MasterPassword/Resources/help.html

<!DOCTYPE HTML>
<html>
    <head>
        <style>
            body {
                color: white;
                text-align: center;
                text-shadow: 0 1px black;
                font: 16px "Baskerville";
            }
            h1, h2 {
                margin-top: 1.5em;
                padding-top: 1em;
                font-family: inherit;
                font-weight: bold;
            }
            h2 {
                font-size: inherit;
            }
            h3 {
                padding-top: 1.5em;
                font-size: 12px;
            }
            i {
                font-weight: bold;
            }
            q {
                font-style: italic;
            }
            img {
                display: inline-block;
                height: 1.4em;
                margin: -0.2em 0;
                vertical-align: middle;
            }
            a, a:link {
                color: inherit;
                font-weight: bold;
            }
            header {
                height: 8em;
                padding: 3em 0 0;
            }
            header h1, header h2 {
                margin: 0;
                padding: 0.5ex;
            }
            header h3 {
                padding-top: 2em;
            }
        </style>
        <script src="jquery-1.6.1.min.js" type="text/javascript"></script>
        <script type="text/javascript">
            function setClass(activeClass) {
                $(".Class").css("display", "none");
                if (!$(".Class." + activeClass).length)
                    return "Not found: " + activeClass;
                
                $(".Class." + activeClass).css("display", "block");
            }
        </script>
    </head>
    <body>
        <header>
            <h1>Master Password</h1>
            <h2>by <a href="http://www.lyndir.com">Lyndir</a></h2>
            <h3>&copy; 2011</h3>
        </header>

        <h2 id="1">&mdash; 1 &mdash;</h2>
        <p>
            <b>Find the site</b> that you need a password for by entering its name into the <i>search field</i>.
        </p>
        <p>
            <b>While searching</b>, the names of previously used sites will be listed.<br />
            Tap one of these results to go straight to its password.
        </p>
        
        <h2 id="2">&mdash; 2 &mdash;</h2>
        <p>
            <b>The site</b>'s password is now displayed.<br />
            Tap it to <i>copy the password</i>.  Once copied, you can switch to another application and paste it into a password field.
        </p>
        
        <p class="Class MPElementStoredEntity">
            <b>To change</b> the password for this site, tap the <i>edit icon</i> <img src="icon_edit.png" />.
        </p>

        <p>
            <b>Below the password</b> you can set the <i>password type</i>.  Some types <i>create a password for you</i>,
            others let you <i>choose your own</i>.
        </p>
        
        <p class="Class MPElementGeneratedEntity">
            <b>If the site complains</b> when you try to set or update the password, try changing the password type.
        </p>
        <p class="Class MPElementGeneratedEntity">
            <b>To create a new</b> password for this site, you can increment the <i>password counter</i> <img src="icon_plus.png" />.
            This is useful, for example, after you've had to share the password with somebody else.
        </p>

        <h2 id="faq">&mdash; F.A.Q. &mdash;</h2>

        <h3>What is this thing?<br />
            How do I use it?</h3>
        <p>
            <b>Begin by entering the name</b> of the thing you want a password for.  Naming is entirely up to you, but remember to be consistent.<br />
            <i>Good names</i> could be:<br />
            <code>apple.com</code>, <code>john@doe.com</code>, <code>office safe</code>, <code>bike lock</code>, etc.
        </p>
        <p>
            Every name has a different password, so the following names may be <i>difficult to recall</i>:<br />
            <code>pw for amazon</code>, <code>pin for my cell</code>, etc.
        </p>
        <p>
            <b>Tap the resulting password</b> to copy it for pasting in a different application or read it to type it in or use it manually elsewhere.
        </p>
        <p>
            The thought behind this application is to secure your online (and offline) life by <b>changing all of your passwords</b>
            to passwords generated by this app.
        </p>

