Frequently Asked Questions
What exactly is PassLok Universal?
It is an extension for Chrome and Firefox (and their derivatives), which encrypts and decrypts data on the page, and can also be used to fill passwords, all by simply clicking an icon. The encryption functions are the same as in PassLok for Email, except that they can be used on any service. The password functions are the same as in SynthPass.
What's so special about this app?
Actually, plenty. Here's a list:
- It's open source. You can see the code on GitHub, and you can see it as it executes by right-clicking its popup and selecting "Inspect." Not many security-related apps are so open to inspection.
- It's free. Nobody's going to ask you to make an account, or offer you a few days "free." It's just free, period.
- It's very easy to use. You click its icon and follow instructions on the popup, which typically involve typing what you want to encrypt or remember, and clicking a button. Plus typing your master Password somewhere along the line, otherwise anyone could supplant you.
- You never have to change your master Password. Nobody is going to ask you to do it and you won't lose any security if you don't. But you can change it at any moment if you so desire; it's as easy as typing in the new Password when asked, instead of the old one.
- It's very powerful. Its encryption engine is NaCl, one of the most respected encryption engines today. It uses Signed encryption by default, but can also make Read-once messages (which "self-destruct" after you read them), Anonymous (so you can use a dummy address), and several kinds of encryption where you share a password with the recipients. PassLok Universal can also hide its data so your messages don't appear encrypted at all.
- It's portable, so you can go to a friend's computer, log yourself into Chrome or Firefox, and continue as if you were back at your computer.
- It uses no servers, so no one else has your data. This doesn't look like much, but it's actually quite a feat, and quite rare among apps this powerful. All data to be remembered is stored (encrypted) in the browser's own data system. We believe servers are evil.
- We don't force you to trust us. Go ahead and inspect the code before it executes. If you can't read JavaScript, you can easily find someone who can, because it's a very popular programming language. All the code is in full view of the user rather than hidden in a server somewhere.
Just give me the 1-2-3 of encrypting and decrypting
Here you go:
- Install the extension. PassLok Universal cannot do anything for you if it's not installed. You can load it for free from the Chrome and Firefox web stores, or you can get the installation file and load it outside those stores.
- To encrypt: open a Compose window on your favorite email and click the PassLok icon on the upper right of the browser. A dialog will appear where you can write your message securely. Select the recipients from a list on that same dialog, and click the Encrypt button. If your master Password hasn't been entered within the last five minutes, you'll be asked to enter it again. The encrypted message will appear in the Compose window, so you can fill the rest and send it using your regular email service.
- To decrypt: display the encrypted message you want to decrypt so it's the first encrypted message visible on the page, then click the PassLok icon. If you have not entered your master Password within the last five minutes you'll be asked to enter it again. Then the message decrypts and appears in a popup below the icon.
And the 1-2-3 of filling passwords?
1. If a login is visible, clicking the PassLok icon opens a popup where you can write your master Password, which will be filled if you have used it within the last five minutes.
2. Click the OK button, and the login is filled. If you want to change your password for that website, change the contents of the Serial box before you click OK. This will be remembered, as well as your user ID.
3. OK, so there's only two steps. Sorry about that.
What if I forget my master Password?
Then you're going to be in real trouble, because PassLok Universal doesn't store it anywhere, even locally. But there are a couple features that might help you:
- The master Passwords for encryption and for logins don't have to be the same. You may, for instance, write yourself an encrypted email containing your master for logins, plus a note containing your master for encryption, which is encrypted with the password master. Then, if you remember one of the two you can retrieve the other.
- As you type either master Password, a mnemonic "Hashili" word appears above it. You may not recall the Hashili off-hand, but likely you'll recognize the good one when it pops. Often a failure to get the right master Password is because of a mistype, so this can really help.
I want to use PassLok Universal on a cell phone
That would be really nice, but PassLok Universal is a browser extension, and today's mobile browsers don't support extensions yet (wonder if they ever will).
Still, you can load the standalone PassLok Privacy, which is fully compatible with PassLok Universal encryption-wise, from this address: https://passlok.com/app. You can use it with your mobile email or texting by cut and paste. There's also an Android app.
For password filling, you can fire up the SynthPass web app, which will synthesize the same passwords, available from https://synthpass.com/app
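The password-filling answers above depend on synthesizing each site's password from the master Password rather than storing it, which is why the Serial box can rotate a password and why the SynthPass web app can reproduce the same passwords on another device. A minimal Node.js sketch of that idea, added here as an illustration and not SynthPass's actual algorithm: the use of scrypt, the salt layout, the alphabet, and the names `synthesizePassword` and `normalizeHost` are all assumptions.

```javascript
// Added illustration: NOT SynthPass's actual algorithm (assumed design).
const { scryptSync } = require("node:crypto");

// 64 symbols, so masking a byte with 63 selects one without modulo bias.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Hypothetical helper: reduce a URL or bare host name to a lowercase host,
// so the same site always yields the same salt.
function normalizeHost(site) {
  const withScheme = site.includes("://") ? site : "https://" + site;
  return new URL(withScheme).hostname.toLowerCase();
}

// Derive a site password from the master Password, the host and a serial.
// Nothing is stored: the same three inputs always give the same output.
function synthesizePassword(master, site, serial = "", length = 16) {
  if (!master) throw new Error("master Password is required");
  // JSON encoding keeps ("ab", "c") distinct from ("a", "bc").
  const salt = JSON.stringify([normalizeHost(site), String(serial)]);
  // scrypt is deliberately slow, which raises the cost of guessing the
  // master Password from one leaked site password.
  const key = scryptSync(master.normalize("NFKC"), salt, length, {
    N: 16384, r: 8, p: 1,
  });
  return Array.from(key, (b) => ALPHABET[b & 63]).join("");
}

// Constructed sample inputs (not real credentials).
const master = "correct horse battery staple";
const first = synthesizePassword(master, "https://mail.example.com/login");
const again = synthesizePassword(master, "MAIL.example.com");
const rotated = synthesizePassword(master, "mail.example.com", "2");

console.log("same site, same password:", first === again);
console.log("new serial, new password:", first !== rotated);
```

Because the output depends only on its inputs, a forgotten master Password cannot be recovered from anything saved, and a mistyped one silently produces a different, wrong password.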
What if there's neither a login nor something to encrypt or decrypt?
In that case, clicking the PassLok icon opens a popup with two things:
- A button that will put the page inside an isolating "cage" so other extensions don't have access to it. Think of it as Incognito or Private mode, but within the normal set of tabs. You can change the URL of the page after that, or load from a list a secure search engine or a web app related to PassLok.
- A box where you can type anything you like. When you click Save, PassLok will ask you for your master Password in order to save it securely. It will ask you again to display it. A good place to store extra instructions for login, the name of the pet you never had, or whatnot.
What are the vulnerabilities?
We've worked really hard to mitigate them, but vulnerabilities always exist. Here's a list of those we know about, so you can decide if you can live with them:
- PassLok won't authenticate users outside of their email addresses. This means no two-factor authentication, which would require a server, which introduces its own (large) set of vulnerabilities. It is also possible that someone capable of intercepting communications may impersonate your friends. There is, however, a trick explained in PassLok's help page that will flush out a potential interloper.
- The code could be altered by the web store from where you download it. Google and Mozilla swear they cannot, but who knows? In any case, you can always inspect the code as it runs. Try doing this with a server-based app (the majority out there). If you feel really paranoid, you can download the extension from its GitHub repo and install it yourself. It's quite easy.
Who are you?
My name is Francisco Ruiz and I am the leader of the PassLok project. I have been a professor at the Illinois Institute of Technology, in Chicago, since 1987. In addition to cryptography, I have interests in energy, transportation, literature, music, photography, and theology. You can read some more about all these projects at my page at IIT, or my personal page at prgomez.com. Drop me a line at [email protected]
Why are you doing this?
Because I love people, and I believe their ability to communicate privately is a God-given right. When they exercise it, they are supporting innovation, free exchange of ideas, better government, and then everyone benefits. It's the bad, tyrannical governments throughout history that fear ironclad private communications, because they see enemies everywhere.
Will terrorists and pedophiles be able to use my app? Sure, as they also use roads, electricity, and indoor plumbing. But likely they are already using something heavier than PassLok Universal in order to protect their online communications. It's the little guy on the street who is having his privacy trampled on these days, and this is the guy I'm trying to help.