[APP][4.0+] Twik - Password generator and manager

[SystemErrorOne]

Gonna try this out hopefully it works well. Very excited for this app :good: Great job.

 

[kabracity]

Hello! We're looking for people to help us translating Twik to some additional languages. Twik already supports English and Spanish, but we'd like to support much more languages. If you want to collaborate, that would be awesome!

Thank you very much!

Hi,

I can help with French translation if needed (I'm not French though, in case some French guy wants to take the job instead)

 

[kabracity]

Hi,

I can help with French translation if needed (I'm not French though, in case some French guy wants to take the job instead)

Hi,

I've pushed the files for French translation to github.

Cheers

 

[paranoid365]

It's totally different from LastPass. LastPass stores all your passwords, so if their servers are compromised, then the attacker gets all the passwords of a lot of people. Although those passwords are stored encrypted, I personally don't trust it. It seems to me that storing all your passwords in a cloud service is not the most secure choice, so I looked for something different.

With Twik you also have all your passwords on hand, but not because they're stored anywhere, they're generated everytime you need it, by typing your master key. It generates a different and strong password for each website. You need your facebook password? Twik generates it, it is not stored in the phone or the cloud. And don't forget, Twik is open source, you can take a look at the source code.

Furthermore, there is also a Chrome extension for the desktop called Password Hasher Plus that you can use to generate the exact same passwords that you generate using Twik, because both are compatible. You just have to make sure you set the same private key in Twik and Password Hasher Plus. The Chrome extension is very useful when you are on your PC because you just have to type you master key in the login form of a website and it automatically replaces your master key with the website password before sending the data.

Thank you very much for the reply, and for the information [emoji2] I've actually been thinking about your program ever since I asked my question originally, and the concept, execution, etc. really has my attention. I understand that your program works differently than lastpass, and actually that's a great thing, bc if it can be done in a more secure manner I'm all for it ?

Obviously, from my original question you can tell I currently use lastpass, but to be perfectly honest, lastpass itself is far from perfect. The last pass idea is fine, and dandy, but it is a very heavy, clunky app. It slows my browser down extremly, (a lot of times crashing it), and the app seems to not be consistent as far as auto login, or hell even handling your vault of passwords period. I find I end up with saved sites, plus multiple generated passwords for said sight, so I'm constantly having to clean up my vault, (which is a pain in it's own right). Also their mobile app is atrocious, and doesn't even work 1/2 the time. The reason that gets on my nerves is, bc I'm paying for a product that is more hassle than it's worth, and ultimately that wastes time, and is counterproductive.

I do have a few more questions about twix if you don't mind [emoji41]

1) I see in your description that twix creates a completely random password each time a person visits a site, so does that literally mean, "everytime I come to xda twit is going to create a new diffrent password for the site, bc I'm not sure how that would work with the site if your credentials are always changing??

2) Even though lastpass is a pain, there is the comfort that it won't be going anywhere for a while. So, my question to you is, if I take the time to switch everything over how do I know the app is going to be fully supported for the long run, bc if I then have to switch again I'm not sure the effort would be worth it??

3) This also goes for the chrome extention, that I'm assuming you don't personally own, and maintain. So, what assurances are there that-that particular plugin won't disappear in 6 months, leaving only the mobile app??

4) I know you do not currently have a pc bases app that partners, and syncs with the mobile app, but do you plan on making that happen, and will it be an app, or, just browser extensions, (and what is the approx timeline??

5) The thing is I myself do not completely trust the cloud, and a lot of it's mechanics make me uneasy, so I take the cloud with a pinch of salt.

The thing is I pay someone regardless for this service, so my only concern is that the program gets it right, and does it exceptionally. So, if I pay company a, or, b, or yourself for the service, I just need to know I'm paying for the best program.

@ the person who was leary of short insecure passwords, everyone gets your point, but I'm sure you can set it up in the settings so that it generates super long, super strong passwords. Also, to your other point even other software doesn't nag you constantly about a weak, or bad password, bc if it did most people would just stop using that app. Plus, an app can't "make" a person change their bad password ways, it can only offer pointers, and warnings in the hope the person changes their ways, (but ultimately if that person wants to continue to have bad password habits, there's not much the app can do). Very few people are going to use an app if it makes them do anything, (they don't want to do), or nags them constantly about anything. People change bad behaviours when "they ultimately decide , and not when some piece of software nags them to the point of being an inconvenience, or takes some type of control, and makes a person use only," secure passwords". Not only would a software company do no such thing, but if they did, (just like my example above), the consumer ultimately controls their decisions, and a company like that would go out of business. It's just like the adage that is as old as time, "you can lead a horse water, but you can't make it drink", and if your silly enough to try you're probably just going to get a kick you won't soon forget [emoji33]

 

[gustavomondron]

I'm glad to answer your questions! (very interesting questions, by the way)

1) I see in your description that twix creates a completely random password each time a person visits a site, so does that literally mean, "everytime I come to xda twit is going to create a new diffrent password for the site, bc I'm not sure how that would work with the site if your credentials are always changing??

