Sunday, October 31, 2021

Clearing some mis-conceptions about SimplePass

Clearing some mis-conceptions about SimplePass

1) SimplePass can be bruteforced.

Answer: Yes

Every offline application can be brute-forced like Word/Excel documents or zip files.


2) SimplePass is sloooow!

Answer: Yes, but for a good reason!

        If the current industry-standard SHA-256 algorithm was used and if you had a 6 digit number as SimplePass password, on my laptop, the password database can be brute-forced in 6 seconds on average. 

        But SimplePass uses a way more complex algorithm compared to SHA-256. In the above scenario of 6 digit number being brute-forced, it takes anywhere from 1 - 11 days on average (depending on various factors). The algorithm is complex. The complexity of the algorithm varies depending upon the speed of your machine. The benchmarking happens when you use SimplePass for the first time. The benchmarking result determines the complexity of the algorithm. So, the strength of the algorithm might not be the same for every machine. The strength of the algorithm adapts to the speed of your machine determined when benchmarking for the first time.

        SimplePass is slightly slow for a reason. I am a developer, I had to make a decision between a fast but easily cracked security mechanism vs a little slower (1 - 2 seconds response time, not too bad) but harder to crack security mechanism. I believe that applications should be secure by default. So, I opted for the complex algorithm at the expense of a slightly seemingly slower application.   


3) Why aren't there recent updates for SimplePass? What happened to the roadmap?

       Due to certain reasons, I had to pivot to some other projects. SimplePass is not dead, all the features mentioned in the roadmap would be implemented. Due to certain reasons that I can't mention here, I had to prioritize some other projects. This decision was made sometime during the end of the first week of August. But ALight Technology And Services Limited would always stay committed to building products for the use of every netizen and some if not all of the products would always remain free and complete privacy-focused. For example, SimplePass does not even ask for your email address, no email campaigns/mailing lists. You can use SimplePass without even giving your email. If server-based features are added, things might get slightly different but still user privacy and security would be prioritized.


Clearing some mis-conceptions about SimplePass

No comments:

Post a Comment