2
0
MasterPassword/Site/2013-05/faq.html

265 lines
19 KiB
HTML
Raw Permalink Normal View History

<!DOCTYPE html>
2014-11-06 12:48:02 +00:00
<html class="no-js" itemscope itemtype="://schema.org/Product">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title itemprop="name">Master Password &mdash; Secure your life, forget your passwords.</title>
<meta itemprop="description" content="Master Password is an ingenious password solution that makes your passwords truly impossible to lose." />
2014-11-06 12:48:02 +00:00
<meta itemprop="image" content="img/about.png" />
<meta name="apple-itunes-app" content="app-id=510296984" />
<meta name="viewport" content="width=device-width">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="icon" href="img/favicon.png" type="image/x-png" />
<link rel="shortcut icon" href="img/favicon.png" type="image/x-png" />
<link rel="stylesheet" href="css/bootstrap.min.css">
<link rel="stylesheet" href="css/bootstrap-responsive.min.css">
<link rel="stylesheet" href="css/main.css?7">
<script src="js/vendor/modernizr-2.6.2.min.js"></script>
<script src="js/vendor/prefixfree.min.js"></script>
</head>
2014-11-06 12:48:02 +00:00
<body itemscope itemtype="://schema.org/MobileSoftwareApplication" id="trouble">
<!--[if lt IE 7]>
<p class="chromeframe">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> or <a href="http://www.google.com/chromeframe/?redirect=true">activate Google Chrome Frame</a> to improve your experience.</p>
<![endif]-->
<nav class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="brand" href="./">●●●|</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li><a href="what.html">What is it? How do I use it?</a></li>
<li><a href="security.html">Is it safe?</a></li>
<li><a href="algorithm.html">How does it work?</a></li>
</ul>
<ul class="nav pull-right">
<li><a href="irc://irc.freenode.net/#masterpassword" onclick="_gaq.push(['_trackPageview', '/outbound/irc']);">#masterpassword</a></li>
<li class="divider-vertical"></li>
<li class="active"><a href="faq.html">FAQ</a></li>
<li><a href="support.html">Support</a></li>
<li><a href="https://github.com/Lyndir/MasterPassword/" onclick="_gaq.push(['_trackPageview', '/outbound/github']);">Source</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
</nav>
<header>
<img class="background" src="img/mp-process-angled.png" data-stellar-ratio="2.5" />
<div class="container">
<div class="content">
<h2>Security Overview</h2>
</div>
</div>
</header>
<section><div class="content">
<p>Master Password is an "unconventional" way of managing passwords. If you've got questions and need answers, read on. For a full overview of the security features in this app, see the <a href="security.html">Security page</a>. For the technical details on how Master
Password works, see the <a href="algorithm.html">Algorithm page</a>.</p>
<ol>
<li><a href="#hacking">Can Master Password get hacked?</a></li>
<li><a href="#theft">Can a thief get to my passwords if he steals my phone?</a></li>
<li><a href="#masterpassword">What should my master password be?</a></li>
<li><a href="#numbers">What is the basis for your numbers?</a></li>
</ol>
<div class="thumb clearfix">
<h1 id="hacking">Can Master Password get hacked?</h1>
<p>There are ways around everything, including Master Password's algorithm. A hacker could install a program on your computer that watches as you send your password to the website. At this point, however, no amount of password management will help you, if this is your worry, you need to use two-factor authentication methods which most sites don't support.</p>
<p>A hacker could also attempt to derive your master password from a password stolen from a site. Master Password has been designed specifically to thwart any attempts to break its security model. For more information, <a href="security.html#strength">read "Why Is Master Password Strong?"</a>.</p>
<h1 id="theft">Can a thief get to my passwords if he steals my phone?</h1>
<p>Master Password has been engineered not to store any secrets on your phone. The secret is your master password and it is only in your head. You enter it when opening the app at which point Master Password remembers it only as long as you leave the app open. Once you ask the app for a site's password, your master password is used to calculate the site's password.</p>
2014-02-11 03:45:05 +00:00
<p>To answer the question directly: not unless the app is showing at the time he steals your phone, or you configured it to save the master password and used a weak PIN on your phone.</p>
<p>There is an exception: Master Password allows you to save "custom" or "personal" passwords in the app. These passwords don't use Master Password's special algorithm and are merely encrypted using the strong master key derived from your master password. These types of passwords behave more like conventional vault-based passwords do. They are however very well protected and an attacker would still need to find a way to crack your master password (which is extremely
