MasterPassword/Resources/help.html

<!DOCTYPE HTML>
<html>
    <head>
        <style>
            body {
                color: white;
                text-align: center;
                text-shadow: 0 1px black;
                font: 16px "Baskerville";
            }
            h1, h2 {
                margin-top: 1.5em;
                padding-top: 1em;
                font-family: inherit;
                font-weight: bold;
            }
            h2 {
                font-size: inherit;
            }
            h3 {
                padding-top: 1.5em;
                font-size: 12px;
            }
            i {
                font-weight: bold;
            }
            q {
                font-style: italic;
            }
            img {
                display: inline-block;
                height: 1.4em;
                margin: -0.2em 0;
                vertical-align: middle;
            }
            a, a:link {
                color: inherit;
                font-weight: bold;
            }
            header {
                height: 8em;
                padding: 3em 0 0;
            }
            header h1, header h2 {
                margin: 0;
                padding: 0.5ex;
            }
            header h3 {
                padding-top: 2em;
            }
        </style>
        <script src="jquery-1.6.1.min.js" type="text/javascript"></script>
        <script type="text/javascript">
            function setClass(activeClass) {
                $(".Class").css("display", "none");
                if (!$(".Class." + activeClass).length)
                    return "Not found: " + activeClass;
                
                $(".Class." + activeClass).css("display", "block");
            }
        </script>
    </head>
    <body>
        <header>
            <h1>Master Password</h1>
            <h2>by <a href="http://www.lyndir.com">Lyndir</a></h2>
            <h3>&copy; 2011</h3>
        </header>

        <h2 id="1">&mdash; 1 &mdash;</h2>
        <p>
            <b>Find the site</b> that you need a password for by entering its name into the <i>search field</i>.
        </p>
        <p>
            <b>While searching</b>, the names of previously used sites will be listed.<br />
            Tap one of these results to go straight to its password.
        </p>
        
        <h2 id="2">&mdash; 2 &mdash;</h2>
        <p>
            <b>The site</b>'s password is now displayed.<br />
            Tap it to <i>copy the password</i>.  Once copied, you can switch to another application and paste it into a password field.
        </p>
        
        <p class="Class MPElementStoredEntity">
            <b>To change</b> the password for this site, tap the <i>edit icon</i> <img src="icon_edit.png" />.
        </p>

        <p>
            <b>Below the password</b> you can set the <i>password type</i>.  Some types <i>create a password for you</i>,
            others let you <i>choose your own</i>.
        </p>
        
        <p class="Class MPElementGeneratedEntity">
            <b>If the site complains</b> when you try to set or update the password, try changing the password type.
        </p>
        <p class="Class MPElementGeneratedEntity">
            <b>To create a new</b> password for this site, you can increment the <i>password counter</i> <img src="icon_plus.png" />.
            This is useful, for example, after you've had to share the password with somebody else.
        </p>

        <h2 id="faq">&mdash; F.A.Q. &mdash;</h2>

        <ol>
            <li><a href="#what"     >What is it and how do I use it?</a></li>
            <li><a href="#why"      >Why do I need Master Password?</a></li>
            <li><a href="#custom"   >A password was given to me.</a></li>
            <li><a href="#loss"     >What if I loose my device?</a></li>
            <li><a href="#device"   >Am I dependant on my device?</a></li>
            <li><a href="#paranoid" >How do I maximize my security?</a></li>
            <li><a href="#hacked"   >A website I use got hacked!</a></li>
            <li><a href="#forgot"   >I forgot my master password!</a></li>
            <li><a href="#algorithm">How does Master Password work?</a></li>
            <li><a href="#branded"  >Do you offer enterprise solutions?</a></li>
        </ol>

        <h3 id="what">What is Master Password and how do I use it?</h3>
        <p>
            Master Password <b>creates secure and unique passwords for you</b>, so you don't have to.<br />
            The human brain is not well suited for creating secure and random passwords, and it's also terrible at remembering lots of unique passwords.
            Master Password does the work for you: all you need to do is remember a single long and secure master password to log into the app.
        </p>
        <p>
            <b>Begin by entering the name</b> of the thing you want a password for.  Naming is entirely up to you, but remember to be consistent.<br />
            <i>Good names</i> could be:<br />
            <code>apple.com</code>, <code>john@doe.com</code>, <code>office safe</code>, <code>bike lock</code>, etc.
        </p>
        <p>
            Every name has a different password, so the following names may be <i>difficult to recall</i>:<br />
            <code>pw for amazon</code>, <code>pin for my cell</code>, etc.
        </p>
        <p>
            <b>Tap the resulting password</b> to copy it for pasting in a different application or read it to type it in or use it manually elsewhere.
        </p>
        <p id="why">
            The thought behind this application is to secure your online (and offline) life by <b>changing all of your passwords</b>
            to passwords generated by this app.
        </p>