The point is that the passwords are not generated randomly. They are generated using an algorithm based on HMAC SHA1 (it's implemented in the PasswordHasher.java file), using as inputs the following:

1. A "tag" of the website, typically the domain (for instance, "facebook", "google", "ebay", etc.)
2. The private key, stored in your device.
3. Your master key, that only you know, and is not stored anywhere.

This is a mathematical process and, therefore, the same password is generated each time for the same website. This process is not reversible, so it's impossible to guess your private key or your master key in the case that the password of a website in particular is compromised.

2) Even though lastpass is a pain, there is the comfort that it won't be going anywhere for a while. So, my question to you is, if I take the time to switch everything over how do I know the app is going to be fully supported for the long run, bc if I then have to switch again I'm not sure the effort would be worth it??

I would not be very worried about that On the one hand, I use and need the app everyday so I'm the first one interested in keeping it working flawlessly On the other hand, it's not only free but open source so everybody is free to fork it, improve it, port it to different platforms, etc. in the case that I can't do it.

3) This also goes for the chrome extention, that I'm assuming you don't personally own, and maintain. So, what assurances are there that-that particular plugin won't disappear in 6 months, leaving only the mobile app??

You're right, I don't personally own the available Chrome extension (Password Hasher Plus). However, I also started to develop Twik for Google Chrome and I'll release it in a few days. It will support multiple profiles and will synchronize the options among your different Chrome installations.

4) I know you do not currently have a pc bases app that partners, and syncs with the mobile app, but do you plan on making that happen, and will it be an app, or, just browser extensions, (and what is the approx timeline??

Given that we'll have our own Twik for Chrome extension, synchronizing the desktop and the Android app is a feature that can be introduced in the future. However, this kind of synchronization requires of a web server working 24 hours a day, and this is not a minor issue (for instance, deploying it on the cloud of Google is not free if you exceed a quota).

In addition to the Chrome extension, I'd also like to develop (but I can't tell you when or whether it will actually happen) a desktop application, implemented as a Chrome application, which can be executed out of the browser just as any native application.

5) The thing is I myself do not completely trust the cloud, and a lot of it's mechanics make me uneasy, so I take the cloud with a pinch of salt.

The thing is I pay someone regardless for this service, so my only concern is that the program gets it right, and does it exceptionally. So, if I pay company a, or, b, or yourself for the service, I just need to know I'm paying for the best program.

I understand your concern, but you won't have to pay if you use Twik, it's free and opensource (GPLv3), you can build it yourself if you want I didn't trust the cloud for my passwords, and that's why after looking for alternatives I found the mechanism used in Twik the most appropriate for my needs. I think it's worth trying it, especially taking into account that it's not a closed-source and paid service.

 

[gustavomondron]

Hello! We've just released the Twik for Chrome extension for your desktop browser. You can get it now on the Chrome Web Store. Of course, it's also open source (the source code is available at GitHub).

It is 100% compatible with Twik for Android and it also supports multiple profiles. One of my favorite features is that all your profiles and passwords settings are synchronized among your Chrome installations, so you just have to setup Twik only once

More information is available on the Twik website, and I'll be happy to answer all your questions here.

Looking forward to your feedback!

 

[murderered]

+1 good work, +1 open source

I have not analyzed it and i think a normal user also would not do it, so here is a question:
For what do you need a network connection?
Please write your answer not only here but also in the description in the stores (at least f-droid ), many people like me are paranoid....

EDIT: translated it to german, see result at https://github.com/gustavomondron/twik/issues/2

 

[gustavomondron]

That's a good question

As you know, Twik is a password manager in addition to a password generator. We really wanted to provide an UI that allows you to get the password you want as fast as possible. Showing not only the name of the website but also its favicon make its easier to find it faster and also makes the UI more visual. In order to download the favicon, the Internet permission is necessary That's the only point in the application that uses the Internet connection. It's in the FaviconLoader.java file, if you want to take a look.

I'm updating the Play Store description to justify the need for this permission, you got a point there.

Thank you very much for your comments and, of course, for the translation to German too, we'll add it to the next release You can be sure that your name will be included in the acknowledgments

P.D. I almost forgot! I know it's a bit long but... would it be possible to get the Twik description in Play Store also translated to German? It's not urgent, anyway

+1 good work, +1 open source

I have not analyzed it and i think a normal user also would not do it, so here is a question:
For what do you need a network connection?
Please write your answer not only here but also in the description in the stores (at least f-droid ), many people like me are paranoid....