        <h3>That's crazy talk.<br />
            Why would I do that?</h3>
        <p>
            The theory of password authentication is simple: To log in to a site, you share a secret word with the site
            that <b>only you and the site know</b>.  Since nobody else knows your secret password, nobody else can log
            into your account.
        </p>
        <p>
            It sounds good in theory.  In practice, it's an <b>absolute hell</b>.  These days, people have hundreds of
            accounts on sites all over the Internet.  Does that mean we're all remembering hundreds of secret passwords?
            No, of course not.  That would be impossible.  If you're like most people, you remember one or two
            passwords, and use those for all your sites everywhere.
        </p>
        <p>
            <q>So, what?</q>, you might say.<br />
            Here's the problem: When you share a secret password with a site, and then share the same secret password
            with another site, both sites can now use the password you gave them to log into your account on the
            <i>other</i> site.  Nothing is stopping them from trying to log into <i>your</i> GMail, Hotmail or Twitter
            accounts using the same password that you used to register an account on their site.  Even if you only give
            your password to sites you trust, all it takes is for one of those sites to get hacked and lose their
            passwords database. Those hackers now have all it takes to impersonate you.  This is, in fact, so common,
            that it's one of the main reasons people's accounts are getting hacked nowadays.
        </p>
        <p>
            Some of you already try to remember unique-ish passwords for different sites.  This causes problems too:
            with so many passwords to remember, you easily forget passwords for sites you haven't used in a while.  Or
            you make up a simplification algorithm such as tacking your birth year onto the site name.  This is really
            not any more secure than using the same password for every site.  And then there's those sites with
            <q>password policies</q>: suddenly your long password isn't good enough, because it begins with a number,
            or because (god forbid) it's <q>too long</q>.  You now find yourself forced to create a strange variant
            of your password that you'll have forgotten before the day is out.
        </p>
        <p>
            This app <b>solves the problem</b> by letting you remember only a single password without requiring you to
            share the password with anyone else.  Instead, the app creates secure passwords for use with whatever site
            or purpose you might need a password for.
        </p>
        
        <h3>I can't change all my passwords.<br />
            Some of them were assigned to me.</h3>
        <p>
            That's why this application allows you to change the password type to <code>Personal</code> or <code>Device
            Private</code>.  These types let you enter a password for a site, and the app will encrypt and save it so
            you it's there for future reference.
        </p>
        <p>
            These types of <q>stored</q> passwords don't have all the advantages that their generated counterparts have
            (they can be lost if you lose your device and don't back it up), but when you can't change a site's
            password to one generated by the app, this is as good as it gets.
        </p>

        <h3>So, what if I lose my device?<br />
            I'm locked out of everything?</h3>
        <p>
            <b>Absolutely not!</b>  In fact, generated passwords aren't even stored on your device.  No, not in the
            cloud either.  They're not stored anywhere!  What that basically means is, if you grab the iPhone of a
            colleague or friend and open this app on it with your own master password, <i>it'll give you all your
            generated passwords</i> (don't worry, it's perfectly safe).  So, if you lose your iPhone or forget it,
            just open the app on your iPad, or borrow a friend's phone, and you're back in business.  No backups or
            restores needed.
        </p>
        <p>
            This also means that, unlike all those apps that store your passwords or send them off to be stored on the
            Internet, this app makes your passwords much safer from theft.  If your device is stolen, the thieves can't
            get at your passwords.  There's also no cloud service that can be mis-managed or hacked.
        </p>

        <h3>Great, but that still means I need my phone to get my passwords.</h3>
        <p>
            Correct.  However, remember that usually you'll only need to use this app once for each site.  After you log
            into a site once using the password generated by this app, your browser will probably ask you to remember
            the password for the future.  Agree to that, and you won't need to bring up your phone again the next time
            you log in to the account.
        </p>
        <p>
            There is also a <b>Mac version</b> of Master Password available from the App Store.  It allows you to
            generate any of your passwords without even needing to take out your phone.
        </p>

        <h3>I'm paranoid.<br />
            How do I maximize my security?</h3>
        <p>
            For starters, make sure you've changed the passwords of all your sites you have accounts for to those
            generated by this app and make sure that you use this app when registering a new account somewhere, to
            determine the password to use for the account.
        </p>
        <p>
            It's also important that you've chosen a long master password.  Short master passwords, especially 4-digit
            PIN codes, are trivial to guess by attackers.  Using a <b>10-character master password</b> provides
            sufficient entropy to protect against any modern-day attempt at brute-forcing, assuming the password is not
            based on easily determined facts (names, birth dates, etc.).
        </p>
        <p>
            <b>A better idea yet</b> is to use a pass phrase, ideally <em>an absurd sentence</em>.  These are usually
            much easier to remember and much harder to guess by attackers.
        </p>
        <p>
            Using the action icon on the top right, select <code>Settings</code> to find some advanced settings for
            the application.  Here, you can disable <code>Remember my password</code>.  Doing so will force the
            application to <b>ask for your master password each time</b> you open it.  That way, when you show your
            phone to somebody else after unlocking it, they can't go through your passwords.
        </p>