difficult, see below) before being able to decode the passwords in its vault.</p>
<h1 id="surrender">Can an officer force me to divulge my master password?</h1>
<p>Cryptography only provides technical security. It does not protect you from situations where you are legally required or forced by peers to surrender your key.</p>
2014-11-06 12:48:02 +00:00
<img class="block" src="https://sslimgs.xkcd.com/comics/security.png" />
<p>In fact, many countries provide their officers with a legal grounds for forcing you to divulge your encryption keys to any encrypted information they've recovered during a warranted search.</p>
<p>Again, unlike ordinary password managers, Master Password might have an edge here. If you make no use of stored passwords, Master Password doesn't actually encrypt anything with your master password. That means, when your devices are seized, these legal grounds may no longer apply. Note however that this does not constitute legal advice and that this theory has never been tested in practice.</p>
<p>For your safety, we recommend that in preparation of travelling, you change the master password for your user on the device. That way, if your device is seized by a foreign entity and they force you to divulge your master password, you'll likely be fully compliant by simply giving up the new master password even though it will cause the app to generate invalid passwords for all your sites. Later, you can always change the master password back to the real one.</p>
<h1 id="masterpassword">What should my master password be?</h1>
<p>The simple answer to that question is: First and foremost, memorable and unrelated to you. What that means is that the most important thing about your master password is that you need to be able to recall it any time and yet it should not be derived from anything personal.</p>
<p>That advice usually doesn't help very much with actually picking a good master password. <strong>The goal of a good password is that it'll take an attacker a lot of guesses before he'll find it</strong>. That is the core idea behind good passwords.</p>
2014-11-06 12:48:02 +00:00
<img class="block" src="https://sslimgs.xkcd.com/comics/password_strength.png" />
<p>There are a few strategies of getting good passwords. The speed with which an attacker can guess your password depends a lot on whether he knows what kind of password you're using or not. So we'll compare a few password strategies, their strength and how memorable they are.</p>
<p>The simplest strategy for picking good passwords is by just picking a bunch of random letters, digits and symbols and mixing them up. This is a great strategy for strong passwords but those passwords are usually not very memorable.</p>
<p>Another strategy is by "encoding" something you already know. This can seem like a good way to make memorable passwords, but recalling the "encoding" you used two years later can be tricky. This also makes it much easier for attackers that know you to find your password.</p>
<p>Master Password itself generates very random passwords that look semi-legible, for instance <code>Togu3]ToxiBuzb</code>. Such passwords have been found to be very memorable while also being very high in entropy (hard to guess).</p>
<p>A strategy that's gaining traction lately is that of combining words into a sentence. Some claim it's best for the sentence to make no grammatical sense, others dispute these claims. It's a fact, though, that if your attacker doesn't expect such a password, they're nearly impossible to defeat.</p>
<p>Let's sum these strategies up in a table, note that this type of comparison is very subjective.</p>
<table>
<caption>Time to crack a master password</caption>
<thead>
<tr>
<th colspan="4">Strategy</th>
</tr>
<tr>
<th>Example</th>
<th>Time to crack<br />(bulk/ignorant&nbsp;attack)</th>
<th>Time to crack<br />(attacker&nbsp;knows&nbsp;strategy)</th>
<th>Memorability</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="4">Random password, 4 number PIN</th>
</tr>
<tr>
<td><code>9174</code></td>
<td>50 minutes<span class="red box"></span></td>
<td>50 minutes<span class="red box"></span></td>
<td>Moderate</td>
</tr>
<tr>
<th colspan="4">Random password, 4 alphanumeric characters</th>
</tr>
<tr>
<td><code>a1qd</code></td>
<td>1.7 months<span class="red box"></span></td>
<td>1.7 months<span class="red box"></span></td>
<td>Difficult</td>
</tr>
<tr>
<th colspan="4">Random password, 6 alphanumeric characters</th>
</tr>
<tr>
<td><code>v9ea30</code></td>
<td>560 years<span class="green box"></span></td>
<td>560 years<span class="green box"></span></td>
<td>Difficult</td>
</tr>
<tr>
2014-11-06 12:48:02 +00:00
<th colspan="4">Encoding a word, <a href="https://xkcd.com/936/" onclick="_gaq.push(['_trackPageview', '/outbound/xkcd/troubador']);">Tr0ub4dor</a> style</th>
</tr>
<tr>
<td><code>Tr0ub4dor</code></td>
<td>2.6 years<span class="red box"></span></td>
