krypton Token on one's mobile phone, the databases protected by our Ai-Fi Central app (a separate platform away from Windows or PCs), including a variety of crypto wallets, all encapsulated into the recovery seeds, appear indestructible.
In summary, to ward off identity theft, design an indestructible seed/recovery passphrase, memorize it, supplement it with an Autofill tool like iPhone or Google Chrome for web accounts, use 2-factor for critical (bank) accounts, and diligently record all your non-web passwords in the Ai-Fi DigiVault.
There are numerous password strength testers on the web. Some of those are suspected to be rogue password collectors, so take precautions when you get out there. Our recommendation is the well-known password evaluator zxcvbn site, backed by a technical paper, a YouTube presentation and Dropbox. The nice thing about this tester is that it gives a critique after the test, pointing out the weaknesses of your passwords.
zxcvbn gives test results based on different attack scenarios. The online attacks apply to our typical sign-in with passwords, which is mostly "throttled" to limit your number of tries per unit time. The offline attacks apply to scenarios where your computing devices are stolen or fall into the hands of attackers, including the many situations where the service providers are compromised, which renders the throttling useless.
After playing around with this tester for a while, a few rules seem to emerge. Length is all-critical, with a minimum of 12 characters; all else doesn't have a prayer, as echoed in this Microsoft report.
Sprinkle funny characters and vary letter cases liberally. Repeating or predictable patterns are not effective means of lengthening. A phrase with multiple words separated by blanks works well for achieving a long password by way of narrative or storytelling. For example, "This is my master password part 1" (literally) gets "centuries" in all four categories in the zxcvbn tester. Obviously, the suggested practice of "This is my master password part 1" + "This is my master password part 2" will take at least "centuries x centuries" to crack.
You will find it rewarding to play around with passphrases/passwords that are easy for you to memorize and then try to simplify them while maintaining the same strength. For instance,
All password strength meters rely on various heuristics, making educated guesses about how candidate passwords are formulated in users' brains. Those heuristics are as varied as the models they are based on, their dictionary sizes and the adopted hash algorithms. For instance, "one two three four five six" and "how much wood could a woodchuck chuck if a woodchuck could chuck wood" both obtain "centuries" on zxcvbn's scoreboard, which is quite ludicrous, with serious consequences if taken on as the seed passphrase for Bitcoin wallets.
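How much the verdict depends on the attacker model can be worked out directly. The sketch below is an added example, not zxcvbn's or Ai-Fi's code: it counts guesses for a phrase under a character brute-force model and under word-list models, then converts them to centuries at zxcvbn's four attack rates. The word-list sizes (20 number words, 2048 words) and the `stretch` factor, set by the caller to mirror the 100,000 ratio this page quotes for key stretching, are assumptions for illustration.

```python
# zxcvbn's four attack scenarios, in guesses per second.
RATES = {
    "online_throttled": 100 / 3600,   # 100 guesses per hour
    "online_unthrottled": 10,
    "offline_slow_hash": 1e4,
    "offline_fast_hash": 1e10,
}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def char_model_guesses(phrase, charset_size=27):
    """Brute force over characters: 26 lowercase letters plus the blank."""
    return charset_size ** len(phrase)


def word_model_guesses(phrase, wordlist_size):
    """Attacker who tries every sequence of words drawn from a list of that size."""
    return wordlist_size ** len(phrase.split())


def centuries_to_crack(guesses, rate, stretch=1):
    """Average case (half the space); stretch multiplies the cost of each guess."""
    return (guesses / 2) * stretch / rate / SECONDS_PER_CENTURY


def report(phrase, wordlist_sizes=(20, 2048), stretch=1):
    """Centuries to crack, per attacker model and per zxcvbn scenario."""
    models = {"characters": char_model_guesses(phrase)}
    for size in wordlist_sizes:
        models[f"{size}-word list"] = word_model_guesses(phrase, size)
    return {
        model: {name: centuries_to_crack(g, rate, stretch)
                for name, rate in RATES.items()}
        for model, g in models.items()
    }


if __name__ == "__main__":
    phrase = "one two three four five six"  # the phrase discussed above
    for stretch in (1, 100_000):
        print(f"stretch x{stretch}")
        for model, row in report(phrase, stretch=stretch).items():
            print(f"  {model:15s}", {k: f"{v:.3g}" for k, v in row.items()})
```

Under the character model the phrase looks unbreakable, while an attacker who guesses number words finishes an offline fast-hash search in well under a second, and a 100,000x stretch does not rescue it.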
The key derivation hash function achieves the biggest gain, maximizing the ratio of crack time from 1 to 100,000 with Argon2 as the preferred algorithm. The client-side salt is also a big winner in thwarting the dictionary attack and injecting entropy into the fray without costing much brain power. Ai-Fi.net offers all options in terms of key stretching and salt for our users to adjust their creation of master passphrases. Make sure you understand why we throw in many options and adopt the appropriate level of security per intended application.
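A sketch of key stretching with a client-side salt, as discussed above. This is an added example, not Ai-Fi's Krypton Token code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for Argon2, and the way P1 and P2 are combined, the iteration count, the salt value and the guess list are all assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumption: work factor picked for this sketch


def derive_key(p1: str, p2: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch P1 + P2 with a client-side salt into a 32-byte key."""
    # Length-prefix each part so ("ab", "c") and ("a", "bc") give different keys.
    parts = [p.encode("utf-8") for p in (p1, p2)]
    secret = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def try_guesses(target_key: bytes, candidates, salt: bytes):
    """Return the (p1, p2) pair that reproduces target_key under salt, or None."""
    for p1, p2 in candidates:
        if hmac.compare_digest(derive_key(p1, p2, salt), target_key):
            return (p1, p2)
    return None


# Constructed sample values, not real credentials.
P1 = "This is my master password part 1"
P2 = "This is my master password part 2"
SALT = bytes.fromhex("5f1c9a7e3b2d4c68a0e1f2d3c4b5a697")  # written down, kept client side
GUESSES = [("password", "123456"), ("letmein", "qwerty"), (P1, P2)]


def demo():
    key = derive_key(P1, P2, SALT)
    return {
        # The right passphrase is in the guess list, but the salt is unknown:
        # every derived key differs, so the search fails.
        "without_salt": try_guesses(key, GUESSES, b"\x00" * 16),
        # Salt exposed: the guess list works, at ITERATIONS hashes per guess.
        "with_salt": try_guesses(key, GUESSES, SALT),
    }


if __name__ == "__main__":
    print(demo())
```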