        <h3>I forgot my master password.  What are my options?</h3>
        <p>
            Due to the nature of this app's algorithms and the decisions that were made to protect against brute-force
            attacks, it is simply infeasible to recover your master password.  If you really can't remember it, your
            passwords are <b>gone</b>.
        </p>
        <p>
            Where you go from here is, you log in with a new master password, and for each of your accounts, you go
            through the password recovery procedure (which will usually involve sending a message to your email account)
            and reset the passwords of these accounts to passwords generated by your newly chosen master password.<br />
            Just don't forget it again! :-)
        </p>

        <h3>So how does this thing work internally?</h3>
        <p>
            The way Master Password works internally is <i>fully disclosed</i>.  The source code for this application
            is also available from <b>GitHub</b>.  I invite anyone with a technical background to go through these
            resources to make certain of the trustworthyness of Master Password.
        </p>
        <p>
            This part will likely make sense to you only if you're well versed in computer security jargon.  If you're
            the kind of person who likes to know how the clock ticks before deciding that it can be trusted to keep
            ticking, read on.
        </p>
        <p>
            The user chooses a single master password, preferably sufficiently long to harden against brute-force
            attacks.  The application then creates a scrypt key derivative from the user's password.  This process
            takes quite a bit of processing time and memory.  It makes brute-forcing the master password
            <b>far more difficult</b>, to practically infeasible, even for otherwise vulnerable password strings.
        </p>
        <p>
            When the user requests a password be generated for a site, the application composes a byte buffer
            consisting of the site's name (<code>UTF-8</code> encoded), the key derived from the master password,
            and a password counter, delimited in that order by a NUL byte.  The bytes are hashed using the
            <code>SHA-1</code> algorithm.  The bytes resulting from this hashing operation are called the
            <code>seed</code> in the next steps.
        </p>
        <p>
            Next, we need the password type that the user has chosen to use for the site.  Password types determine the
            <q>cipher</q> that will be used to encrypt <code>seed</code> into a readable password.  For
            instance, the standard password type <q>Long Password</q> activates one of three pre-set ciphers:
            <code>CvcvCvcvnoCvcv</code>, <code>CvcvnoCvcvCvcv</code> or <code>CvcvCvcvCvcvno</code>.  Which of those
            will be used, depends on the first of the <code>seed</code> bytes.  Take the byte value modulo the amount of
            pre-set ciphers (in this case, three), and the result tells you which of the three ciphers to use.
        </p>
        <p>
            Now that we know what cipher to use for building our final password, all that's left is to iterate the
            cipher, and produce a character of password output for each step.  When you iterate the cipher, every
            character in the cipher represents a set of possible output characters.  For instance, a <code>C</code>
            character in the cipher indicates that we need to choose a capital consonant character.  An <code>o</code>
            character in the cipher indicates that we need to choose an <q>other</q> (symbol) character.  Exactly which
            character to choose in that set for the password output depends on the next byte from <code>seed</code> bytes.
            Like before, take the next unused <code>seed</code> byte's byte value modulo the amount of characters in the
            set of possible output characters for the cipher iteration and use the result to choose the output
            character.  Repeat until you've iterated the whole cipher.
        </p>
        <p>
            The result is a password whose format is dictated by the password type's ciphers and whose exact value is
            filled in by feeding the algorithm some bytes from a hash operation on the user's givens.
        </p>

        <h3>This stuff is gold.<br />
            I want one branded for our company.</h3>
        <p>
            Contact me directly for enterprise inquiries.  I can provide branded clients and enterprise distribution
            if your company is interested in deploying this solution internally.
        </p>
    
        <footer>
            <a href="http://masterpassword.lyndir.com">Homepage</a> | <a href="http://www.lyndir.com">Lyndir</a> |
            <a href="http://www.lyndir.com/contact">Contact</a>
        </footer>

    </body>
</html>