How is SecurePasteBin different from other paste bins?

SecurePasteBin's uniqueness is that only you, the end user, know and control the key that can unlock your data. There are a number of paste bin sites that claim "secure" encryption. They too offer to protect the data with a password and often provide flashy animation to help visualize the strength of the password and the perceived protection your data receives. They go to great lengths to describe how they randomize the identifier assigned to each post, or do not show the list of posts at all to prevent snooping. The fatal flaw of all these sites is that they fail to warn you that while your data might be protected from random Internet visitors, it is not protected from the site owners, their hosting company, partners, or a nosy system administrator: in order to encrypt or obfuscate your data, they make you send your password to the server along with the data, and once they know your password, what guarantee do you have (or would accept) that they aren't looking at your data? You probably didn't even think about it, but most security attacks are perpetrated by insiders!

With SecurePasteBin, any data you paste into it is encrypted in your browser before it is sent to the server. Your password is not sent to the server and is not known to anyone else. Any information you send to SecurePasteBin cannot be decrypted and read by anyone else, including the owners of this site. To allow someone to decrypt the information, you need to share the password with that person in some other way: over the phone, via email, or via an instant messenger.

Is my password sent to the server?

Your password is NEVER sent to the server. If you are a developer, we welcome you to examine the JavaScript code behind the SecurePasteBin pages to see that for yourself. As owners of this site, if we wanted to know the contents of your post, we would need to mount a brute-force attack on your ciphertext, much as everyone else would. And if you chose a strong password, you can rest assured it would be years before the plaintext is recovered.

What if I forget the password to a post?

You are out of luck! And this is a good thing, really. We have absolutely no idea what your password was because the password never leaves your browser!

Write it down and stick it to your monitor next time ;-)

How strong should my passwords be?

It depends. If you are hiding secrets from your 12-year-old sister or brother, then even a word from a dictionary or some 3-letter password might be insurmountable. (Never underestimate kids these days!) If you are hiding something from a more serious adversary, then your password needs to be strong enough that an attack on the ciphertext takes longer than the protected data stays useful. For example, if you are sharing information about a new product that your company is about to introduce on the market in one month, then you want to ensure that an attack on your protected data would take at least a month or more. Take into account what resources (financial and computing) your adversary would be willing to spend to learn your secrets. In the future, we will be providing estimates of the resources required to break a ciphertext given the password's complexity.

How strong is the data encryption?

Your data is encrypted using commercial-grade strong cryptography. If your password is longer than 8 characters, the data is encrypted using 3DES (Triple DES) with 3 keys derived from the password. (Neither the password nor the keys are ever sent to the server!) For shorter passwords, we use DES, which is much less secure. We are looking into offering AES-based encryption soon.

For support, please write to: support@codekinetics.com.

Get your own virtual post box with auto-filtering! Use a custom URL like this: http://my.securepastebin.com and replace "my" with your own label.

News
December 26, 2007: Version 0.1 released!
January 10, 2009: Version 0.2 brings usability and security enhancements.