Can't find the answer to your question? Feel free to contact us at hello [you know it] chiff [dot] app.
Chiff is a new way to log in to websites. It consists of a mobile application and a browser extension that communicate with each other over an end-to-end encrypted channel.
Instead of typing in your username and password on a website, you log in by authorising a request on your phone. This sends your username and password to the browser, which fills it into the right forms.
Since you don’t need to remember your username and password anymore, you can just easily use randomly generated passwords, which are long and complex. This makes using Chiff more secure as well.
Our dependency on the Internet is steadily increasing, but so is the number of accounts that we have. While it would be quite convenient to use the same username and password for each of these accounts, this is not very secure.
If one of these websites gets hacked and their data leaks, evil hackers may obtain your password and use this to access all of your other accounts that are secured with the same password. Since we have little influence on how well these websites protect your data, the one thing we can do, is using strong passwords that are unique per website. But who can remember hundreds of different complex passwords?
We have developed Chiff, so you don’t need to think about this. By storing the passwords on your phone, you can simply login by authorizing a request with the biometric authentication mechanisms your phone has, like a fingerprint scanner of face recognition. Since you don’t need to remember the passwords anymore, you can just easily use randomly generated passwords, which are long and complex.
Chiff makes logging in easier, because you don’t need to remember a single password anymore, and more secure because you can use unique and strong passwords for each website.
After installing the Chiff browser extension, some cryptraphic keys are generated and put into a QR-code. When you scan this QR-code with the Chiff app, it uses the keys to setup a secure channel between the app and browser extension. The contents of all messages that are sent on this channel can only be decrypted by the phone and the browser extension.
When you send a message from the browser extension to the app (for a example, a login request), the server sends this to the phone as a push notification. The response is sent back by putting it on a message queue which the browser extension keeps checking for a few minutes after a request has been sent.
We call the process of connecting an app to a browser extension pairing. You can pair one app with as many browsers as you want, but a browser can only be paired with one app at the same time.
The main security advantage that Chiff offers is the change it delivers to the attack model. The target for hackers is usually the website. If a cybercriminal is able to gain access to a website, he can obtain millions of username/password combinations at the same time. These are usually hashed, which means he still does need to do some cracking to actually obtain the passwords, but if the password is easy to guess or not long enough, this usually succeeds within a few days.
With Chiff, it is much easier to use long and complex passwords, because you don’t need to remember them anymore. This implies that your password is much less likely to be cracked. And even if it does, the damage is less because you only used the password for one particular website.
Since Chiff only stores the passwords on your phone and not in the cloud, this means an attacker would have to hack your phone to gain access. Modern smartphones are not unhackable, but they are pretty secure and most known attacks require physical access to the device. This means that in order to obtain a list of millions of username/password combinations, an attacker now has to hack millions of phones he has physical access to, instead of one website remotely.
That said, we also want to be honest about security. We do not claim that Chiff is unhackable (you shouldn’t believe anyone who claims that anyway).
We do promise that Chiff has been designed and developed with security as one of its core values, and that we will continue to do so in the future.
We also promise to be transparant about our security and inform you if your data is or has been at risk.
If you are interested in the technical details of Chiff’s security, you can read Bas’ primer about the security of Chiff.
When you have Chiff installed, you must make a paper back-up by writing down 12 words. These words represent your unique and randomly generated seed.
All your passwords are derived from this seed using a deterministic algorithm. This sounds fancy, but it just means that you will always be able to generate your passwords if you have the secret (the seed), the recipe (the algorithm) and the ingredients (the websites you have an account for, the usernames and the number of times you’ve changed your password. These are encrypted and stored on Chiff’s server, so you don’t need to remember ‘the ingedrients’).
If you enter the seed (the 12 words of the paper backup) on a new phone, Chiff will restore all your passwords automatically.
Unlike most password managers, you don’t have a master password that encrypts all your passwords. And unlike other password managers Chiff does not store your sensitive data in the cloud. Chiff offers you a secure and user-friendly solution to login on every website.
Your passwords are securely stored on your mobile phone only. You are the owner of your own passwords.
In order for the back-up to work correctly, Chiff stores the following information:
- Websites users have an account for
- Times a password has been changed
Yes, of course. You can always open the Chiff app and copy the password and then paste it on the website.
On iOS 12.0 and later, you can set Chiff as a password provider. This allows iOS to retrieve passwords from Chiff after authorizing it.
Yes, you can use both TOTP-code and HOTP-codes with Chiff. For now you have to type them over like most other 2FA-apps, but in the future we will add the functionality to fill them automatically.
Chiff’s browser extension is available for the four major browsers: Google Chrome, Mozilla Firefox, Microsoft Edge and Safari.
There are three ways to add a new account to Chiff:
- You can add a new account to Chiff by logging in on a website as you’d normally do on your computer. If you have the Chiff browser extension installed, it will ask you if you want to add your account to Chiff.
Just authorize the request to add the site on your phone with your fingerprint and you’re good to go!
- You can add a new account manually from the browser extension menu or in the app.
- In the browser extension’s menu, you can get an overview of all your accounts. In this accountoverview you can import multiple accounts at once using a CSV-file.
Yes, you can view your credentials for every account in the Chiff app on your smartphone. In the browser extension’s menu you can also go to an account overview page, where you can retrieve every password individually from the Chiff app.
If you save your login data in Google Chrome, it may cause a conflict when you use Chiff, when both try to fill in your credentials. Therefore, we recommend that you disable the password auto-fill option in Google Chrome.
- Click the Chrome menu in the toolbar
- Select ‘Settings’
- Under Auto-fill, click ‘Passwords’
- Turn off ‘Auto Sign-in’
On this setting page, you can also delete already saved passwords.
Normally, the security model of iOS or Android does not allow apps to read data of one another. When a phone is jailbroken or rooted, this security measure is removed. Additionally, the device becomes more vulnerable to malware infections.
Since all your passwords are stored on your device with Chiff, the security of the OS is of vital importance to the security of your passwords. Use Chiff on a jailbroken or rooted device at your own risk!
Here’s a step-by-step guide on how you can import accounts using a CSV-file. We assume that you already have paired by scanning the QR-code in the extension with the Chiff app on your phone.
- Make sure you have a CSV-file with all your accounts. You can either create this yourself, or acquire it by exporting your accounts from your current password manager.
- Click the extension icon in top right of your browser. In the menu that appears, click ‘All accounts’.
- On the web page, click the ‘Import’ tab on the left. Upload the CSV-file containing the details of your accounts. It’ll show you something like this:
- Align each column by dragging them accordingly. If you have headers in your CSV-file you may want to ignore the first line.
- When all credentials are in the right column, click ‘Import’ in the right bottom. You’ll receive a push notification on your phone to add the accounts. When you authorize the push notification, the accounts are added.
There are several ways to report a bug:
- You can send us an email at: bugs email
- In the app we’ve included a feedback form. You can find it in the Settings-tab -> About Chiff -> Feedback.
- If you encounter problems with one account in particular, you can report it directly in the app as well. Go to the specific account and choose ‘Edit’. At the bottom of the account’s details, click ‘Report’ and you can explain what didn’t work.