        <h3>That's crazy talk.<br />
            Why would I do that?</h3>
        <p>
            The theory of password authentication is simple: To log in to a site, you share a secret word with the site
            that <b>only you and the site know</b>.  Since nobody else knows your secret password, nobody else can log
            into your account.
        </p>
        <p>
            It sounds good in theory.  In practice, it's an <b>absolute hell</b>.  These days, people have hundreds of
            accounts on sites all over the Internet.  Does that mean we're all remembering hundreds of secret passwords?
            No, of course not.  That would be impossible.  If you're like most people, you remember one or two
            passwords, and use those for all your sites everywhere.
        </p>
        <p>
            <q>So, what?</q>, you might say.<br />
            Here's the problem: When you share a secret password with a site, and then share the same secret password
            with another site, both sites can now use the password you gave them to log into your account on the
            <i>other</i> site.  Nothing is stopping them from trying to log into <i>your</i> GMail, Hotmail or Twitter
            accounts using the same password that you used to register an account on their site.  Even if you only give
            your password to sites you trust, all it takes is for one of those sites to get hacked and lose their
            passwords database. Those hackers now have all it takes to impersonate you.
        </p>
        <p>
            Some of you already try to remember unique-ish passwords for different sites.  This causes problems too:
            with so many passwords to remember, you easily forget passwords for sites you haven't used in a while.  Or
            you make up a simplification algorithm such as tacking your birth year onto the site name.  This is really
            not any more secure than using the same password for every site.  And then there's those sites with
            <q>password policies</q>: suddenly your long password isn't good enough, because it begins with a number,
            or because (god forbid) it's <q>too long</q>.  You now find yourself forced to create a strange variant
            of your password that you'll have forgotten before the day is out.
        </p>
        <p>
            This app <b>solves the problem</b> by letting you remember only a single password without requiring you to
            share the password with anyone else.  Instead, the app creates secure passwords for use with whatever site
            or purpose you might need a password for.
        </p>
        
        <h3 id="custom">I can't change all my passwords.<br />
            Some of them were assigned to me.</h3>
        <p>
            That's why this application allows you to change the password type to <code>Personal</code> or <code>Device
            Private</code>.  These types let you enter a password for a site, and the app will encrypt and save it so
            you it's there for future reference.
        </p>
        <p>
            These types of <q>stored</q> passwords don't have all the advantages that their generated counterparts have
            (they can be lost if you lose your device and don't back it up), but when you can't change a site's
            password to one generated by the app, this is as good as it gets.
        </p>

        <h3 id="loss">So, what if I lose my device?<br />
            I'm locked out of everything?</h3>
        <p>
            <b>Absolutely not!</b>  In fact, generated passwords aren't even stored on your device.  No, not in the
            cloud either.  They're not stored anywhere!  What that basically means is, if you grab the iPhone of a
            colleague or friend and open this app on it, re-create your user and log in, <i>it'll give you all your
                generated passwords</i>.  So, if you lose your iPhone or forget it, just open the app on your iPad,
            or borrow a friend's device, and you're back in business.  No backups or restores needed.
        </p>
        <p>
            This also means that, unlike all those apps that store your passwords or send them off to be stored on the
            Internet, this app makes your passwords much safer from theft.  If your device is stolen, the thieves can't
            get at your passwords.  There's also no cloud service that can be mis-managed or hacked.
        </p>

        <h3 id="device">Great, but that still means I need my device to get my passwords.</h3>
        <p>
            Correct.  However, remember that usually you'll only need to use this app once for each site.  After you log
            into a site once using the password generated by this app, your browser will probably ask you to remember
            the password for the future.  Agree to that, and you won't need to bring up your device again the next time
            you log in to the account.
        </p>
        <p>
            There is also a <b>Mac version</b> of Master Password that will be released on the Mac App Store.
            It allows you to generate any of your passwords without the need to bring out your device.
        </p>

