
Topic: ZeroPass (Read 783 times)

newbie
Activity: 3
Merit: 0
September 18, 2015, 02:43:37 PM
#6
What determines the choice of domain .io?

IO= input/output
or
IO= 10 (binary)

It's popular among startups and we like it too.

IMHO, that is useless. There are plenty more reputable and better password managers than your new one; yours has no real userbase, so the chances of being hacked are pretty large.

Reputable?
Sure, reputation is built with time.

Better?
Hardly.
I really don't know how you can consider one password repeatedly typed "safe".
When you type the same password multiple times, you expose it and it stops being secure.
This exposes all passwords/keys that this one password encrypts.

Chances of being hacked don't increase linearly with user base.
Some systems are just better designed. A multi-signature design should prevent more attacks than any "single point of failure" (reputable) system out there.
Making it open should help greatly too.

Features that let you recover your coins after your devices are wiped out, or a feature that lets you block all signing after your devices are stolen, are just a bonus.
I do invite you to read the Whitepaper.
full member
Activity: 176
Merit: 100
September 18, 2015, 02:14:45 PM
#5
IMHO, that is useless. There are plenty more reputable and better password managers than your new one; yours has no real userbase so the chances of being hacked is pretty large.
sr. member
Activity: 378
Merit: 252
September 18, 2015, 08:14:12 AM
#4
What determines the choice of domain .io?
newbie
Activity: 3
Merit: 0
September 18, 2015, 03:31:07 AM
#3
Thank you for the tip on the audit company, but if the pricing of a security audit is still in the 30k+ range, we will pass on it for now (until the next round of funding).
I will definitely write to them before we publish the code on a public repo.

DDoS:
Logins are not part of the main encryption. For the communication channel (message delivery) we use the Telegram messaging system. They were hit with 200 Gbps of junk traffic 2 months ago, so they are working hard to mitigate those massive DDoS attacks.
Our servers cannot be attacked directly. Even in the event of a blackout, all your codes are fine, and you can always recover your keys (if our server connection is down, you need to collect your keys manually).

About key distribution:
Users of ZeroPass would have to deploy the keys with their trusted contacts, otherwise there are no additional password slots for them. We would also bug you until you actually deploy backup shares.
In the meantime? (Until they refuse to do so.)
BackupKeyShares get distributed among 5 randomly selected users automatically. (There is more in the "Key split" section of the Whitepaper.)

I don't think the attack you are describing has any chance of success. These shares would already be distributed (automatically or, better, manually), so even in the event that an attacker totally owned your device, there would be no shares stored there to steal.
hero member
Activity: 899
Merit: 1002
September 17, 2015, 02:59:03 PM
#2
If you have funding and are serious then pay Matasano (now ncc) security to do an audit, they have people there who specialize in breaking password management schemes like Lastpass and 1password. https://www.nccgroup.trust/us/our-services/security-consulting/ one of their guys repeatedly owned the CryptoCat chrome extension too. If your extensions plan on using NDK then you are adding sandbox breakout possibilities.

Can a denial of service attack against your server shut down all logins (if they don't back up to "3 trusted parties")? If so criminals will use this distraction to DoS admins trying to log into their management apps during a hack and emptying of accounts. I foresee many people simply keeping the split keys on their own system, and then having all of them stolen.
newbie
Activity: 3
Merit: 0
September 17, 2015, 09:47:38 AM
#1
Hi Bitcoiners,

I want to introduce you to ZeroPass http://zeropass.io/, which our team is working on, with an estimated time of delivery of 6 months.


Quote
Yet another password manager?
Not really. We want to make a private key manager. One that is so easy to use, even your mum can use it.

We plan/hope to give encrypted services like:
crypto-currencies,
encrypted data storage (example: Dropbox alternative Tresorit https://tresorit.com/),
encrypted communications (example: Gmail alternative ProtonMail https://protonmail.ch/),

much-needed ease of use regarding passwords/private-keys/pass-phrases/backup-codes.

If you lose any of them, you lose all of your data/communication history, or with bitcoin, all the money value.
This "key or nothing" approach is not how the general public likes their services to be.
That's why we get centralised solutions that go against the nature of decentralization and privacy. They completely miss the point of bitcoin.

On the surface, ZeroPass is just like any other password manager, but with a key difference: there is no one password.
There will be apps for all major platforms and extensions for your browsers.

By default, it protects your secret (passwords/private-keys/pass-phrases/backup-codes) with 3 factors (warning: simplification ahead).
1.) Your device holds the first half of the secret.
2.) The second half is stored on our servers and can be delivered when you sign your request with your device.
3.) The server asks you for a second signature (second device with another private key), just to make sure that your first device was not stolen.

There would be plenty of options to add passwords in your app [password slot] or just use biometrics on both of your devices, but all these options are optional.

You could think of ZeroPass as a multi-signature bitcoin wallet (example: BitGo), but for your private key. ZeroPass servers provide the second half and make sure that everything is ok before we send it to you.

Quote
Ok, so no passwords then. What if I get locked out? What if your service gets shut down?

No worries, you can always recover with two out of three keys. If you lose all your devices (one key), or the server gets shut down (another key), you still have a backup key to combine with one of the remaining keys.
To make things extra simple, you just invite 3 trusted contacts to split the backup key with (you need 2 trusted contacts to recover), and they can help you recover your backup key. There is no need to safe-keep it in a vault somewhere.
We plan to opensource everything (everything but zero-knowledge servers), so the community will have an option to review all of our claims.


Our schematic visualised:
http://zeropass.io/schematics

And the Whitepaper on gitbook:
http://zeropass.gitbooks.io/whitepaper/content/

We hope we could get any feedback/critique/suggested improvements or “reviews” on our Whitepaper/security scheme.

We will come back later (estimate: 6 months) with the apps and their code in a public GitHub repository.

Best,
Luka Percic
ZeroPass
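As an added example (not ZeroPass's own code; its whitepaper is not on this page), the "two out of three keys" recovery and the 2-of-3 split of the backup key among trusted contacts described in the post can be modelled with Shamir secret sharing over a prime field. The prime, the integer encoding of the key and the `demo_recovery` layout are assumptions made here.

```python
import secrets

# Field prime (2^127 - 1); assumed for this example. Secrets must be < PRIME.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    # Horner evaluation of c0 + c1*x + ... mod PRIME; c0 is the secret.
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, num_shares):
    """Return num_shares points (x, y); any `threshold` of them recover
    the secret, and fewer reveal nothing about it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 < threshold <= num_shares:
        raise ValueError("need 1 < threshold <= num_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold`
    distinct shares the result is a random field element, not the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo_recovery():
    """Model the thread's scheme: device, server and backup keys (2 of 3),
    with the backup key itself split 2-of-3 among trusted contacts."""
    key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed secret
    device, server, backup = split_secret(key, 2, 3)
    contacts = split_secret(backup[1], 2, 3)  # contacts hold shares of backup y
    rebuilt_backup = (backup[0], recover_secret(contacts[:2]))  # any 2 contacts
    return (recover_secret([device, server]) == key
            and recover_secret([device, rebuilt_backup]) == key
            and recover_secret([server, rebuilt_backup]) == key
            and recover_secret([device]) != key)  # one key alone is useless
```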