Welcome, dear visitor! I'm glad to introduce you to something quite useful here (at least I hope so). I'm pretty sure you know how important it is to use strong unique passwords for web accounts and to keep them secure. There are a lot of great tools, which, by managing passwords in different ways, make your life much easier. Nevertheless, for this purpose I used to rely only upon my own brains - unfortunately, such strategy just can't be considered safe anymore. So, all those people and me as well, who were trying to keep their passwords in mind, had to face the bad news: if you think your passwords are still reliable, you're most likely to be wrong. Nowadays there seems to be no better way than to change your passwords to real strong ones, which are, obviously, very hard to remember. However, this simple tool can help you with it.

In the beginning, “Cockatoo” was planned to be just a tiny gift for myself and for my friends only. As soon as an extension for Google Chrome was made, it quickly turned out, that it lacked a lot of useful things: support for graphic patterns, a Mozilla Firefox add-on (to make it available on mobile devices) and an online version. So, while development was getting more and more serious, at some point I decided it could have been interesting to somebody else as well.

First of all: about cryptography. It was obvious to me from the very start, that the only way to make a reliable tool of this kind was to implement some industry-accepted key derivation function. Here I should thank two people, as the project is based solely on the password-based KDF "scrypt", which was created by Colin Percival and, subsequently, coded on JavaScript by Tony Garnock-Jones (licensed under 2-clause BSD license).

Another thing, people may worry about, is how secure such JS tools can be. Concerning this particular tool, one shouldn’t forget the crucial fact: it doesn’t send anything anywhere. Furthermore, working in a browser environment installed add-ons are protected from malicious web content much better than the target webpage itself. Every system is as weak as its weakest point, so, the use of this tool, obviously, involves no extra danger for content, and, thus, for passwords. Things might become more complex when using an online version. By default, every browser treats all external HTTPS-links as having an equal security level; so, it processes them in the same manner. However, there is a usual danger of phishing attack, so, I wouldn’t recommend using this version on a daily basis – it’s better to install an add-on/extension anyway.

Concerning master-password requirements, there is only one thing you should be aware of: at least 18 characters for simple master-passwords are required (at least 12 for complex ones). Salt is recommended to use – just put something not secret but memorable there. For result passwords two inline modifiers ("site" field) are available:

   "#"-prefix restricts the result password to alphanumeric-only;

   "$"-suffix shortens its length down to 10 characters (default is 16).

If needed, you can attach these modifiers to the site name in this way: #google.com, facebook.com$, #twitter.com$. In order to comply with widely used complexity rules, the result password can be slightly longer sometimes – don't worry about it.

The graphical input method implies using one or more confidential gestures, drawn on a grid. Everything is quite easy here, although, in order to see the whole process and to understand it more clearly, for the very first time I’d suggest turning on the full mode (it makes visible both: the grid and the password field). While you’re drawing your secret gesture, Cockatoo encodes it in an alphabetic form, appending it to the sequence of just encoded gestures (if any). The number of gestures is not restricted. The only rule here is simple: the total number of all segments shouldn’t be smaller than 18, which is equal to the minimum length for master-passwords. Anyway, there are three suggestions:

– Every time you start your drawing, you can choose any starting lattice point you like – it has no effect on the result, so it just doesn’t matter at all;

– You can interrupt your drawing anywhere. Then, if you continue the interrupted drawing (also, from any grid coordinate you like), parts will be joined and understood correctly;

– Please, don’t use trivial or just good-looking gestures, e.g. “hearts” or something like that. I know, they might look gorgeous, but will be almost 100% insecure. Check “Gestures” in the online version – it can give good examples of reliable gestures (please, don’t use them as yours!). By the way, here you can find a small article, which contains several useful tips.

About add-on compatibility: the range of supported browsers is defined mostly by their own (browsers') support for such add-ons. Thus, this range can become wider in the future, of'course. So far Cockatoo is available as add-ons for Opera (desktop), Google Chrome (desktop), Mozilla Firefox (both desktop & mobile).

So, that's all for now. By the way, check the options ("Settings") – there are at least several of them, which can help you adjust Cockatoo to your particular needs and make your experience more pleasant. Enjoy!

Attention! Modern web techniques are present - may require an updated browser!