EveryPass™

EveryPass uses AES 256 bit encryption to store your data. This is a very strong form of encryption, the same used by banks to protect money and security organisations to protect national secrets. EveryPass uses the Stanford Javascript Crypto Libray (SJCL) implementation of this encryption standard.

EveryPass uses your browser as the execution environment, the same browser you most likely use to access your online bank accounts. With EveryPass, your data is not saved onto a server on the Internet; it’s saved to the device you are using. Once saved locally, you can transfer the file to your other devices.

There are no "back doors" to your content in EveryPass once it is encrypted. This means that if you lose your main password, your data can not be recovered.

Unlike the vast majority of applications, EveryPass bundles both application software and user data into a single file. The application part of the file consists of the HTML user interface and JavaScript software, the user data part consists of an encrypted data store. This is done to achieve maximum portability.

EveryPass, like other security applications, has known weak points. It is important that you understand these so that you can make an educated choice on whether EveryPass meets your security requirements.

• Because there is currently no effective way to perform JavaScript code signing it is not possible for your browser to determine whether an EveryPass application has been modified maliciously. This gives rise to a variety of attacks known as Man In The Middle (MITM). EveryPass is susceptible to these every time it is transferred over an insecure channel like email or if you download it via HTTP from a third party. However, if you source EveryPass from our server over HTTPS or you verify the original file using the signatures provided you can be assured that it has not been modified in transit.
• JavaScript cryptography is considerably less mature than direct operating system runtime environments. The SJCL library, although tested extensively, may not perform as well as other technical alternatives.
• The browser you use could be susceptible to side channel attacks or could leak information through a design fault, nevertheless Internet banking relies on the very same browser to protect access to your money. Similar problems are also found in other runtime environments and establishing a 100% trusted environment is nearly impossible on modern day devices, especially when you are connected to the Internet.

Checksums

The checksums are provided to help verify the authenticity of new copies of EveryPass downloaded. When you download EveryPass directly from Consunet, it is served over a secure HTTPS connection. This means that you do not have to perform further authenticity checks, however when you download from a third party, you should verify that the files have not been modified by using the signatures provided.

The checksums provided are MD5 and SHA256. To calculate a checksum of your EveryPass copy, use one of the following applications for your operating system.

• linux terminal> md5sum EveryPass.html
• linux terminal> sha256sum EveryPass.html
• osx terminal> md5 EveryPass.html
• osx terminal> shasum -a 256 EveryPass.html
• windows: install Microsoft's PsFCIV tool

Once you start using EveryPass, the original signatures will no longer match since you add your data to the file, you can however use our Validator service to check files you are unsure about. If you do not want to send your encrypted data to our Validator service, you should make use of the import function from a trusted copy of EveryPass. This retrieves only the encrypted data from an untrusted copy of EveryPass and validates it using the AES 256 encryption.

Add new password entry

1. Find the blank entry form at the bottom of the page, you may need to scroll down.
2. Type what the password is for in the "New password for..." box, e.g. my.emailserver.com
3. Type in the username and password details in the like named boxes.
4. Optionally, provide additional information, such as question and answer challenge for password recovery in the Additional Information boxes.
5. Click the Add button to add the password to your password list.

Remove a password entry

1. Click the Del button on the entry you don't want anymore.

Save your passwords

1. At the bottom of the screen type in a password to protect all your other passwords. Remember, this one keeps ALL your other passwordssafe so it should be a strong password.
2. Optionally, provide a hint for yourself. Keeping in mind the point above, don't make it obvious.
3. Hit the Encrypt button. This will encrypt all your passwords and package everythingneatly into a single HTML file. You can save it to your local disc or perhaps a cloud service.
4. You should avoid overwriting the previous copy of EveryPass, so if something goeswrong you can recover from the previous file.

View your passwords

1. To view your passwords, simply open the EveryPass file in a web browser and provide your master password.
2. Each entry has a Show button, click it to view your secrets.

Import

It is possible to use this copy of EveryPass to import data from another EveryPass copy into this one.

1. Click the Import button in the top right corner.
2. Provide a password for the imported file.
3. Passwords from the imported file will be appended to your current file's password list.
4. Importing also provides a secure way of accessing an EveryPass file you suspect has been tampered with.

Search

1. The search box at the top of the page searches in all the input boxes of each entry.
2. If a single entry is found, it will automatically open for you.

Problem Reporting

If you find any problems or have suggestions for EveryPass, please report them using our public GitHub repository.

Example use 1

Ailin and Bryce are a couple living in the digital age. They have a joint bank account but they each have their own credit cards and a collection of loyalty cards. They use a variety of online services such as Internet banking, Paypal, Ebay, Gumtree, Amazon and subscribe to a number of online shopping sites. Over time they have a amassed a large collection of accounts and passwords, some of which they jointly use. They also use a range of different devices, Bryce has a PC and a HTC one phone while Ailinhas a MacBook Air and an iPhone, they also use an Internet capable large screen TV.

Managing their password collection has become complex and as they are aware of the risks associated with identity theft they are unwilling to store passwords in an unencrypted form. Consunet's EveryPass offers a solution. EveryPass is a simple HTML file that can encrypt itself. Ailin and Bryce each get a copy of the EveryPass file for the private passwords and create a third copy for their joint passwords and PIN's. They choose a shared location to store the "joint" EveryPass file, perhaps Microsoft's OneDrive or DropBox so they can access it from their mobile devices. They also decide that this is a pretty good for their private EveryPass files as well. They can now access any of their passwords and PIN's from any of their devices at any time. They don't need to install any software or apps on their existing Internet enabled devices to access EveryPass and it also works when they travel without access to the Internet.

Example use 2

Ellis works in a corporate workplace that has very strict IT rules. Ellis can not install any software, access social media sites or use a private smart phone during work hours. Ellis finds it difficult to manage private passwords such as those needed for infrequent Internet banking when at work.

Ellis creates an EveryPass file containing the required passwords and emails this file to the work email address. Since EveryPass is a HTML file and only contains text it passes through the restrictive email gateway and is then verified using the Validator service. Ellis can now access the passwords at work since the workstations have a web browser installed.