monkkee got a security update
Everything you write in your monkkee online journal is encrypted on your own device before it is sent to the monkkee server. This ensures that no one but you can ever read your entries. We’ve now enhanced this security mechanism and updated it to reflect the latest state of the art. In this article, we’ll explain what has changed and why this update makes your data even more secure.
Preparing for the worst case
The purpose of encryption is to protect your data if other security measures fail – for example, if hackers were to gain access to the monkkee server. Of course, we take every possible measure to ensure this never happens. But encryption is like a second safety net – comparable to hospitals installing backup generators to prepare for power outages, but without neglecting the reliability of the regular power supply. Thus, the monkkee security update is like installing a powerful new backup generator. Its true value becomes clear if the regular power supply ever fails – or in our case, if someone gains unauthorised access to your encrypted data.
If that happens, the attacker still can’t read your encrypted data. What they can do, however, is try to decrypt it. For that, they need your password. One possible strategy is simple trial and error: They might first try to unlock your data with the password “aaaaaaaa.” That’s unlikely to work – unless, by chance, your password really is “aaaaaaaa.” So they try “aaaaaaab,” then “aaaaaaac,” and so on. Using a computer program, this process can be automated, allowing millions of password attempts in a very short time.
How we protect you against this
There are two ways to reduce the chances of an attacker succeeding with such a strategy. First, you should choose a long and complex password. We help you with this by showing you during registration whether the password you’ve chosen is strong enough. Second, guessing a password should be made costly in terms of computing power so that the attacker can only make a few attempts per hour. For example, if a decryption attempt takes one millisecond, an attacker can try 3.6 million passwords in an hour. If it takes one second, they can only try 3,600 passwords per hour.
The problem is this: It would be highly impractical if decrypting each journal entry took a full second. You’d have to wait just as long yourself. Imagine logging into monkkee and wanting to view your last 30 entries – it would take half a minute before they appeared!
Fortunately, there’s a simple solution. Your data isn’t encrypted directly with your password. Instead, a key is first derived from your password. This key is then used to encrypt and decrypt all your data. The important part: Deriving the key from the password takes time, but encrypting and decrypting the data with the key is fast. So the time-consuming process of key derivation only happens once, right after you log in. From that point on, encrypting and decrypting your entries with the key is lightning fast. The attacker, by contrast, has to derive a new key every time they try a different password. It’s the best of both worlds: The attacker is hindered, while monkkee stays smooth and responsive for you.
What we have improved
Computer performance keeps advancing. What might have taken a full second a few years ago can now often be done in milliseconds. In recent years, the use of GPUs (graphics cards) for complex calculations has led to a massive increase in computing power. That’s why it’s important to keep pace with technological developments. Every so often, the process of deriving the key has to be updated so that it still takes long enough on the latest computers to provide effective protection. That is a key part of the current security update: We have deliberately slowed down the key derivation process.
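The cost argument from the sections above (time per attempt, one slow derivation per guess, and periodically raising that cost) as an added example that is not monkkee's code. It assumes PBKDF2-HMAC-SHA256 as the slow derivation function and uses constructed iteration counts; the article names neither.

```python
import hashlib
import os
import time

# Assumptions, not taken from the article: PBKDF2-HMAC-SHA256 stands in for
# the unnamed derivation function, and both iteration counts are constructed.
OLD_ITERATIONS = 10_000
NEW_ITERATIONS = 600_000


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow step: once per login for the user, once per guess for an attacker."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def seconds_per_derivation(iterations: int, runs: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        derive_key("benchmark-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def guesses_per_hour(seconds_per_guess: float) -> int:
    """Upper bound on sequential password attempts in one hour."""
    return round(3600 / seconds_per_guess)


def calibrate_iterations(target_seconds: float, probe: int = 50_000) -> int:
    """Scale the count so one derivation takes about target_seconds here.

    PBKDF2 cost is linear in the iteration count, so one probe is enough.
    Never returns less than the probe count.
    """
    measured = seconds_per_derivation(probe)
    return max(probe, int(probe * target_seconds / measured))


if __name__ == "__main__":
    for label, count in (("old", OLD_ITERATIONS), ("new", NEW_ITERATIONS)):
        cost = seconds_per_derivation(count)
        print(f"{label}: {count} iterations, {cost * 1000:.1f} ms per guess, "
              f"about {guesses_per_hour(cost)} guesses/hour on one core")
    print("iterations for ~1 s on this machine:", calibrate_iterations(1.0))
```

The printed rates are for a single CPU core on the machine running the script. Re-running the calibration on newer hardware yields a higher count for the same target time, which is the periodic adjustment the article describes.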
What you need to do
You only need to run the security update once. After logging in, a dialog will appear with a button.

Make sure you’re on a stable internet connection and using a device with sufficient performance. Click the button and wait until all your data has been decrypted and re-encrypted. Once the process is complete, your account data will be up to date with the latest technical standard.
We’ll keep working on it
Data security is not a state you reach once and then forget about. At monkkee, your data stays safe because we constantly expand our knowledge and keep track of new developments. That’s why there will almost certainly be further security updates in the future. With monkkee, your thoughts are always well protected – leaving you free to focus on what really matters: your writing.