
In the latest version of PassXYZ, the one-time passwords used by Google, Microsoft, Facebook and other services can be managed with PassXYZ. I used to rely on Google Authenticator and Microsoft Authenticator to generate one-time passwords for logging in to the corresponding accounts: Google Authenticator for Google, Facebook, GitHub and similar accounts, and Microsoft Authenticator specifically for Microsoft accounts. I had been using an iPhone and later switched to an Android phone, and found that phones sold in China ship without Google Services, so Microsoft Authenticator could not be installed at all, and Google Authenticator could be installed but did not work properly. A further nuisance was that even if both apps could be installed, the OTP of every one of my accounts would have to be set up again, because the existing settings could not be carried over from the iPhone to the new Android phone.

So when developing PassXYZ I decided to build OTP support into it. PassXYZ uses the KeePass database format; if all OTP settings are kept in the KeePass database and PassXYZ itself generates the one-time passwords, every problem above goes away. PassXYZ runs on Android, iOS and Windows 10, so cross-platform use is not an issue, and the various migration problems are handled by cloud synchronization and backup.

Two-factor authentication and one-time passwords (OTP)

To help more users understand how to manage one-time passwords correctly with PassXYZ, this article first explains what two-factor authentication and one-time passwords are before describing the OTP management feature.

Two-factor authentication (2FA) is the most common form of multi-factor authentication: in addition to the username and password, the user must present a second, independent proof of identity. Among the popular 2FA methods in use today, the most common is verification based on a one-time password (OTP).

OTP-based verification comes mainly in two forms: the one-time password is either sent by SMS, or generated by a dedicated app (such as Google Authenticator or PassXYZ). Both present the user with a short code to type in, but they differ in where the code comes from. An SMS code is generated by the service and delivered over the phone network; an app-generated code is computed on the device from a secret shared with the service during setup, so it works offline and does not depend on the phone number. Each has its advantages and drawbacks, so most internet services offer both and let the user choose.

For an overview of other multi-factor authentication methods, see the companion article "What is multi-factor authentication? Why use multi-factor authentication to protect password management?". Here we focus on one-time passwords implemented according to RFC 4226 and RFC 6238.

Standards for implementing OTP

Because OTP is the cheapest and easiest two-factor method to deploy, one-time passwords based on RFC 4226 and RFC 6238 are used by a large number of internet services, including Google, Facebook, GitHub, Dropbox, Aliyuan and Microsoft, to protect user accounts.

What are RFC 4226 and RFC 6238? RFC stands for Request for Comments, the publication series in which the IETF issues internet standards and related documents. RFC 4226 defines HOTP, a one-time password computed with HMAC from a shared secret and a counter; RFC 6238 defines TOTP, which replaces the counter with the current time divided into fixed steps (30 seconds by default). TOTP is what authenticator apps implement, and it is the scheme the rest of this article refers to as OTP.

Why use 2FA

Why use two-factor authentication? Because authentication with only a username and password is easy for an attacker to defeat. Take the recent Facebook data breach, in which the records of roughly 50 million users were obtained by attackers through a flaw in the system. The screenshot below shows the warning Facebook sent out at the time.

[Image: facebook_2fa_02]

The highlighted part of the message shows that the attackers exploited a flaw to bypass the username and password entirely and hijack accounts directly to collect user data. Enabling two-factor authentication substantially raises the cost of taking over an account with a stolen or guessed password. It does not by itself stop an attacker who already holds a valid session, so it complements the provider's own fixes rather than replacing them; but for the far more common case of leaked or reused passwords it is the most effective protection available to the user.

So how do you enable two-factor authentication? Below we use Facebook as the example to show how to turn on 2FA and how to use PassXYZ to manage and generate the one-time passwords.

Storing the account details in PassXYZ

Before enabling two-factor authentication on Facebook you need a Facebook account. Once you have one, record its details in PassXYZ first. As shown below, the PassXYZ templates include a Facebook template; use it to create an entry for the account.

[Image: facebook01]

Tapping the option shown above opens the Facebook account entry for editing; the template looks like this.

[Image: facebook02]

The Facebook entry holds the name, e-mail address, password, mobile phone number and so on. Anything else can be recorded in the Notes field at the bottom. After filling in the details, tap the save button in the top right corner to store the entry. There are four buttons in the top right corner, in order:

  • Scan: scan the QR code that configures the OTP for the current account
  • Attachment: add images or related documents
  • Cancel: discard the edits
  • Save: store the current entry

The Scan button is the one we come back to shortly.

Enabling 2FA

With the account details stored, continue to enable 2FA on Facebook. This is done from Facebook's settings in a desktop browser; the page looks like this:

[Image: facebook_2fa_01]

The page contains an option "Use two-factor authentication". Choosing the edit button to its right leads to the following page.

[Image: facebook_2fa_03]

Here you choose whether the OTP is generated by an authentication app or sent by text message. Choosing the authentication app opens the pop-up below.

[Image: facebook_2fa_04]

There are now two ways to set up the app: scan the QR code on the left, or type in the OTP key shown on the right. In PassXYZ, use the Scan button in the Facebook entry editor described earlier to import the OTP settings. Once the settings have been imported, choose OTP from the PassXYZ menu to see the page below.

[Image: otplistpage]

The Facebook row shown above was produced by the imported OTP settings. The six-digit number in that row is the one-time password used for the second verification step. Most OTP setups rotate the code every 30 or 60 seconds; the interval is chosen by each service provider, and 30 seconds is the TOTP default. The time bar under the number shows how long the current code remains valid.
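The following is an added example, not code from PassXYZ, showing what the app does with the QR code from the Facebook page above and how the six-digit code and its time bar are computed: it parses an otpauth:// provisioning URI (the format authenticator QR codes carry), base32-decodes the shared secret, and implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library. The sample URI is constructed around the RFC test key "12345678901234567890"; the label and issuer are illustrative.

```python
"""Added example (not PassXYZ code): parse an otpauth:// URI, then compute
HOTP (RFC 4226) and TOTP (RFC 6238) codes with the standard library only."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Extract label, secret and parameters from an otpauth://totp/... URI
    (the content of the QR codes that authenticator apps scan)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI without secret")
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"],
        "issuer": query.get("issuer"),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def decode_secret(b32: str) -> bytes:
    """Base32-decode the shared secret; tolerate missing '=' padding, spaces
    and lowercase, all of which occur in real provisioning URIs."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    reduce modulo 10^digits, left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: TOTP is HOTP with counter = floor(unix_time / period)."""
    return hotp(key, at // period, digits, algorithm)


def seconds_remaining(at: int, period: int = 30) -> int:
    """Seconds until the current code expires (the time bar in the OTP list)."""
    return period - (at % period)


def verify_totp(key: bytes, candidate: str, at: int, period: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- window steps to absorb
    clock drift, and compare in constant time (different lengths never match)."""
    base = at // period
    return any(
        hmac.compare_digest(hotp(key, base + skew), candidate)
        for skew in range(-window, window + 1)
    )


# Constructed sample: the RFC 4226/6238 test key, base32-encoded, with an
# illustrative Facebook label.
SAMPLE_URI = (
    "otpauth://totp/Facebook:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Facebook&digits=6&period=30"
)

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    key = decode_secret(cfg["secret"])
    now = int(time.time())
    print(cfg["label"], totp(key, now, cfg["period"], cfg["digits"]),
          "valid for", seconds_remaining(now, cfg["period"]), "s")
```

The RFC 6238 test vectors are a convenient self-check: with this key, the code at Unix time 59 is 287082 (one second before it rotates), and at 1111111109 it is 081804, which is why a correct implementation must keep leading zeros. The verification window is a server-side concern, but it explains why a code that has just expired is often still accepted.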

Recovery codes

Recovery codes are a fallback for OTP in an emergency, for instance when the phone is temporarily out of action, or when SMS OTP is in use and the text message cannot be received because of network problems.

After the OTP has been set up in PassXYZ, choose the bottom option, Recovery Codes, in Facebook's 2FA settings to generate a set of recovery codes. Ten codes are typically generated at a time; like OTPs they are single-use passwords. Record the generated codes in the Notes field of the Facebook entry in PassXYZ so they are easy to find. Because each code can be used only once, delete a code from the notes after using it.

Beta testing of PassXYZ and PassXYZ Cloud

To collect more user feedback on the new PassXYZ features, the latest versions of both PassXYZ and PassXYZ Cloud are open for beta testing, and interested users are welcome to join.

The PassXYZ beta can be installed from the Apple App Store, Google Play and the Windows Store through the links below:

iOS:

Android:

Windows 10

The Windows Store also carries a PassXYZ beta, but there is no public test link. If you are interested, e-mail the address below to obtain the beta: passxyz@foxmail.com. Please include the e-mail address of your Microsoft account in the message.

Summary

This article explained what two-factor authentication is and its most widely used form, the one-time password (OTP), and then used Facebook as an example of managing account details and the associated OTP together in PassXYZ. When using an online service, you can look up the account details in PassXYZ and generate the OTP for the second verification step directly in PassXYZ as well. PassXYZ generates OTPs with the same mechanism as Google Authenticator, implemented according to RFC 4226 and RFC 6238, so it supports the second-step verification used by Google, Facebook, GitHub, Dropbox, Aliyuan, Microsoft and other common internet services.


Further reading:

PassXYZ is a cross-platform password manager that runs on Android and iOS phones and on Windows 10.
PassXYZ is built on the well-known open-source software KeePass and is therefore compatible with the KeePass data format. The core code of PassXYZ is available on GitHub. The distinguishing feature of PassXYZ is a large collection of templates for personal information records, used to share and pass on good habits. Together, the PassXYZ app and the PassXYZ WeChat public account aim to raise the general level of personal information management.

You can download the app by searching for PassXYZ in the Apple App Store, the Microsoft Store, Google Play or the Huawei AppGallery. For more templates, or if you are interested in personal information security and management, search for PassXYZ to follow the public account, or add it through the WeChat ID passxyz_kpclib. The PassXYZ public account focuses on personal information security and management.

This article introduces how to export and import data files in PassXYZ. Although PassXYZ is built on the KeePass library, it is a cross-platform application, whereas KeePass itself is a Windows desktop application. To cover the different platforms, PassXYZ has to use the facilities each platform provides to implement import and export.

Because KeePass is a Windows application, it operates on files directly. This is normal for Windows applications but not for Android or iOS. Modern mobile platforms use an application sandbox to protect user data, and mobile applications have very limited access to the file system. Windows 10 introduced Universal Windows Platform (UWP) applications, which also run in an application sandbox; from the file system's point of view this is very similar to Android and iOS.

Because the PassXYZ data files are stored in the application data area, they benefit from the application sandbox, and the security of the user data is enforced by the system itself. For user data in the application data area, the system also provides the following:
1. Data backup: Android and iOS can back up user data to the cloud, such as Google Drive or iCloud.
2. System utilities: users can process their data with the utilities the operating system provides; for example, iOS users can use iTunes to import and export user data.
3. Data security: the operating system uses the sandbox to isolate each application's user data from the others.

Since all data files are stored in the application data area, PassXYZ presents users rather than files. To exchange data across devices, PassXYZ provides import and export functions.

Naming convention of PassXYZ user data files

When a user starts using PassXYZ, PassXYZ runs through a registration process to create a username and password. Each username corresponds to one data file, named as follows:

    pass_d_{ encoded username }.xyz

or

    pass_e_{ encoded username }.xyz

The file name extension of a PassXYZ data file is .xyz. The prefix indicates the file type:

  • The prefix "pass_d_" indicates a normal data file.
  • The prefix "pass_e_" indicates a data file with Device Lock enabled.

The username is part of the file name, but in encoded form. The username is encoded because different operating systems impose different rules on file names; with the encoded form the file name satisfies every platform's rules, and users can choose any username they like.
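As an added example (not PassXYZ code), the functions below build and parse file names that follow this convention, recover the username and the Device Lock state from a folder listing, and ignore files that do not match. The page does not say which encoding PassXYZ applies to the username, so this example assumes URL-safe base64 without padding, which yields only the characters [A-Za-z0-9_-] and is therefore valid on Windows, Android and iOS alike; the sample folder listing is constructed.

```python
"""Added example (not PassXYZ code): pass_d_/pass_e_{encoded username}.xyz
file names. Encoding of the username is an assumption (URL-safe base64)."""
import base64
import re
from typing import Iterable, List, NamedTuple

PREFIX_NORMAL = "pass_d_"
PREFIX_DEVICE_LOCK = "pass_e_"
EXTENSION = ".xyz"
_NAME_RE = re.compile(r"^pass_([de])_([A-Za-z0-9_-]+)\.xyz$")


class DataFile(NamedTuple):
    username: str
    device_lock: bool
    file_name: str


def encode_username(username: str) -> str:
    # Assumed encoding: URL-safe base64 of the UTF-8 bytes with '=' padding
    # stripped, so the result never contains a path separator or a character
    # that any of the three platforms rejects in a file name.
    raw = base64.urlsafe_b64encode(username.encode("utf-8")).decode("ascii")
    return raw.rstrip("=")


def decode_username(encoded: str) -> str:
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def file_name_for(username: str, device_lock: bool = False) -> str:
    if not username:
        raise ValueError("username must not be empty")
    prefix = PREFIX_DEVICE_LOCK if device_lock else PREFIX_NORMAL
    return f"{prefix}{encode_username(username)}{EXTENSION}"


def parse_file_name(name: str) -> DataFile:
    """Recover username and lock state from a file name; reject anything that
    does not match the convention so stray files in the data folder are ignored."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a PassXYZ data file: {name!r}")
    return DataFile(decode_username(m.group(2)), m.group(1) == "e", name)


def list_users(file_names: Iterable[str]) -> List[DataFile]:
    """Given the names found in the application data folder, return the users
    that can be offered for login or import."""
    users = []
    for n in file_names:
        try:
            users.append(parse_file_name(n))
        except ValueError:
            continue
    return users


if __name__ == "__main__":
    # Constructed sample folder listing: one normal user, one Device Lock user
    # with a username that no file system would accept verbatim, one stray file.
    folder = [file_name_for("alice"), file_name_for("张三/路人", True), "notes.txt"]
    for f in list_users(folder):
        print(f)
```

Parsing back from the file name is also what lets the import page display a readable username for a .xyz file without opening the (encrypted) database, while a .kdbx file has no such name and must be given one by the user.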

Import of data file

PassXYZ users can import a PassXYZ data file (.xyz) or a KeePass data file (.kdbx) through the system's Sharing function on Android, iOS or Windows. We use Android to explain the import process; the process on iOS and Windows is similar.

[Image: sharing]

As the figure above shows, once a file is selected it can be shared to PassXYZ or PassXYZ Cloud through the Sharing menu.
After selecting PassXYZ in the Sharing menu, the page below appears in PassXYZ.

[Image: importdata]

If the selected file is a PassXYZ data file, the username in the file name is decoded and displayed on the page. If it is a KeePass data file, a new username has to be given before import. Clicking the Import button copies the data file into the PassXYZ data area.

Export of data file

To export a PassXYZ data file, the system Sharing function is used as well. As the figure below shows, there is an "Export database" option in the PassXYZ Settings. After clicking "Export database", the system Sharing menu is displayed, and the user can choose Bluetooth, e-mail, cloud storage or another option to transmit the data file to another device. Whatever channel is used, the exported file is the encrypted database itself, so its protection rests entirely on the master password (and on Device Lock, if enabled); copies sent by e-mail or left in a shared folder should be treated accordingly.

[Image: export]

Exporting data files through Sharing works on Android, iOS and Windows. In addition, each platform offers its own ways to export or import data.
On Windows 10, the data files of PassXYZ and PassXYZ Cloud can be accessed directly in the folders below, which makes importing and exporting data files on Windows straightforward:
1. PassXYZ data file
%USERPROFILE%\AppData\Local\Packages\13783RogerYe.PassXYZ_ffxtg61znt7pw\LocalState
2. PassXYZ Cloud data file
%USERPROFILE%\AppData\Local\Packages\13783RogerYe.PassXYZCloud_ffxtg61znt7pw\LocalState

On iOS, users can import or export data files with iTunes as shown below.

[Image: itunes]

After launching iTunes, choose File Sharing from the menu on the left. A list of applications whose data files can be accessed is displayed. Select PassXYZ in the list, and the PassXYZ data files are shown in the PassXYZ Documents section, ready for import or export.

Hope this article will be helpful when you import or export PassXYZ data files.


PassXYZ is a cross platform password management software developed using KeePass. PassXYZ can run on Android, iOS and Windows 10.
If you are interested in personal information management, follow the PassXYZ WeChat public account by searching for the keyword PassXYZ or add it using the WeChat ID passxyz_kpclib. The source code of KPCLib can be found on GitHub at https://github.com/passxyz/KPCLib.

You can also find more information about PassXYZ on its website and install it from Google Play, Apple Store and Microsoft Store.

This article covers the management of PassXYZ data files and the import and export functions. Although PassXYZ is built on KeePass, the developers made a number of changes on top of KeePass to suit multiple platforms and make the application easier for ordinary users.

First, KeePass users operate on files directly, which is fine for an ordinary Windows application. But when the goal is a similar experience on Android, iOS and Windows, direct file operations cause problems. Android and iOS both use a sandbox to protect user data: each application's data is isolated from the others. On iOS in particular, before the Files app was introduced, users never handled files directly. For Windows users, PassXYZ is delivered as a UWP application; the main difference between a UWP application and an ordinary Windows application is precisely that user data is isolated between applications, much as on Android and iOS.

PassXYZ stores its data files in the application data area designated by each platform. The benefit is that PassXYZ gets the same system-provided functions as native applications on that platform without having to implement them itself. These include:
1. Data backup: Android and iOS both back up user data; Google backs up to Google Drive, and iOS users can back up with iCloud.
2. System utilities: the tools the system provides can be used on the data; on iOS, for example, iTunes can import and export the data.
3. Data security: because application data is isolated, data security is enforced by the operating system.

Because all data files live in the application data area, PassXYZ manages them through the notion of users, and the import and export functions let users transfer and synchronize data between devices.

Naming convention of PassXYZ user data files

The first time PassXYZ is used, it asks for a username and password. Each username corresponds to one data file, named as follows:

    pass_d_{encoded username}.xyz

or

    pass_e_{encoded username}.xyz

The extension of a PassXYZ data file is ".xyz". The prefix indicates the type of data file: "pass_d_" is a normal data file, and "pass_e_" is a data file with Device Lock enabled. Note that the username part is encoded. There are two reasons for encoding it: different systems allow different character sets in file names, and encoding removes any restriction on the characters a username may contain.

Importing a data file

Users can import PassXYZ data files or KeePass data files ending in .kdbx. Importing is done through the system's sharing function. Android is used as the example below; iOS and Windows work similarly.

[Image: sharing]

As shown above, after selecting a file, choose the system's share function and the share sheet appears at the bottom. Choose PassXYZ or PassXYZ Cloud in the sheet to import the data file.

If PassXYZ is chosen, the import page below appears.

[Image: importdata]

At this point the imported file must be given a username. For a PassXYZ data file, as shown above, the encoded username in the file name is recognized automatically and decoded into a readable username, so choosing "Import" imports the file directly.

Exporting a data file

Exporting is also done through the system's sharing function. As shown below, the Settings contain an "Export data" option. Tapping it brings up the system share sheet, from which the data file can be sent to another device over Bluetooth, WeChat, QQ and so on.

[Image: export]

Exporting through the system's sharing function works on every platform.

Besides the sharing function, each system has its own ways of exporting or backing up the data files. On Windows 10, all UWP application data is stored under %USERPROFILE%\AppData\Local\Packages. PassXYZ and PassXYZ Cloud keep their data files in the following directories:
1. PassXYZ data file:
%USERPROFILE%\AppData\Local\Packages\13783RogerYe.PassXYZ_ffxtg61znt7pw\LocalState
2. PassXYZ Cloud data file:
%USERPROFILE%\AppData\Local\Packages\13783RogerYe.PassXYZCloud_ffxtg61znt7pw\LocalState

On Apple systems, iTunes can be used to import or export the data files.

[Image: itunes]

After launching iTunes, choose "File Sharing" in the list on the left. Applications with data files are listed in the window on the right; select PassXYZ and its data files appear under "PassXYZ Documents".

We hope this description of the features helps you use PassXYZ!




As data breaches on the internet have become a serious threat to the personal safety of internet users, the old way of authenticating with only a username and password has proved vulnerable to attack. Major network service providers have started to use multi-factor authentication to improve the safety of their users.

Multi-factor authentication

Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which the user is granted access only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism. The evidence can be knowledge (something only the user knows, such as a password), possession (something only the user has, such as a smart card), or inherence (something only the user is, such as a fingerprint).

The multi-factor authentication methods commonly used by banks are:

  • Username/password together with a smart card or USB token
  • Username/password together with a hardware OTP token

Because mainly two factors are used, this is also called two-factor authentication or 2FA. With the prevalence of OTP-based authentication, methods such as software OTP generators, SMS-based OTP and app push notifications are also used by many service providers.

Multi-factor authentication in KeePass

KeePass is a well-known open-source password manager, especially popular among programmers. The built-in MFA support in KeePass looks simple, but KeePass actually offers the richest MFA support, much of it through KeePass plugins written by various open-source developers. MFA support in KeePass falls into two categories:
1. Multi-factor authentication to access KeePass database, and
2. Using KeePass to store multi-factor authentication data

In this article, let’s focus on the first category of MFA support. The second category will be discussed separately in another article shortly.

The framework through which KeePass supports MFA is Composite Keys and Key Providers. This is a flexible framework that lets open-source developers contribute to KeePass MFA development easily. PassXYZ accordingly implements its own Key Provider, which is combined with the master password to form the Composite Key from which the database encryption key is derived.

Besides the new Key Provider developed for PassXYZ, PassXYZ also provides an easy-to-use user interface so that all users can use this feature without any difficulties.

How to use MFA to improve the safety of PassXYZ database

The Key Provider in PassXYZ is implemented as Device Lock. What is Device Lock? If you have used a mobile banking app, you may know that you have to bind the app to your device before you can use it. Device Lock in PassXYZ uses a similar concept to improve the safety of the PassXYZ database. When a user creates a new database, there is an option to enable Device Lock. If it is enabled, the database is bound to the current device: opening it requires the Device Lock Key held on that device as well as the master password. An attacker who obtains a copy of the database and tries to break it by brute force therefore has to guess not only the master password but also the Device Lock Key. How feasible a brute-force attack is depends on the entropy of the key material and on the cost of the key derivation function, not on the cipher itself. A Device Lock Key is generated at random and is far stronger than any master password a person can remember, so when the Composite Key combines Device Lock with a master password, brute force is no longer a practical attack. This matters especially for users who store their database in the cloud.

How to enable Device Lock

When the users create a new database, they can enable Device Lock through a switch as shown below at the bottom of SignUp page.

[Image: signup-en]

After turning on this switch, the new database is created with Device Lock enabled.

How to use Device Lock enabled database on another device

If a user creates a database with Device Lock enabled and later wants to transfer it to another device, the database cannot be opened on the new device because of the Device Lock. To use a Device Lock enabled database on several devices, follow these steps:
1. Transfer the database to another device first
2. Find the Device Lock Key on the current device
3. Scan the QR code of Device Lock Key through the new device

In step 1, there are several ways to transfer the database to another device. With PassXYZ Cloud the transfer is easy: the user only needs to turn on synchronization of the database on the new device. Apart from cloud synchronization, the database can be exported through the system's Sharing function. In the Settings menu there is an option Export database; clicking it brings up the system sharing dialog, and the user can choose Bluetooth, e-mail or another method the system provides to transfer the database to the other device. After importing the database, the user sees the login screen below:

[Image: login-en]

As you can see, the password field in the login screen above is temporarily disabled, so the user cannot log in with the master password alone. The hint at the bottom of the page says that a Device Lock Key is needed to access this database. The user can now click the scan button beside the password field to scan the Device Lock Key QR code shown on the original device.

The Device Lock Key QR code can be found in the Settings of the original device. In the Settings page there is a Security Settings option, as shown in the screenshot below.

[Image: settings1-en]

After selecting Security Settings, a pop-up window with two options is displayed:

  1. Device Lock Key QR code
  2. Export Device Lock Key to a file

[Image: options-en]

Either way transfers the Device Lock Key to the new device. After the Device Lock Key has been imported on the new device, the user can log in as usual. Keep in mind that the Device Lock Key is the second half of the database key: anyone holding both the key (QR code or exported file) and the master password can open the database, so transfer the key over a channel you trust and delete the exported key file once it has been imported.

How to enable Device Lock for the existing database

For safety reasons, users may want to enable Device Lock on an existing database. This is done as follows:
1. Go to Settings and select Security Settings
2. In the pop-up window, provide a new username for the new database and click Import

If the Device Lock is disabled, the users can find the Security Settings as shown in the screenshot below.

[Image: settings2-en]

To convert the current database into a new one with Device Lock enabled, click Security Settings. The following data conversion page is displayed.

[Image: import-en]

On this page, give the new database a name and click Import to create the new database with Device Lock enabled. After confirming that everything is in order in the new database, the old one can be deleted.

Security Analysis of PassXYZ Device Lock

The sections above explained what Device Lock is and how to use it. Now let us look at the security of Device Lock. A direct analysis of the security of an encryption scheme would be hard for most readers to follow, so instead we compare Device Lock with a similar feature in 1Password. The Secret Key in 1Password is very similar to Device Lock in PassXYZ. 1Password has published an article on what the Secret Key is and how it works; the diagram below, taken from that article, relates password entropy to password quality.

[Image: secret-key-entropy]

The diagram shows that the combination of a master password and Device Lock (or the Secret Key) reaches more than 128 bits of entropy. A master password that a person can memorize is, on average, only about 40 bits strong. Device Lock or the Secret Key does not need to be memorized, so it can be much stronger. At 128 bits of entropy, guessing is infeasible no matter how much money or computing power an attacker has.

An attacker usually tries to guess the password by enumerating the possible combinations of characters, so how long each guess takes is a key factor in whether the attack succeeds. Encryption designs use a key derivation function (KDF) to make each guess deliberately expensive. 1Password uses PBKDF2. KeePass supports several KDFs, such as AES-KDF and Argon2; Argon2 won the Password Hashing Competition and is the one to prefer for new databases. With that background, consider another diagram from 1Password relating the KDF to password entropy.

[Image: pbkdf2-crack-times]

As the diagram shows, given the cost of the KDF and the password entropy, we can estimate the time needed to discover the master password on a particular hardware configuration. For an average password of about 40 bits of entropy, it takes about 2 weeks to 2 months. Once the entropy exceeds about 65 bits, the time becomes so large that the attack is practically impossible to complete.
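The following is an added example, not PassXYZ or KeePass code, that puts numbers to the composite-key and crack-time reasoning above. It derives a composite key from a master password and an optional random Device Lock Key in the way KeePass combines key components (hash each component, then hash the concatenation; the exact format of the PassXYZ key provider is not described on the page and is assumed here), estimates password entropy, and computes the expected brute-force time for an assumed guess rate against the KDF. The guess rate and the sample password are illustrative.

```python
"""Added example (not PassXYZ/KeePass code): composite key from master password
plus random Device Lock Key, and expected brute-force time at a given KDF rate."""
import hashlib
import math
import secrets
from typing import Optional


def composite_key(master_password: str, device_lock_key: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated SHA-256 digests of each key component
    (modelled on KeePass composite keys; an assumption, not PassXYZ's format).
    The real key derivation then runs this through the database's KDF."""
    parts = [hashlib.sha256(master_password.encode("utf-8")).digest()]
    if device_lock_key is not None:
        parts.append(hashlib.sha256(device_lock_key).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def new_device_lock_key(nbytes: int = 32) -> bytes:
    """A fresh random key from the OS CSPRNG: 32 bytes = 256 bits of entropy,
    which nobody has to memorize."""
    return secrets.token_bytes(nbytes)


def password_entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(alphabet) for the character classes
    actually present. Real human-chosen passwords are weaker than this."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    ]
    alphabet = sum(size for present, size in classes if present)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """On average an attacker succeeds after searching half the key space."""
    return (2 ** (entropy_bits - 1)) / guesses_per_second


def describe(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.0f} s"
    if seconds < 3600:
        return f"{seconds / 60:.0f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} h"
    if seconds < year:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    # Assumed attacker: 100,000 KDF evaluations per second (a slow KDF such as
    # Argon2 is what keeps this number small even on GPU hardware).
    rate = 1e5
    pw = "Tr0ub4dor&3"          # illustrative master password
    dl = new_device_lock_key()
    bits = password_entropy_bits(pw)
    print(f"password alone: ~{bits:.0f} bits ->", describe(expected_crack_seconds(bits, rate)))
    print("average memorable password (40 bits) ->", describe(expected_crack_seconds(40, rate)))
    print("password + Device Lock ->", describe(expected_crack_seconds(bits + 256, rate)))
    print("composite key:", composite_key(pw, dl).hex())
```

At the assumed rate, a 40-bit password falls in about two months, which matches the middle of the range read off the 1Password chart above; adding a 256-bit random key moves the same attack to a figure with dozens of digits of years, which is the whole argument for Device Lock. The entropy function is deliberately an upper bound: it is the attacker's best case for the defender, not a measure of how guessable a particular password is.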

Summary

For the safety of the PassXYZ database, it is suggested to enable Device Lock for all new databases. To back up the Device Lock Key, users may wish to print a hard copy of the QR code and keep it in a safe place. For users who store their database in the cloud to take advantage of synchronization and backup, Device Lock keeps the database much safer. Without Device Lock enabled, the database is only as strong as the master password and may be vulnerable to a brute-force attack.




As leaks of user data become ever more serious, protecting user accounts with only a username and password is no longer safe enough. Major online services have started to use multi-factor authentication (MFA) to further protect their users' data.

Multi-factor authentication

MFA identifies a user by combining two or more independent credentials: something the user knows (for example a PIN), something the user has (for example a USB security key or a hardware token), or something the user is (biometrics such as a fingerprint or iris). Traditional multi-factor authentication typically identifies the user with:

  • username and password plus a smart card (USB security key)
  • username and password plus a hardware token

Because mainly two independent factors are used, this is also called two-factor authentication, or 2FA. As network technology has developed, other forms of verification have gradually been adopted, such as one-time passwords delivered by app push notification or by SMS.

KeePass support for multi-factor authentication

PassXYZ is a password manager built on KeePass. To improve database security, PassXYZ also supports multi-factor authentication. KeePass is an open-source password manager and, at the same time, a good open-source framework for developing password managers. Its MFA support has two parts:

  1. MFA for the KeePass database itself: the database can only be opened after passing multi-factor authentication;
  2. KeePass can also store multi-factor authentication data, or act as an MFA tool.

This article deals with the first kind; the second will be covered in a separate article.

Although KeePass offers rich MFA features, many of them are implemented as KeePass plugins. That is no obstacle for professionals, but it is hard for ordinary users: KeePass plugins do not come with a simple installer, and installing one requires some programming background. Since the plugins come from different open-source developers, their completeness and stability also vary widely.

KeePass supports MFA through a framework made up of Composite Keys and Key Providers. PassXYZ's MFA support uses exactly this framework, while taking the habits of ordinary users into account with a very simple interface, so that enabling and using multi-factor authentication in PassXYZ presents no difficulty.

Using MFA to strengthen PassXYZ data security

PassXYZ's MFA support is mainly implemented as Device Lock, an extension of the key file mechanism that KeePass itself supports. What is Device Lock? If you have used an online banking client, you probably know how an app is bound to a phone; for the user's safety, banks generally require the app to be bound to the phone before it can be used. PassXYZ Device Lock uses a similar concept. When creating a new database, the user can choose to enable Device Lock. Once enabled, the database is bound to the current device: even if an attacker manages to obtain the database and the master password, they cannot open it, because the database is locked to the device. The binding uses a very strong key of the same kind as a key file, so Device Lock resists brute-force attacks very effectively. For users who put their database in cloud storage, this greatly improves security.

Enabling Device Lock

When creating a new database, turn on the Device Lock option as shown below (the switch is at the bottom of the sign-up page). With the option on, the database is created with Device Lock enabled.

[Image: signup-cn]

Transferring the database to another device

When a user wants to use a Device Lock enabled database on another of their devices, the database cannot simply be opened there because of the Device Lock. To use it on several devices, follow these steps:
1. Export the database to the other device
2. Find the Device Lock QR code on the current device
3. Scan the Device Lock QR code on the importing device

To transfer the database to another device, PassXYZ Cloud users can simply choose to synchronize it through OneDrive. Apart from cloud synchronization, users of both PassXYZ and PassXYZ Cloud will find an "Export" option in Settings. After tapping "Export", choose one of the transfer methods offered by the system, such as Bluetooth or e-mail. Since PassXYZ supports Android, iOS and Windows 10, the options differ slightly on each platform. After the database has been imported successfully, the login page on the new device looks like this:

[Image: login-cn]

The password field on this login page is temporarily disabled, and the hint below it tells the user that the database PassXYZ_KPCLib has Device Lock enabled and that both the Device Lock Key and the password are needed to log in. Tap the scan button to the right of the password field to scan the Device Lock Key QR code from the original device and release the Device Lock.

The Device Lock Key QR code is found in the Settings of the original device. In "Settings" there is a "Security Settings" option, as shown below:

[Image: settings1-cn]

After choosing "Security Settings", two options are shown: display the Device Lock Key QR code, or export it to a file, as shown below:

[Image: options-cn]

Either method transfers the Device Lock Key to the other device. Once the Device Lock has been released, the new device can log in normally.

Adding Device Lock to an existing data file

For a database that does not yet have Device Lock enabled, the "Security Settings" option in Settings shows the information below:

[Image: settings2-cn]

To convert a database without Device Lock into one with Device Lock enabled, tap "Security Settings"; a data conversion page then appears, as shown below:

[Image: import-cn]

Give the new database a username and tap the "Import" button. After the new database has been created the old one still exists; once the import is confirmed to have succeeded, the old database without Device Lock can be deleted.

Security analysis of PassXYZ Device Lock

The sections above explained what Device Lock is and how to use it in PassXYZ. How can its security be analysed quantitatively? A detailed cryptographic analysis is too specialised for most users to follow, so we use a comparison instead. The password manager 1Password has a feature similar to PassXYZ Device Lock called the Secret Key. The 1Password article introducing the Secret Key uses the diagram below to relate password strength to data security.

[Image: secret-key-entropy]

The diagram shows that combining the master password with Device Lock (or the Secret Key) gives a strength above 128 bits. Because password strength is inversely related to how easy a password is to remember, passwords above 60 bits are rarely used in practice; the passwords people normally use have about 40 bits of entropy. With the 1Password Secret Key or PassXYZ Device Lock, the strength exceeds 128 bits.

Brute force finds the real password by trying every possible combination, so the time each attempt takes is the other key factor against it. Increasing the cost of each attempt is the standard defence in data encryption software, and the algorithm that adds this cost is the key derivation function (KDF). 1Password uses PBKDF2, while KeePass supports several, such as AES-KDF and Argon2; Argon2 won the Password Hashing Competition and is the one to prefer. With this in mind, look at the following chart from 1Password.

[Image: pbkdf2-crack-times]

The chart shows that, given the cost of the KDF and the strength of the password, we can estimate how long it takes to crack the password on a given type of hardware. An ordinary password of about 40 bits takes roughly two weeks to two months. Once the strength exceeds 65 bits, the time required becomes astronomical.

Summary

PassXYZ users are advised to use Device Lock to keep their data safe, and to print a copy of the Device Lock Key QR code and keep it in a safe place. For users who synchronize their database to the cloud, Device Lock is especially important. If it is not used, a strong master password is essential to resist brute force.



We often see or hear news of user data leaks, and these leaks pose a serious security threat to the users of the affected sites and services. As a network user, how much do you know about how serious the problem is, and about the details behind these incidents?

Any discussion of data leaks has to introduce a few hacker terms that go with it. Reports on data leaks in China frequently use three words: tuoku (拖库), xiku (洗库) and zhuangku (撞库). Tuoku, literally "dragging the database", is the act of breaking into a valuable website and stealing its entire database of registered users. Xiku, "washing the database", is what happens next: the attacker turns the valuable parts of the stolen data into money through a series of technical steps and the underground economy. Zhuangku, "crashing into the database", is what the English-speaking world calls credential stuffing: the attacker collects usernames and passwords already leaked on the internet, builds a dictionary from them, and tries them in bulk against other websites to obtain a list of accounts that can be logged into. Because many users reuse the same username and password across sites, an attacker can take the credentials from site A and try them on site B; that is a credential stuffing attack.

How attackers obtain user data (tuoku / data breaches)

Attackers obtain user data mainly through social engineering or technical means. Social engineering exploits human psychology, obtaining information through deception or impersonation, for example by e-mail or phishing sites. Technical means exploit vulnerabilities in the system itself to break into the target and extract user data. In real attacks the two are usually combined.
To illustrate how tuoku, xiku and zhuangku relate to each other, the figure below is taken from the 2011 large-scale data leak research report of the Venustech (启明星辰) Anxing web security operations team. It shows the relationship between the three stages very clearly.

[Image: flowchart01]

So how serious is the problem of user information leaks today?

In China, before 2016 there was a website dedicated to exposing user data leaks, WooYun (乌云网). Anyone who followed the news will remember the stream of data leak reports coming from WooYun before 2016; the Ctrip payment vulnerability and the 12306 user data leak it exposed can still be found on Baidu Baike. But this site, set up by white-hat hackers and usable as a yardstick of how secure the internet was, was forcibly closed in 2016. Opinion on the closure is sharply divided: supporters argue that once a leak is exposed, more attackers exploit the disclosed vulnerability; opponents argue that without such a site, service providers pay less attention to security, ship more services with more vulnerabilities, and expose users to more danger. Either way, the WooYun episode shows that large-scale theft of user data by technical means is not an occasional event but close to the normal state of network security.

Without WooYun, is there really no way for users to know how bad the problem is?

Not at all. A similar and even better known site is "Have I Been Pwned?" (HIBP). At the end of 2013, security expert Troy Hunt realised that user data leaks had grown out of control and decided that, rather than leave the data to attackers alone, he would turn whatever he could obtain into a searchable database so that ordinary users could easily find out whether their own details had leaked. If you have not heard of it, it is worth checking your own accounts there. The address is https://haveibeenpwned.com. As the HIBP home page below shows, the number of leaked accounts it has recorded so far exceeds 5 billion.

[Image: hibp01]

Besides checking HIBP yourself for leaked usernames and passwords, many online services now use HIBP data to help users strengthen their accounts. The author, for example, once received the warning below when logging in to GitHub.

[Image: github01]

The warning says that the account can now be found in the HIBP database and recommends changing to a stronger password.
If a search on HIBP shows that your details have leaked, HIBP also helpfully tells you in which breach they were collected and which of your details are in its database, as shown below.

[Image: hibp02]
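Services that check passwords against HIBP, as GitHub does in the warning above, do not send the password to HIBP. They use the Pwned Passwords range API: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service returns every hash suffix it knows with that prefix, and the client looks for its own suffix locally, so HIBP never learns which password was checked. The following is an added example (not HIBP or PassXYZ code) of that client-side logic. No network request is made; the response body is a constructed sample in the real format, with made-up counts.

```python
"""Added example (not HIBP/PassXYZ code): k-anonymity lookup against the
Pwned Passwords range API, run against a constructed sample response."""
import hashlib
from typing import Dict, Tuple

API_BASE = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password;
    only the 5-character prefix ever leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    prefix, _ = split_hash(password)
    return API_BASE + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Response lines look like 'SUFFIX:COUNT'; tolerate blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, response_body: str) -> int:
    """How many times the password appears in the corpus (0 = not found).
    The match is done locally on the suffix, which is the k-anonymity property."""
    _, suffix = split_hash(password)
    return parse_range_response(response_body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses hold hundreds of suffixes; the counts here are made up.
SAMPLE_RESPONSE = "\r\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # suffix of SHA-1("password")
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
])

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", range_url(pw), "count:", breach_count(pw, SAMPLE_RESPONSE))
```

A password manager can run the same check before saving a new password; the only data that leaves the device is a 20-bit prefix shared by several hundred other hashes, which is why this is safe to do with a password that is still in use.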

Exploiting the user data (xiku)

So far we have covered how user data leaks and how serious the problem is. Once an attacker has a site's user data, how is it used? Broadly, the stolen data has two parts. The first is user information stored in plaintext: names, phone numbers, e-mail addresses and, in worse cases, sensitive information such as ID card numbers, credit card and bank account details. The attacker can package this and sell it to various illegal buyers. The second part is the users' passwords in hashed form. To protect users, most websites store a hash of the password rather than the plaintext (the HIBP site mentioned above likewise stores password hashes rather than plaintext passwords; for more on hash functions, see the article "Common concepts in network information security"). The attacker has to recover the passwords from the hashes before this part of the data can be used. This is not done by breaking the hash function; it is done by guessing. The attacker hashes candidate passwords from dictionaries, earlier leaks and common patterns and compares the results with the leaked hashes. That is fast against unsalted, fast hashes such as MD5 or SHA-1, where one table of hashed guesses serves every user at once, and far slower where the site used a per-user salt and a deliberately slow algorithm. Once the recovered passwords have been paired with their usernames in a table, the attacker is ready for the second round.
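The following is an added example (not PassXYZ code) of the guessing described above, run against two constructed "leaked" tables for the same users: one with unsalted SHA-1, where a single lookup table of hash(word) recovers every weak password at once, and one with a per-user salt and PBKDF2, where every (user, guess) pair costs a full KDF evaluation and precomputed tables are useless. The user records and the word list are constructed for the example; real word lists hold hundreds of millions of entries.

```python
"""Added example (not PassXYZ code): dictionary guessing against unsalted fast
hashes versus salted, slow hashes. All data below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed word list in attacker's order of preference.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"]


def fast_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash each word once, then recover every leaked row by dictionary lookup.
    Cost is len(wordlist) hashes regardless of how many users leaked."""
    table = {fast_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def slow_salted(password: str, salt: bytes, iterations: int) -> bytes:
    """What a site should store: PBKDF2 (or Argon2/bcrypt) with a random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                 iterations: int) -> Tuple[Dict[str, str], int]:
    """Salts force a separate KDF evaluation per (user, guess). Returns the
    recovered passwords and how many KDF evaluations that cost."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt, stored) in leaked.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(slow_salted(w, salt, iterations), stored):
                found[user] = w
                break
    return found, work


def make_leak(users: Dict[str, str], iterations: int = 1000):
    """Build both storage formats for the same constructed user/password pairs.
    1000 iterations keeps the example quick; production uses far more."""
    unsalted = {u: fast_unsalted(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)
        salted[u] = (salt, slow_salted(p, salt, iterations))
    return unsalted, salted


if __name__ == "__main__":
    users = {"alice": "password", "bob": "letmein", "carol": "J7#pq!2Lm9Wz"}
    unsalted, salted = make_leak(users)
    print("unsalted SHA-1:", crack_unsalted(unsalted, WORDLIST))
    found, work = crack_salted(salted, WORDLIST, 1000)
    print("salted PBKDF2:", found, "after", work, "KDF evaluations")
```

Both runs recover alice and bob, because the weakness is their passwords, not the storage; what the salted, slow hash changes is the cost per guess and the loss of table reuse, which is exactly the gap the 1Password and KeePass key derivation settings discussed earlier are designed to widen. Carol's password survives both runs only because it is not in the word list.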

Re-using the user data (zhuangku)

Leaving social engineering aside, the user data that attackers obtain by technical means mostly comes from exploiting vulnerabilities in poorly protected websites. Once the attacker has organised the data into a reusable table, a great many other sites can fall with it, because users tend to register for different services with the same username and password, and the attacker can use the known credentials to get at the same user's accounts elsewhere. This is why so many data leaks are themselves the product of credential stuffing.

How to protect your own information online

As the saying goes, however high the road rises, the devil's craft rises higher: the contest between attack and defence online will never end. Information security is the responsibility of both the service provider and the user. What should we do as users? There are many ways to raise your security level, but list too many and most people will do none of them. Here are the three most important:
1. Do not register for every service with the same username and password. This is by far the least safe practice;
2. Make passwords more complex: at least 8 characters, mixing digits, letters and symbols;
3. Enable multi-factor authentication on important accounts, such as password plus SMS or password plus OTP.

You have surely heard the first two points many times. Following them greatly increases the attacker's workload, and attackers' time is valuable too: when your defences are much more complex than everyone else's, the attacker is likely to give up and move on to the next record.

The third point, multi-factor authentication, was originally offered only by services with high security requirements, but as data leaks have worsened it has gradually been adopted by mainstream services too.

What is multi-factor authentication? It means that a user must pass two or more authentication mechanisms before using a service, where the mechanisms are independent of each other: for example, after entering the username and password, the system asks for an SMS verification code. Typically the second mechanism is required when the user logs in from an unfamiliar or new device. Multi-factor authentication protects accounts considerably more effectively.

Multi-factor methods vary in complexity. The most secure, the USB security key based on asymmetric cryptography, is widely used in banking. Among everyday methods, e-mail, SMS, hardware tokens, software tokens and push notifications to a trusted device are more common; most of these are based on one-time passwords (OTP). With the rapid growth of the internet industry in China, some innovative methods have also become popular, such as scanning a QR code with a trusted device, first used by WeChat and Alipay for login and payment and now supported for online banking login by many Chinese banks. Other unusual methods include WeChat's voiceprint verification and the face recognition used by Alipay and Baidu. There are too many to cover individually; the table below lists the multi-factor methods supported by some common services for reference.

[Image: mfa01]

As multi-factor authentication spreads and account management grows more complex, leading Chinese service providers have begun offering one-stop security apps dedicated to account management, such as QQ Security Center, Baidu Account Manager and NetEase Account Manager. These apps usually require the user to bind the app to a trusted device and then manage account settings through it, which allows richer account management functions such as enabling and disabling account features and recovering stolen accounts.
You should now have a better understanding of the security of your internet accounts. Are you tempted to check HIBP for your own details? If your account is found in the HIBP database, the three measures above are the ones you must take immediately; otherwise anyone who holds the same leaked data can, in principle, log in to your account with your username and password.




Markdown has been popular among programmers for a long time, but many people still may not know what Markdown actually is. Even those who do may find it hard to imagine what Markdown has to do with a password manager. The latest version of PassXYZ adds Markdown support; this article explains what Markdown is and how to use it for secure notes in a password manager.

What is Markdown

Baidu Baike defines Markdown as follows:

Markdown is a markup language that can be written with an ordinary text editor; through simple markup syntax it gives plain text content a degree of formatting.

The key phrase is ordinary text editor. Plain text is the basis of every text format, so plain text can be edited with any editor. Its drawback is the lack of formatting, and unformatted text is hard to read. Markdown adds a few agreed marks to a plain text file so that it is easy to read when displayed, while the Markdown file itself remains a text file.
You may wonder: if the goal is a formatted document, why not just use MS Word? There are many reasons to use Markdown; a few examples:
1. A Markdown file can be edited with any editing tool, whereas an MS Word file can be edited by only a handful of programs.
2. Markdown is easy to convert to other text-based markup languages, such as HTML.
3. Markdown is easy to pick up, or rather barely needs learning at all. This is probably the main reason for its popularity.

How simple is the Markdown syntax? The figure below shows this article as written in Markdown. For comparison, the editor shown is the Markdown editor in Youdao Note. Compare the Markdown text on the left with the rendered result on the right: the Markdown on the left is very close to how we normally write. Apart from a few things such as web links, it is just ordinary text editing. The editing differs little, but the difference in appearance and readability is large.

[Image: markdown01]

Common Markdown marks

A few common Markdown marks are listed below; search for "Markdown" online to learn more.
[Image: markdown04]

Uses of Markdown

Markdown was originally used by programmers to annotate and document programs, but it was later adopted widely and standardised. Its main use today is writing articles for publication online; many blogs and online media use Markdown. Such content used to be written in HTML, but thanks to Markdown's ease of use, more and more HTML editing is being replaced by Markdown.

Markdown and password managers

Before PassXYZ added Markdown support, no password manager supported Markdown directly. But almost every password manager includes a feature called Secure Notes, which lets users record items with high security requirements. Without any formatting, secure notes are not very readable, and longer notes become hard to follow. Secure Notes is a frequently used feature, and since it is text editing in any case, adding Markdown support improves readability markedly. The figure below shows the PassXYZ user guide displayed in a secure note. With Markdown, the note looks essentially like most articles on the web. Because editing and display differ, a secure note with Markdown support has two modes, display and edit. Previously a secure note was a simple text editor with no distinction between the two. With Markdown support, a pen icon in the top right corner of display mode switches to text editing mode.

[Image: markdown02]

Markdown与HTML的混合使用

从上面的例子我们可以看到,Markdown对普通用户来说基本没有使用难度,但所带来的阅读体验的提升却是非常显著的。稍微添加一些Markdown标记可以使您的笔记具有类似MS Word的效果。
如果您是经常在网上写文章或发博客的资深用户,您可能也会使用HTML语言。一般的应用如果支持Markdown的话,通常也可以让Markdown和HTML混合使用。Markdown和HTML混合使用可以让您的安全笔记做更多的事情。比如,如果您觉得密码软件使用的条目(Entry)记录格式不符合自己的要求,那么您完全可以选用安全笔记(Notes)来制作成任何您想要的记录格式。也就是说,在理想的情况下,您可以用安全笔记来记录所有的东西。但是,完全用安全笔记(Notes)代替条目(Entry)会导致编辑相对较为复杂,所以非资深用户,不建议完全替代使用。

markdown03

上图就是一个Markdown和HTML混合使用的效果。这是一个标准的KeePass条目。由于HTML支持很多控件,密码域可以做成类似我们在网页上看到的密码域的效果。当点击密码域边上的检查框时,可以控制密码域的隐藏或显示。

This is only a simple example; if you are familiar with HTML, mixing Markdown and HTML gives the secure notes feature a lot of room for extension.

Above we introduced what Markdown is and how to use Markdown in PassXYZ to enhance secure notes. Note-taking software and professional editing software each have their strengths and suit different situations. Professional editors such as MS Word are well suited to writing formal documents, but without a computer and a mouse they are hard to use, which is why few people write articles with MS Word on a phone. Markdown requires only simple text editing, so it is well suited to mobile apps. Using Markdown with a simple text editor is like typing ":)" instead of a smiley when sending a text message: add two simple symbols, and in reading mode you see a cute smiley face.

We hope this article helps Markdown, which may seem lofty, become a widely used editing aid for our readers.


PassXYZ is a KeePass-compatible app that runs on Android and Apple phones as well as Windows 10. Its most distinctive feature is that it provides a large number of personal information record templates to share and pass on good habits. The goal of the PassXYZ personal information management software together with the PassXYZ WeChat public account is to promote and raise the public's level of personal information management.

You can download the app by searching for the keyword PassXYZ in the Apple App Store, Microsoft Store, Google Play or Huawei AppGallery. If you would like more templates or are interested in personal information security and management, follow the public account by searching for the keyword PassXYZ, or add it via the WeChat ID passxyz_kpclib. The PassXYZ public account focuses on knowledge related to personal information security and management.

cover

Markdown has been used by programmers for many years. However, many people may still not know what Markdown is. As a programmer, you may know what Markdown is, but does it have anything to do with password management apps? In the latest version of PassXYZ, Markdown is supported as part of the Secure Notes function. In this article, we will find out what Markdown is and how to use it to make your secure notes look similar to Microsoft Word.

What is Markdown?

In Wikipedia, the definition of Markdown is as follows:

Markdown is a lightweight markup language with plain text formatting syntax. It is designed so that it can be converted to HTML and many other formats using a tool by the same name. Markdown is often used to format readme files, for writing messages in online discussion forums, and to create rich text using a plain text editor.

Please pay attention to the highlighted key words: plain text editor. With Markdown, you can edit rich text using a plain text editor, which means you can edit Markdown content with any editor. This is very useful in many situations. You may wonder why we would use Markdown with a plain text editor instead of software like Microsoft Word to create rich text documents. There are many reasons to use Markdown; some of them are listed below:

  1. You can edit plain text with Markdown using almost any editor, whereas you can only use MS Word to edit Word documents. To edit rich text like a Word document, you may have to use a PC with a mouse. You do not have this constraint when editing plain text with Markdown.
  2. It is very easy to convert Markdown to other rich text formats such as HTML or MS Word.
  3. Markdown is super easy to use. There is no difficulty in using it, and this may be the most important reason why Markdown is so popular for creating online content.

How easy is Markdown to use? Please refer to the figure below. It compares the look and feel of this article in editing mode and in reading mode: on the left, the article is shown being edited in Markdown, while on the right it is shown in reading mode.

As we can see from the picture on the left, editing text with Markdown is very similar to what we usually do when editing a document or a message. Once the edited document or message is displayed in reading mode, the result looks fabulous indeed, as shown on the right.

markdown01

Markdown Cheat Sheet

Below is a brief summary of frequently used Markdown markup. You can find more on the internet by searching for the keyword Markdown.

markdown04

The Usage of Markdown

Initially, Markdown was lightly formatted plain text used by programmers to add comments in source code or to create a readme for it. For example, Markdown is used extensively on GitHub for various purposes. Later on, people started to use this kind of markup to write online content such as blogs and web pages. Nowadays, many popular sites, such as GitHub, Bitbucket, Reddit, Stack Exchange and SourceForge, use variants of Markdown to facilitate discussions between users.

Markdown and Password Management Software

PassXYZ is the first password management software to support Markdown. Secure Notes is a function found in almost all password management software; it allows users to take down notes of sensitive information securely. In plain text, a note is not easy to read once its content gets long without any formatting. With Markdown added, the readability of Secure Notes is enhanced significantly. Below is a figure of a built-in note in PassXYZ; the note titled "How to use PassXYZ" is a brief explanation of how to use PassXYZ. As we can see, it looks very similar to a document edited with MS Word or HTML. With Markdown support, editing is done in editing mode and the document is viewed in reading mode. This differs from plain text, where there is no difference between editing and reading. In the figure below, there is a pen icon at the top right of the screen; clicking it switches the note to its editing mode.

markdown02

Embedded HTML inside Markdown

From the above example, we can see that there is no learning curve to using Markdown for most users. With Markdown support, we can create a document on a mobile device with a result similar to MS Word or HTML. If you have experience writing a blog or creating your own website, you may have learnt or known HTML. Usually, Markdown allows HTML to be mixed in to present content. With embedded HTML, you can get Secure Notes to do more than pure Markdown documents can. The following example explains more: a typical Sample Entry, which you can find once you install KeePass on Windows, is recreated in the figure below.

markdown03

As you can see, we used an HTML table to recreate the KeePass sample entry. Inside the table, we use a password control to present the Password field of KeePass, and we can click the small checkbox next to the password field to show or hide the password. With embedded HTML, we can recreate almost all the different entries supported by either KeePass or PassXYZ. The cost is that you have to know HTML, and the editing effort is much greater than for a normal entry. This is just a simple example to show the power of mixing HTML and Markdown; you can explore this function further on your own in PassXYZ.
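As an added example of the embedded HTML technique described here (and in the Chinese version of this article above), and not PassXYZ's own code or the way the note in the figure was written, the JavaScript below builds such a mixed Markdown/HTML note from an entry's fields, escaping each value so that a password or URL containing quotes or angle brackets cannot break out of the table or its attributes. The `renderEntryNote`, `escapeHtml` and `safeHref` names, the sample values, and the assumption that the note renderer keeps inline HTML and the checkbox's onchange handler are all mine.

```javascript
// Added example (not PassXYZ's own code): build a KeePass-style entry as a
// mixed Markdown/HTML secure note, as in the figure above.
// Assumption: the note renderer keeps inline HTML and the checkbox's inline
// onchange handler; if it strips scripts, the checkbox simply does nothing
// and the password stays hidden.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that matter in HTML text and attribute values,
// so a field value can never close its cell or attribute early.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) URLs become links; anything else (e.g. a javascript: URL)
// is rendered as plain escaped text instead.
function safeHref(url) {
  return /^https?:\/\//i.test(String(url)) ? String(url) : null;
}

// Render one entry {title, userName, password, url, notes} as a note.
// The Markdown heading and the HTML table coexist in one document; the
// checkbox switches the password control between type="password" (hidden)
// and type="text" (shown), mirroring the figure.
function renderEntryNote(entry, controlId = 'pw') {
  // The control id is a developer constant, not user data; keep it simple.
  if (!/^[A-Za-z][\w-]*$/.test(controlId)) throw new Error('bad control id');
  const toggle =
    `document.getElementById('${controlId}').type=this.checked?'text':'password'`;
  const href = safeHref(entry.url);
  const rows = [
    ['User Name', escapeHtml(entry.userName)],
    ['Password',
      `<input type="password" id="${controlId}" value="${escapeHtml(entry.password)}" readonly>` +
      ` <input type="checkbox" onchange="${escapeHtml(toggle)}"> show`],
    ['URL', href
      ? `<a href="${escapeHtml(href)}">${escapeHtml(href)}</a>`
      : escapeHtml(entry.url)],
    ['Notes', escapeHtml(entry.notes)],
  ];
  const table = rows
    .map(([name, cell]) => `<tr><td>${name}</td><td>${cell}</td></tr>`)
    .join('\n');
  return `## ${escapeHtml(entry.title)}\n\n<table>\n${table}\n</table>\n`;
}

// Constructed sample: the fields of KeePass's "Sample Entry", with a password
// that deliberately contains characters that would break unescaped HTML.
const SAMPLE_ENTRY = {
  title: 'Sample Entry',
  userName: 'User Name',
  password: 'Pa"><b>ss',
  url: 'https://keepass.info/',
  notes: 'Notes',
};
```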

In this article, we have introduced what Markdown is and how Markdown helps in the Secure Notes of PassXYZ. Professional editing software such as MS Word and lightweight notes on mobile devices each have their own advantages and limitations. It is difficult to use MS Word without a PC and a mouse, whereas there is no difficulty using the Secure Notes of PassXYZ on a mobile device. In Secure Notes, you can add simple Markdown markup to enjoy a similar effect, just as you add a ":)" to show a smiley face when you send a message.

We hope that, after reading this article, PassXYZ users can use Markdown to create their own personalized secure notes without any difficulty.


If you are interested in personal information management, please add the PassXYZ WeChat public account by searching for the keyword PassXYZ, or link to it using the WeChat name passxyz_kpclib. The source code of KPCLib can be found on GitHub at https://github.com/passxyz/KPCLib.

You can also find more information about PassXYZ on its website and install it from Google Play, the Apple App Store and the Microsoft Store.

OneDrive File

Password management software is something everyone needs nowadays, but not everyone knows how to use it. We can find lots of password management software on the various app stores. Classified by where the password data is stored, they fall into two categories: local storage and cloud storage. The advantage of local storage is that it is the safest way to store data, since users have absolute control over the data files. The issue with local storage is that users have to manage all data files themselves, so they have to spend time backing up data and synchronizing it among their devices. To get rid of this burden, many users choose apps with cloud storage support. Compared to local storage, users of cloud storage do not have to take care of backup and synchronization themselves, since the app performs both through the cloud. In terms of security, however, cloud storage may expose data to leakage, so users should use a more complex master password to protect their data.

Currently, the popular password management software, including 1Password, LastPass and KeePass, can be found and downloaded from either the app stores or their respective websites. Among these, KeePass is the most famous open source solution on the market. However, KeePass supports only the Windows platform. PassXYZ and PassXYZ Cloud are KeePass-compatible software supporting Android, iOS and Windows 10.

PassXYZ and PassXYZ Cloud

Two versions of PassXYZ were developed because different users weigh security and convenience differently. Some users prefer an offline app to store their data, and some would like to use cloud storage for convenience.

PassXYZ is the version for local storage only. There is no built-in networking functionality, so users have to back up and synchronize data on their own. As long as users store their data safely, there should be no risk of data leakage. There are also many ways to back up and synchronize across devices, such as Bluetooth or sharing local storage.

PassXYZ Cloud is the version with integrated cloud storage. There are many ways to use cloud storage. The simplest is to use the functionality provided by the operating system: if the data is stored in the cloud storage area provided by the operating system, you get cloud storage automatically. This is the case for OneDrive on Windows 10, and it also applies to Google Drive on Android and iCloud on Apple devices. For PassXYZ, because we want a seamless cloud storage experience across platforms (Android, iOS and Windows 10), additional work has to be done to support it. Supporting cloud storage regardless of platform helps users in many cases beyond backup and synchronization. For example, when you change from an Android phone to a new Apple phone, you do not have to worry about the move from Android to iOS: all your previous data can be synchronized to your new Apple device in the same way as on your Android phone.

File or Folder synchronization status

No matter how you use cloud storage, you may have noticed the differences between cloud storage and local storage in your system. Let's recap the differences using OneDrive as an example.

OneDrive File

Even though the user interface of cloud storage is very similar to that of local storage, as we can see from the figure above there is an extra column in File Explorer showing the current status of the cloud data. Different icons show the status of files or folders. Below is a table explaining the meaning of the various icons.

OneDrive File

The above table is a summary based on OneDrive. You can find similar icons in either Google Drive or iCloud. Once you are familiar with one of the systems, you will have no problem using any of them.

How to use PassXYZ Cloud

PassXYZ Cloud uses OneDrive as the cloud storage for all platforms. OneDrive was chosen because it provides the best support across platforms, including Android and iOS. The Microsoft Graph API includes rich programming interfaces for Microsoft's cloud services, and Microsoft also provides a client library for the Microsoft Graph API for Xamarin apps. Since PassXYZ is developed using Xamarin, the development cycle can be shortened significantly by using the Microsoft Graph API client library.

We now use the Android user interface as an example to explain how to use PassXYZ Cloud; Windows 10 and iOS have a very similar user interface. To enable cloud storage, select OneDrive from the menu as shown in the figure below.

PageMaster

Once you select OneDrive from the menu, you can see the OneDrive setup page shown below. At the top of this page there is an option to log in to OneDrive and another option to turn synchronization notifications on or off. After you log in to OneDrive, a list of files is displayed. You can enable or disable cloud storage for an individual file using the Context Action for that item. If you do not know what the Context Action is, you may refer to the article Comparison of Context Action Menu of PassXYZ on Different Systems.

Enable_Sync

You can enable cloud synchronization for both local files and cloud files. Once you turn on cloud synchronization, the status changes to the one shown in the figure below. When synchronization is complete, a green tick is shown as the status.

Syncing

As long as cloud synchronization is enabled, PassXYZ Cloud synchronizes with the cloud automatically whenever the data file changes. You can monitor synchronization events through the notification setting: if you turn on synchronization notifications, you get a message in the system notification tray whenever synchronization starts or stops. Conversely, you can make a synchronized file local only by disabling synchronization.

Merge method

For cloud support, there are actually two kinds of architecture. In the first, everything is put in the cloud and all changes are made in the cloud only. This architecture is usually used in financial transaction systems, but some password management software also uses it. Its advantage is that all changes are made in the cloud, so there is no need to maintain a local copy and no merge is needed. The problem with this kind of app is that it relies on the network and its bandwidth; it cannot work offline, and any data leak or damage in the cloud is a disaster.

The second architecture is the one we use in PassXYZ Cloud, which is the same as OneDrive, Google Drive and iCloud: a local copy is always maintained to shadow the one in the cloud. Changes are always made in the local copy and then synchronized with the cloud. The problem with this architecture is that there may be conflicts when merging the local copy with the cloud. If the same record is changed on different devices at the same time, there is a conflict, and we need to decide which version to keep. To resolve this, we set the merge method in the settings to tell PassXYZ how to handle the conflict.

MergeMethods

The above figure lists all the merge methods supported by the KeePass library. To keep it simple, we discuss two of them here to help you plan your own conflict-handling strategy. For simple usage, we can use the two merge methods KeepExisting and Synchronize. KeepExisting means the local copy has higher priority than the cloud copy: when there is a conflict, the local version overwrites the cloud version. In contrast, Synchronize means the cloud copy has higher priority than the local copy: when there is a conflict, the cloud version overwrites the local version. Based on this definition, you can keep one device as the main one on which all changes are made. The merge method on this main device can be set to KeepExisting while the rest of the devices are set to Synchronize. As the KeePass merge is record based, you can add a new record on any device without any problem. However, when you change an existing record, you are recommended to do it on the main device. You may wish to try and test the other merge methods yourself and find the way that works best for you.

Having read this article, you may have a better understanding of the differences between local storage and cloud storage for password database management, and be in a better position to choose the version that suits you.



OneDrive File

In modern life, password management software is something everyone actually needs, but many people do not know how to use it. Many password managers can be found on the major app stores; classified by storage method, they fall into two categories, local storage and cloud storage. The advantage of local storage is high security: you have absolute control over the data file. Because storage is local, backing up the data becomes very important. To avoid the trouble of backup and synchronization, some people choose a password manager that supports cloud storage. Cloud-based password managers are convenient, requiring basically no manual backup or synchronization, but their security is lower, since data in the cloud can leak. If you use cloud storage, use a complex master password to protect your data.

The most popular password managers today include 1Password, LastPass and KeePass. PassXYZ and PassXYZ Cloud are KeePass-compatible password managers. KeePass itself supports only Windows, while PassXYZ is KeePass-compatible software that runs on Android, iOS and Windows 10.

PassXYZ and PassXYZ Cloud

The reason a PassXYZ Cloud edition was developed after the regular PassXYZ edition is to accommodate different users' needs for security and convenience.

PassXYZ is the local edition and uses no network features at all. Users manage backups and synchronization between devices themselves. Because storage is local, as long as you keep the data stored securely there is basically no risk of leakage. There are many ways to synchronize and back up local data: for example, transferring between devices over Bluetooth, or storing the data on your own removable storage device and sharing it between devices.

PassXYZ Cloud is the edition with integrated cloud storage. Cloud storage support has several levels: supporting cloud storage on a single platform is relatively easy, but cross-platform support is more complex. For example, on Windows, OneDrive is integrated into Windows 10; as long as the data is stored under the OneDrive folder, users can use it on all their devices. Likewise, Android has Google Drive and Apple has iCloud. To share cloud storage between devices running different systems, such as Android, iOS and Windows 10, the developer has to do extra work. PassXYZ Cloud is an edition that supports multiple platforms, so all devices can share the same cloud storage. When you switch to a different phone, for example, you will notice the convenience of PassXYZ Cloud.

Cloud synchronization status of files or folders

Although each system makes the cloud storage user interface resemble local storage, you still need to understand the differences between them in use. Below, taking OneDrive as an example, we introduce the file states of cloud storage.

OneDrive File

As shown above, in File Explorer the cloud storage interface is very similar to that of ordinary files, except for an extra column of icons showing the current synchronization status. These status icons are also used in PassXYZ Cloud. The list below explains each of them:

OneDrive File

Other cloud platforms, such as Google Drive and iCloud, have similar synchronization states. Once you are familiar with one, using the other cloud platforms is very similar.

Using PassXYZ Cloud

PassXYZ Cloud's cloud storage support is built on OneDrive. OneDrive was chosen because its cross-platform support is the most complete. The Microsoft Graph API provides a very complete programming interface, and Xamarin apps can use the Microsoft Graph API to implement cloud storage support very conveniently.

PassXYZ Cloud supports Android, iOS and Windows 10. Here we use the Android user interface as the example; the other platforms are similar. First, select OneDrive from the PassXYZ Cloud menu to control the file synchronization settings, as shown below.

PageMaster

After selecting the OneDrive menu item, you see the page shown below. At the top of the page are the OneDrive login option and the synchronization notification setting. After logging in, the list below shows the current state of local and cloud files, and you can operate on a file's state through the context menu. If you are unclear about how the context menu is used on different systems, see the article Comparison of Context Action Menu of PassXYZ on Different Systems.

Enable_Sync

For the current local files and all cloud files, you can enable cloud synchronization through the context menu. Once cloud synchronization is enabled, the file's status changes to the syncing state shown below.

Enable_Sync

Once cloud synchronization is turned on, PassXYZ Cloud automatically synchronizes with the cloud after the data is changed. To monitor synchronization, enable synchronization notifications; you will then receive start and end notifications in the system notification bar when synchronization runs. If you do not want these, turn synchronization notifications off. To cancel cloud synchronization, use the context menu to disable cloud synchronization for the current file.

File merge methods

There are actually two kinds of cloud-based data management. The first puts the whole database in the cloud, so every device reads data directly from the cloud. The second is the cloud storage we commonly see, which operates directly on a local mirror file; when the local mirror is changed, the system synchronizes it with the cloud. OneDrive, Google Drive and iCloud all belong to the latter.

The first method has the advantage that there are no merge conflicts: since there is only the cloud copy, a change made on any device directly changes the data in the cloud. But it also has drawbacks: it cannot work offline, so without a network it cannot be used at all. In addition, the consequences of data leakage or loss are more serious than with the second method.

As for the second method, since the implementation is based on OneDrive, we operate directly on the local mirror file. If the same record is changed on another device, a conflict arises at synchronization time. To resolve it, we need to set the current merge method. As shown below, the menu lists the merge methods that can be chosen for conflicts.

MergeMethods

The setting in the figure above shows all the merge methods supported by KeePass. For simplicity, we recommend using two of them, KeepExisting and Synchronize. The way to use these two methods is to divide all devices into two classes: a main device and secondary devices. Set the main device's merge method to KeepExisting and every secondary device's merge method to Synchronize. New records can be added on any device, because new records do not cause conflicts during synchronization. Try to change existing records only on the main device; in other words, when you need to change an existing record, the merge method should be set to KeepExisting, which makes the current change overwrite the cloud record. The Synchronize setting, on the other hand, overwrites local data with the cloud record.
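As an added example, not KPCLib's or PassXYZ's merge code, the JavaScript below models the record-based merge with the KeepExisting and Synchronize methods exactly as the preceding paragraphs (and the "Merge method" section of the English article above) describe them, and runs the main-device/secondary-device scenario. The `merge`, `syncDevice` and `runScenario` names and the sample records are constructed; the real KeePass merge additionally uses modification times and entry history, which this model leaves out.

```javascript
// Added example (not KPCLib's or PassXYZ's merge code): a simplified,
// record-based model of the two merge methods as the article describes them.
// A database is a Map from record UUID to record. A record present on only
// one side is always added; a record that differs on both sides is a conflict
// resolved by the method. Without a common base version this model cannot
// tell a stale copy from a concurrent edit, which is why the real KeePass
// merge also compares modification times and keeps entry history.

const MergeMethod = Object.freeze({
  KeepExisting: 'KeepExisting', // local copy wins a conflict (main device)
  Synchronize: 'Synchronize',   // cloud copy wins a conflict (secondary devices)
});

// Two records are the same version if every field matches.
function sameVersion(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Merge the cloud copy into the local copy; returns the merged database and
// the UUIDs that were in conflict.
function merge(local, cloud, method) {
  const merged = new Map(local);
  const conflicts = [];
  for (const [uuid, remote] of cloud) {
    const mine = local.get(uuid);
    if (mine === undefined) { merged.set(uuid, remote); continue; } // new from cloud
    if (sameVersion(mine, remote)) continue;                         // unchanged
    conflicts.push(uuid);
    if (method === MergeMethod.Synchronize) merged.set(uuid, remote);
    // KeepExisting: the local version stays in place
  }
  return { merged, conflicts };
}

// One synchronization round for a device: merge the cloud copy into the
// local mirror, then push the merged result back as the new cloud copy.
function syncDevice(device, cloud) {
  const { merged, conflicts } = merge(device.db, cloud, device.method);
  device.db = merged;
  return { cloud: new Map(merged), conflicts };
}

// Constructed scenario: the same record is edited on the main device and on
// a secondary phone before either has synchronized; the phone also adds a
// new record, which never conflicts.
function runScenario() {
  const base = new Map([['uuid-A', { title: 'Mail', password: 'v1' }]]);
  const main = { method: MergeMethod.KeepExisting, db: new Map(base) };
  const phone = { method: MergeMethod.Synchronize, db: new Map(base) };
  let cloud = new Map(base);

  main.db.set('uuid-A', { title: 'Mail', password: 'v2-main' });
  phone.db.set('uuid-A', { title: 'Mail', password: 'v2-phone' });
  phone.db.set('uuid-B', { title: 'Shop', password: 'new' });

  const r1 = syncDevice(main, cloud);  cloud = r1.cloud; // main keeps its edit
  const r2 = syncDevice(phone, cloud); cloud = r2.cloud; // phone takes main's edit
  const r3 = syncDevice(main, cloud);  cloud = r3.cloud; // main picks up uuid-B

  return {
    cloud, main: main.db, phone: phone.db,
    conflicts: [r1.conflicts, r2.conflicts, r3.conflicts],
  };
}
```

If the phone had been set to KeepExisting as well, its `v2-phone` edit would have overwritten the main device's edit in the cloud on the second round, which is the situation the main/secondary split is meant to avoid.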

After reading this article, you should have a better understanding of local and cloud storage, and on that basis you can choose the password manager that suits your needs. If you choose a cloud-enabled password manager, you need to understand the synchronization method and know how to handle merge conflicts during synchronization.

We hope the above helps everyone make better use of a password manager that suits them and enjoy the convenience it brings in daily life.