EDIT: translated it to german, see result at https://github.com/gustavomondron/twik/issues/2

 

[murderered]

Thank you very much for your comments and, of course, for the translation to German too, we'll add it to the next release You can be sure that your name will be included in the acknowledgments

Thanks.

P.D. I almost forgot! I know it's a bit long but... would it be possible to get the Twik description in Play Store also translated to German? It's not urgent, anyway

Twik ist ein einfacher Passwort-Generator und Manager für Android. Und dass, ohne die Passwörter zu speichern!
Sich die Unmengen Passwörtern für alle möglichen Dienste zu errinern, ist schwierig, vor allem mit den Anforderungen an die Passwörter. Jedes Passwort soll einzigartig sein und doch einfach zu merken. Das ist nicht nicht einfach. Man könnte die Passwörter einem Dienst anvertrauen und sie dann jedem Gerät zur Verfügung stellen. Mit einem Blick auf Sicherheit ist das ein absolutes No-Go. Würde der Dienst gehackt, wären alle Passwörter unsicher!

Twik arbeitet auf eine andere Weise. Twik erstellt einen privaten Schlüssel, der auf dem Gerät gespeichert wird. Zusammen mit einem Master-Passwort, das Du dir merken musst, kann jetzt für jede Webseite oder jeden Dienst ein induviduelles Passwort generiert werden. Nur die Kombination des privaten Schlüssels, des Master-Passwort und der Webseite oder dem Dienst ermöglicht es, das Passwort zu berechnen. Damit wären, selbst wenn ein Dienst gehackt würde, Deine restlichen Passwörter sicher. Twik integriert sich auch in den mobilen Web-Browser mit der Teilen-Funktion, damit auch beim Einsatz unterwegs alles schnell geht.

Für den Rechner gibt es auch ein Addon für Chrome im Chrome Web Store. Du kannst den gleichen privaten Schlüssel auf deinem Rechner benutzen, um so die gleichen Passwörter (natürlich nur mit dem gleichen Master-Passwort) zu generieren, solltest Du dein Smartphone nicht zur Hand haben.

Weitere Features:
- Beliebig viele Profile, jedes mit eigenem privatem Schlüssel
- Webseiten-Icons zum schnelleren Identifizieren
- Identicons zum überprüfen, ob du dein Master-Passwort richtig eingegeben hast, ohne es im Klartext zu sehen
- Teilen-Funktion für Browser um schnell an den Passwort-Generator zu kommen
- Anpassbare Sicherheit für jedes Passwort
- Automatisches Kopieren des Passwortes in die Zwischenablage

Twik ist Open-Source (GPLv3), die Quellen gibt es bei GitHub: https://github.com/gustavomondron/twik
Berechtigungen: Die Internet-Berechtigung wird nur dazu verwendet, Webseiten-Icons herunterzuladen. Es werden keine Daten gesendet.

It's not translated directly. But i think it's better to read.
Please release the text together with the new version, not before (else you may get bad votes at the Play Store).
I don't know how the f-droid store works, but if possible, please add also there the german description.

 

[gustavomondron]

Thanks.





It's not translated directly. But i think it's better to read.
Please release the text together with the new version, not before (else you may get bad votes at the Play Store).
I don't know how the f-droid store works, but if possible, please add also there the german description.

Thank you very much, it was very fast!

With regard to F-Droid, I don't know how it works too. I didn't publish the app there myself and I don't know who is responsible for keeping it updated. I guess it'll be possible to open an update request but, honestly, I don't know. I'll take a look at that.

 

[sevenpastzeero]

@gustavomondron thank you very much for the app. I tried to use password managers many times before but could not get used to them, but twik makes everything different

I just wanted to ask you how to get the favicon to show? Is there any special way? For example, I tried to type the website as google, google.com, www.google.com but every time there was no favicon only the first letter.

 

[gustavomondron]

@gustavomondron thank you very much for the app. I tried to use password managers many times before but could not get used to them, but twik makes everything different

I just wanted to ask you how to get the favicon to show? Is there any special way? For example, I tried to type the website as google, google.com, www.google.com but every time there was no favicon only the first letter.

Hello, I'm really glad you find Twik useful! :good:
Regarding the favicon, to get the favicon you just have to share the webpage you're generating the password for with Twik from your favourite browser.

 

[sevenpastzeero]

Hello, I'm really glad you find Twik useful! :good:
Regarding the favicon, to get the favicon you just have to share the webpage you're generating the password for with Twik from your favourite browser.

Thank you. I never thought if doing that. Now I have favicons showing

 

[sloheim]

So, at first glance, I love, Love, LOVE the idea of this app. I'm a LastPass user, and would consider jumping ship to this. I have almost 200 passwords set in my LastPass account, and it would be pure hell to change them all to follow your algorithm... but it would be worth the effort.

BUT.

What happens when I get that dreaded email from Facebook telling me that my account has been compromised? There is no way for me to change JUST my facebook password. I'd need to change my master password, which would force me to change ALL of my passwords, because the hash would change.

