How to use the LISTHASH password manager?
The LISTHASH password manager is a tool designed to securely generate and manage passwords from a user-provided seed. This article guides you through setting up and using the password manager so that your authentication data is protected and accessible when you need it. This manager is NOT designed to be easy to use without a full understanding of the process; rather, it is designed to maintain an extreme level of security and to protect the confidentiality of your authentication data.
Initial configuration
Providing a seed is essential for password generation in LISTHASH. The seed must contain at least 62 distinct characters to ensure high security and to be accepted by the application. We recommend using the PassGeni service to generate your seed securely. Store the seed in a safe place: it will be needed to retrieve your authentication data, and LISTHASH will not store it in the application.
Seed generation and usage
Using the password generation service provided by PassGeni, set a minimum length of 20 characters, select all available symbols and proceed to generate a set of passwords. PassGeni will provide you with a set of 400 random characters that you can copy, store and use as a seed in the LISTHASH service.
From the seed provided, LISTHASH generates a hash using the SHA-512 function and extracts the list of characters that will be used in the generation of passwords.
The hash and the character map derived from the seed are kept for the duration of the session opened in the application through the browser. The seed itself is not kept: once its hash and character map have been determined, it is deleted. The hash and character map are deleted only when you close the browser or the corresponding tab of the LISTHASH application. Therefore, each time you open the application you must provide the seed to reveal your passwords, unless you choose to activate permanent storage of the hash and character map, which removes the need to provide the seed.
Thanks to the process employed by LISTHASH, you can apply easily remembered modifications to the seed before LISTHASH processes it. The seed in its original form can then be revealed to an attacker, but without the modifications, which are known only to the user, it will be impossible to use it to obtain your authentication data. Inserting a memorable character after a specific character, adding a space in a given line or column or after a given number of characters, or removing a portion of the seed are modifications that increase uncertainty, due to the chaotic behavior of the hash function used in the generation process. Only precise knowledge of the generation process, its details and the special modifications will reveal valid authentication data.
With a valid seed, LISTHASH derives and presents a specific code linked to the seed that you can memorize. In this way, you can verify that the seed you enter is valid for your authentication data and use it to increase the complexity of the generation process. Remember that LISTHASH will never tell you whether the data you provide is valid or not; only full and correct knowledge of every detail of the generation process will result in a valid password for the corresponding authentication data.
Account management
The LISTHASH manager allows you to add and delete user accounts in a list, where each record retrieves the password of the corresponding account, taking its time of creation into account.
Every new record requires the data corresponding to the account: service, username and password length. The time of creation is used as an additional unique value that introduces the uncertainty each record needs to produce a new and unique password.
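The following added example, which is not LISTHASH's own code, shows how a seed check, a SHA-512 seed hash, a character map and the record fields (service, username, length, creation time) can yield a reproducible password that changes when the seed is modified or the record is updated. The page does not specify LISTHASH's derivation, so the character map as the sorted set of distinct seed characters, the HMAC-SHA-512 construction, the names prepareSeed and derivePassword, and the sample seed and record are all assumptions.

```javascript
// Added illustration, not LISTHASH's code. The derivation scheme is an assumption.
const nodeCrypto = require('node:crypto');
const MIN_DISTINCT = 62; // minimum distinct characters stated in the article

// Validate the seed; return its SHA-512 hash and its distinct-character map.
function prepareSeed(seed) {
  const charMap = [...new Set(seed)].sort(); // assumed: map = sorted distinct chars
  if (charMap.length < MIN_DISTINCT || charMap.length > 256) {
    throw new Error(`seed has ${charMap.length} distinct characters; need 62 to 256`);
  }
  const seedHash = nodeCrypto.createHash('sha512').update(seed, 'utf8').digest();
  return { seedHash, charMap }; // the seed itself is not retained
}

// Assumed construction: HMAC-SHA-512 keyed with the seed hash over the record
// fields and a block counter, mapped onto the character map.
function derivePassword({ seedHash, charMap }, record) {
  const { service, username, length, createdAt } = record;
  if (!Number.isInteger(length) || length < 1) throw new Error('invalid length');
  const label = JSON.stringify([service, username, length, createdAt]);
  // Bytes >= limit are discarded (rejection sampling) to avoid modulo bias.
  const limit = 256 - (256 % charMap.length);
  let out = '';
  for (let counter = 0; out.length < length; counter++) {
    const block = nodeCrypto.createHmac('sha512', seedHash)
      .update(`${label}|${counter}`, 'utf8').digest();
    for (const byte of block) {
      if (byte < limit && out.length < length) out += charMap[byte % charMap.length];
    }
  }
  return out;
}

// Constructed sample data: a 94-character printable-ASCII seed and one record.
const SAMPLE_SEED = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join('');
const SAMPLE_RECORD = { service: 'mail.example', username: 'alice', length: 24, createdAt: 1700000000000 };

function demo() {
  const state = prepareSeed(SAMPLE_SEED);
  return {
    original: derivePassword(state, SAMPLE_RECORD),
    repeated: derivePassword(prepareSeed(SAMPLE_SEED), SAMPLE_RECORD),
    // One memorized modification (a space after "A") changes the result.
    modifiedSeed: derivePassword(prepareSeed(SAMPLE_SEED.replace('A', 'A ')), SAMPLE_RECORD),
    // A later creation time on the same account also changes it.
    updated: derivePassword(state, { ...SAMPLE_RECORD, createdAt: 1700000000001 }),
  };
}
console.log(demo());
```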
By default, the list of account authentication records goes from the most recent record to the oldest. Selecting an account authentication record shows the options available for the record:
1. Copy password: Copies the password corresponding to the account linked to the record to the clipboard. The user must provide the seed code and a secret code known only to them to retrieve the password.
2. View password: Displays the password corresponding to the account linked to the record. The user must provide the seed code and a secret code known only to them to retrieve the password. This method allows the user to use a different device from the one they use to access their accounts, increasing the security of password use by decoupling storage and use.
3. Update password: Allows you to use the existing account record and provide only the length data to generate a new password. By default, updating a record does not delete the previous record corresponding to the account and you can have a history of all authentication data used for a specific service and user.
4. Delete a record: Deletes only the corresponding record's base data used to retrieve its authentication information.
Account administration also offers the general options of importing and exporting the data corresponding to the account list. This allows you to recover a list from a backup file and, in the same way, to create a backup file of the current list in the application.
Information Security
The user is informed that, for usability and to reduce complexity, the account lists are kept in the browser session and persist even if the tab is closed. However, for security, the seed is not stored directly, so it is necessary to re-enter it to access the authentication data each time the application is opened. In the case of the seed hash and its corresponding character map, it is up to the user to choose whether or not the information persists when the browser is closed, and therefore whether the seed must be entered each time the application is opened.