        <h3 id="paranoid">I'm paranoid.<br />
            How do I maximize my security?</h3>
        <p>
            The <b>most important</b> aspect to the security of your passwords is your <b>master password</b>.  Make sure
            you've chosen a <em>long and unique master password</em>.  Master Password's algorithm makes it exceedingly
            difficult for an attacker to try and guess your master password, but that doesn't make you invulnerable when
            your master password is short or easy to guess.  Ideally, your master password should be <em>longer than 10 characters</em>.
            <b>An absurd sentence is a great idea</b>, especially if you add non-english or gibberish words to it.
            Absurd sentences are long and high in entropy, but also particularly easy for the human brain to remember.
        </p>
        <p>
            Armed with a good master password, your next step is to assign generated passwords to all of your sites.
            By default, Master Password creates passwords that are secure and still easy to copy from your device to a
            computer by keyboard.  If you prefer, you can go into Master Password's preferences (using the top-right icon)
            and change the default password type to <code>Maximum Security</code>.  Any new sites will now generate
            passwords that are even higher in entropy.  These types of passwords are nigh impossible for an attacker to
            brute-force (though a <code>Long Password</code> really is secure enough for most any purpose, see
            <a href="#hacked">What if a site I use gets hacked?</a>).
        </p>
        <p>
            Also check out the application's preferences (using the action icon on the top right, select <code>Preferences</code>).
            Make sure that <code>Save Password</code> is disabled.  Saving your password is a convenience feature that lets your
            device save your master password so you don't need to enter it anymore.  It also means that if somebody finds your device
            somewhere or steals it, the only obstacle between them and your passwords are your device's PIN code (assuming you even
            have one set).<br />
            If you go into <code>Settings</code> from the <code>Preferences</code> page, you'll see some global application settings.
            Make sure that <code>Stay logged in</code> is disabled here.  If enabled, Master Password will not log you out when you
            close the app.  Your master password isn't saved on your device, but kept in memory for as long as your device remains
            powered on. Again, a malignent person can easily get to your passwords if they find your device powered on and logged
            into Master Password.
        </p>

        <h3 id="hacked">What if a site I use gets hacked?</h3>
        <p>
            There have been some high-profile password database leaks lately.  LinkedIn, eHarmony, Last.fm, to name a few,
            have lost millions of people's password hashes.  In these cases, attackers have obtained a <q>hash</q> of
            the passwords of all of these people, which makes it much easier for them to guess their real password.
            A single sophisticated computer can be used to try about 200 million password combinations per second in an
            attempt to find the real password behind a hash.  That means these millions of people should be really worried
            about their account's security.<br />
            However, if your account is protected by a <code>Long Password</code> generated by Master Password, it would
            take an attacker with ten sophisticated machines multiple lifetimes to find your actual password from a hash.
            If the attacker knew beforehand that you had used Master Password to generate your password, he could make
            his approach smarter and ten sophisticated machines would still take more than a year of constantly trying
            millions of password combinations to find out your actual password.<br />
            If instead you used a <code>Maximum Security</code> password to protect your account, the time it would take
            for an attacker to brute-force your password goes completely off the scale: 10,000 sophisticated machines
            would take up to 312409704477000000 years to try and find your password, even if the attacker knew you're
            using Master Password.
        </p>
        <p>
            If you're worried anyway or you need a new password for your site for some other reason, tap the password
            counter button (the plus icon) to instantly create a new password for that site.
        </p>
        <p>
            Long story short: When a website you use gets hacked and your password hashes are revealed to hackers, this
            is a big problem for the security of your account, but only if you're <b>not</b> using Master Password.
        </p>


        <h3 id="forgot">I forgot my master password.  What are my options?</h3>
        <p>
            Due to the nature of this app's algorithms and the decisions that were made to protect against brute-force
            attacks, it is simply infeasible to recover your master password.  If you really can't remember it, your
            passwords are <b>gone</b>.
        </p>
        <p>
            Where you go from here is: on the unlock screen, tap and hold your user.  A dialog will pop-up that will allow
            you to reset your master password.  Assign a new master password, log in, and for each of your accounts, go
            through the password recovery procedure (which will usually involve the site sending a mail to your email account)
            and reset the passwords of these accounts to passwords generated by your newly chosen master password.<br />
            Now don't forget it again! :-)
        </p>

        <h3 id="algorithm">So how does this thing work internally?</h3>
        <p>
            The way Master Password works internally is <a href="http://masterpassword.lyndir.com/algorithm.html">fully disclosed</a>.
            The source code for this application is also available from <a href="https://github.com/Lyndir/MasterPassword">GitHub</a>.
            I invite anyone with a technical background to go through these resources to make certain of the trustworthiness of Master Password.
        </p>

        <h3 id="branded">This stuff is gold.<br />
            I want one branded for our company.</h3>
        <p>
            <a href="mailto:masterpassword@lyndir.com">Contact me</a> directly for enterprise inquiries.
            I can provide branded clients and enterprise distribution if your company is interested in deploying this solution internally.
        </p>
        <p>
            Master Password can also be used as a One-Time Password token generator to secure your infrastructure and client access.
        </p>
    
        <footer>
            <a href="http://masterpassword.lyndir.com">Homepage</a> | <a href="http://www.lyndir.com">Lyndir</a> |
            <a href="http://www.lyndir.com/contact">Contact</a>
        </footer>

    </body>
</html>