Do I understand that correctly? If so... thats a dealbreaker.

 

[khaytsus]

I

1. A "tag" of the website, typically the domain (for instance, "facebook", "google", "ebay", etc.)
2. The private key, stored in your device.
3. Your master key, that only you know, and is not stored anywhere.

This is a mathematical process and, therefore, the same password is generated each time for the same website. This process is not reversible, so it's impossible to guess your private key or your master key in the case that the password of a website in particular is compromised.

So, at first glance, I love, Love, LOVE the idea of this app. I'm a LastPass user, and would consider jumping ship to this. I have almost 200 passwords set in my LastPass account, and it would be pure hell to change them all to follow your algorithm... but it would be worth the effort.

BUT.

What happens when I get that dreaded email from Facebook telling me that my account has been compromised? There is no way for me to change JUST my facebook password. I'd need to change my master password, which would force me to change ALL of my passwords, because the hash would change.

Do I understand that correctly? If so... thats a dealbreaker.

See this post from the OP before. No, you would just change the tag.

I like the idea of this app, I've seen the idea before of taking "some string" (be it URL, a tag, whatever) + master password = password to use. But I also have general purpose passwords, like lock combinations and stuff like that. They don't really fit with this app. I suppose I could use my existing solution (Keepass) for certain types of "passwords" and this for website passwords. I might try it out and see how I like it. One thing I like about this is that there's NO syncing required, ie: with KeePass if I add/modify on my desktop I have to hope that Dropbox has synced the file up to Dropbox and my device has synced it Down, or from the device, etc etc... And yeah, I have to hope the file itself is secure since it's on Dropbox.

Thanks, nice idea, hope to see a Firefox extension soon

 

[sloheim]

See this post from the OP before. No, you would just change the tag.

Thanks for pointing that out. It definitely warrants consideration now.

Only upside of LatsPass over this now is the IE extension... have to weigh the pros and cons of both...

 

[sloheim]

As much as I like it, I just see too many barriers caused by "forced" password changes.

Today I had a website change their security policy, and they asked me to change my password. Lets say the original password was generated with a tag of "ESPN". Theoretically, I could just make it "ESPN2"... but with 200 passwords to manage, I'll never keep track of which sites are 2, 3, 4, etc. It just seems like a maintenance nightmare.

Thanks for a great idea... I just think it has some shortcomings that folks will discover in the long run.

 

[pcienniwa]

using phone and desktop Twik

I'm considering using Twik on both my Android phone and on desktop Chrome. The problem with Chrome is that I can't see the password that's generated, unlike on Android where I can see the password. My concern is that I want to be sure that both platforms are generating the same password. (I wouldn't be asking this question if I could actually see the Chrome password when generated!)

Please tell me if I understand Twik correctly for use across phone and desktop. If I 1) use same master key, 2) use same private key, and 3) use same website tag, the password generated at Chrome (the password I'm unable to see) will be the same password that I'm able to see with the Android app. Right? Or wrong?

Thanks.

 

[gustavomondron]

I'm considering using Twik on both my Android phone and on desktop Chrome. The problem with Chrome is that I can't see the password that's generated, unlike on Android where I can see the password. My concern is that I want to be sure that both platforms are generating the same password. (I wouldn't be asking this question if I could actually see the Chrome password when generated!)

Please tell me if I understand Twik correctly for use across phone and desktop. If I 1) use same master key, 2) use same private key, and 3) use same website tag, the password generated at Chrome (the password I'm unable to see) will be the same password that I'm able to see with the Android app. Right? Or wrong?

Thanks.

Your're right, both apps are 100% compatible and therefore they generate the same passwords. Actually, I could add a button for seeing the generated password, but I'm not sure that's the typical use case. Maybe it's worth adding it as an optional features.

 

[gustavomondron]

As much as I like it, I just see too many barriers caused by "forced" password changes.

Today I had a website change their security policy, and they asked me to change my password. Lets say the original password was generated with a tag of "ESPN". Theoretically, I could just make it "ESPN2"... but with 200 passwords to manage, I'll never keep track of which sites are 2, 3, 4, etc. It just seems like a maintenance nightmare.

Thanks for a great idea... I just think it has some shortcomings that folks will discover in the long run.

I understand your concern. Actually, Twik manages all your tags, both in Android and Chrome (and now also in Python, by the way ), and if you change the tag of a website, Twik will remember it.

For instance, in the Android app, when you share a website with Twik from the browser, Twik associates the website domain with the tag you define, so the next time you share that website Twik will remember the tag you used before.
I've personally been using this password generation mechanism for a long time (more than a year for sure) and it's still the best choice for my own needs.
However, I know there's still room for improvement with regards to tag management and I've some ideas I want to implement in future releases.