Valt

@razkarmi @brentheeringa this reminds me of Vidoop...! If the user picks the images him or herself, doesn't that open them open to some security risk, kind of like using your maiden name as your password reset? Or maybe you can explain what you mean by "hand-curated"?

@razkarmi @chrismessina Valt chooses a random set of images from its hand-curated set. The key is that we use memorable photos and pair them with interesting text and training techniques inspired by cognitive science (see my response to @imrankk below) to essentially burn them into your mind. You get all the security of a random password and all the memorability of human evolution.

@chrismessina I'd love for you to go through the onboarding / training process and give us some feedback!

@brentheeringa cool, WTAL!

@abadesi We've worked hard to balance user experience with security while keeping in mind appropriate threat models. The short answer to your question is it's pretty damn secure! Here's the long answer: we use AES-256 bit encryption and PBKDF2 for our key stretching. The default password is chosen uniformly at random from 455**3= ~94M choices. This yields about 27 bits of entropy. That's not a lot on its own, but we augment each password with 128 bits of entropy (this is called the Valt Secret) and store the secret on each authorized device. This means that even if your encrypted payload were compromised, it would take a *significant* amount of time to decrypt using state-of-the-art tech. We store the Valt Secret in the Keychain and we do the same with the key resulting from mixing your password with your Valt Secret. Even if your phone were to be stolen, a hacker would have to (1) unlock the phone - remember how hard it was for the FBI to do this? (2) hack the Keychain, and (3) finally execute a brute force attack on your password space. In the future we'll add more grids so even the most paranoid people can have upwards of 50-60 bits of entropy in the password alone.

@heliostatic There are 3 big ones: 1. The images. Because the grids are fixed, you eventually learn not only your images, but the patterns. I unlock my Valt in ~3 seconds every time. I never forget my master password and I don't have to type on a tiny screen. 2. Our device authorization process is really clean. Users register their Valt through email verification and then authorize new devices by approving them on already-authenticated devices. The authentication process is key because it allows us to securely pass along the Valt Secret, which is like a booster shot for your master password. It's all very fast and very seamless. 3. Our desktop experience is unobtrusive and natural. We use builtin notifications to alert you when we've captured a password. We never employ modal dialogs and we don't hand roll our own UI. Our browser plugins are lightweight and communicate with the desktop app using native communication channels, which also provides another layer of security.

@brentheeringa Very cool. It's a beautiful app!

@imrankk We hand-curate the images with great care. Part of it was finding the right photographers---we use a lot of images from Ryan McGuire---and understand that memorable photos are not necessarily beautiful or even interesting photos. We also pair the images with curated text during the training. We do this because of the so-called dual-encoding theory, which says information is stored along both a visual and a linguistic channel. Our images and our training process create a really robust memory. Of course, we also offer a simple and secure recovery code too. :)