<td>2.6 years<span class="red box"></span></td>
<td>Moderate</td>
</tr>
<tr>
<th colspan="4">Master Password style</th>
</tr>
<tr>
<td><code>Togu3]ToxiBuzb</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>632 million years<span class="green box"></span></td>
<td>Moderate</td>
</tr>
<tr>
2014-11-06 12:48:02 +00:00
<th colspan="4">Nonsense sentence, <a href="https://xkcd.com/936/" onclick="_gaq.push(['_trackPageview', '/outbound/xkcd/correct-horse']);">correct horse</a> style</th>
</tr>
<tr>
<td><code>correct horse battery staple</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>173 thousand years<span class="green box"></span></td>
<td>Moderate</td>
</tr>
<tr>
<th colspan="4">Real sentence, 4 words (1 verb, 1 noun)</th>
</tr>
<tr>
<td><code>I have a dream</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>8.7 months<span class="orange box"></span></td>
<td>Easy</td>
</tr>
<tr>
<th colspan="4">Real sentence, 4 words (1 adjective, 2 nouns)</th>
</tr>
<tr>
<td><code>My red beach ball</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>551 years<span class="green box"></span></td>
<td>Easy</td>
</tr>
<tr>
<th colspan="4">Real sentence, 6 words (1 adverb, 1 verb, 1 adjective, 1 nouns)</th>
</tr>
<tr>
<td><code>I once had a red ball</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>27 thousand years<span class="green box"></span></td>
<td>Easy</td>
</tr>
</tbody>
</table>
<p>The numbers on sentences assume the attacker thinks you know no more than 500 adjectives, 2000 nouns, 333 verbs and 300 adverbs. These calculations are very subjective, since language is such a complex thing to write a password cracker for. Never mind adding in punctuation, names or using other languages.</p>
<p>Pick a strategy that works best for you, but remember that <strong>far more important than maximizing the "time to crack" is making your master password memorable and impersonal</strong>.</p>
<h1 id="numbers">What is the basis for your numbers?</h1>
<p>The time-to-crack numbers throughout this website are based on the following assumptions:</p>
<ul>
2014-07-18 16:03:27 +00:00
<li>The attacker can calculate <code>1 479 million</code> SHA-256 hashes per second (<a href="http://hashcat.net/oclhashcat/" onclick="_gaq.push(['_trackPageview', '/outbound/hashcat']);">hashcat on AMD HD 6990</a>)</li>
<li>The attacker can calculate <code>3.3</code> Master Password passwords per second (2GHz MacBook Pro, scrypt N=32768, r=8, p=2, dkLen=64).</li>
</ul>
</div>
<div class="thumb clearfix">
<h1>Other Questions / Issues</h1>
<p>Don't hesitate to send us a message at <a href="mailto:masterpassword@lyndir.com">masterpassword@lyndir.com</a>. I'll get right on your case. Try to include any details you can. Good or common questions will have their answers added to this page.</p>
</div>
</div></section>
<footer><div class="muted content">
2014-10-20 18:31:21 +00:00
<p><em>Master Password is a security product and algorithm by <a href="http://www.lhunath.com" onclick="_gaq.push(['_trackPageview', '/outbound/lhunath']);">Maarten Billemont</a>, <a href="http://www.lyndir.com" onclick="_gaq.push(['_trackPageview', '/outbound/lyndir']);">Lyndir</a> (&copy; 2011-2014).</em><br>Usage implies agreement with our <a href="privacy.html">privacy policy and disclaimer</a>.</p>
<p><a href="http://gorillas.lyndir.com" onclick="_gaq.push(['_trackPageview', '/outbound/gorillas']);">Gorillas</a><a href="http://deblock.lyndir.com" onclick="_gaq.push(['_trackPageview', '/outbound/deblock']);">DeBlock</a><a href="https://github.com/Lyndir" onclick="_gaq.push(['_trackPageview', '/outbound/github']);">GitHub</a><a href="http://thanks.lhunath.com" onclick="_gaq.push(['_trackPageview', '/outbound/thanks']);">Send Thanks</a></p>
</div></footer>
<!-- Scripts -->
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="js/vendor/jquery-1.9.1.min.js"><\/script>')</script>
<script src="js/vendor/bootstrap.min.js"></script>
<script src="js/plugins.js"></script>
<script src="js/main.js"></script>
<!-- Internet Defense League -->
<script type="text/javascript">
window._idl = {};
_idl.variant = "modal";
(function() {
var idl = document.createElement('script');
idl.type = 'text/javascript';
idl.async = true;
idl.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'members.internetdefenseleague.org/include/?url=' + (_idl.url || '') + '&campaign=' + (_idl.campaign || '') + '&variant=' + (_idl.variant || 'banner');
document.getElementsByTagName('body')[0].appendChild(idl);
})();
</script>
<!-- Google Analytics -->
<script>
var _gaq=[['_setAccount','UA-90535-15'],['_trackPageview']];
(function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];
g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
s.parentNode.insertBefore(g,s)}(document,'script'));
</script>
<!-- Google +1 -->
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<!-- Tender -->
<script src="https://masterpassword.tenderapp.com/tender_widget.js" type="text/javascript"></script>
</body>
</html>