2
0

Fix a few spelling mistakes.

This commit is contained in:
Maarten Billemont 2014-10-12 12:03:57 -04:00
parent 556d1d3d58
commit a3ebcf0608
3 changed files with 13 additions and 10 deletions

View File

@ -508,4 +508,7 @@ table .box.green {
header h2 { header h2 {
font-size: 2em; font-size: 2em;
} }
header .moviecontrol {
top: 1em;
}
} }

View File

@ -296,7 +296,7 @@
<h3 id="masterkey" class="inline">The Master Key</h3> <h3 id="masterkey" class="inline">The Master Key</h3>
<p>The first part of the process it to obtain a very strong "token" of your personal identity. We call this token your <em>master key</em>, because it is very much like the one and only <strong>main key that opens all your doors</strong>. It is a personal key, it represents your identity.</p> <p>The first part of the process it to obtain a very strong "token" of your personal identity. We call this token your <em>master key</em>, because it is very much like the one and only <strong>main key that opens all your doors</strong>. It is a personal key, it represents your identity.</p>
<p>The master key is derived from your name and your master password, and thrown away as soon as it's no longer needed to minimize the risk of loss.</p> <p>The master key is derived from your name and your master password, and thrown away as soon as it's no longer needed to minimize the risk of loss.</p>
<p>Since it's vital that nobody else can gain access to your master key, it's important that the process of deriving the key is unsurmountably difficult. An attacker could try a brute-force attack against your master key or password by convincing you to make an account on his website, and then guessing at your master password or your master key until he finds one that gives him your password for his fake site.</p> <p>Since it's vital that nobody else can gain access to your master key, it's important that the process of deriving the key is insurmountably difficult. An attacker could try a brute-force attack against your master key or password by convincing you to make an account on his website, and then guessing at your master password or your master key until he finds one that gives him your password for his fake site.</p>
<p>These are two different types of brute-force attacks and we need to make sure to defeat both of them.</p> <p>These are two different types of brute-force attacks and we need to make sure to defeat both of them.</p>
<p>To defeat a brute-force attack against your master key, we make sure the master key is sufficiently high in entropy. Since the master key is a 256-bit key, an attacker would now have to make up to <code>2<sup>256</sup></code> guesses, or try <code>115792089237316195423570985008687907853269984665640564039457584007913129639936</code> master keys before finding the right one. Even at an ambitious rate of 2 billion tries per second, it would take several times the age of the universe to try all of them. <p>To defeat a brute-force attack against your master key, we make sure the master key is sufficiently high in entropy. Since the master key is a 256-bit key, an attacker would now have to make up to <code>2<sup>256</sup></code> guesses, or try <code>115792089237316195423570985008687907853269984665640564039457584007913129639936</code> master keys before finding the right one. Even at an ambitious rate of 2 billion tries per second, it would take several times the age of the universe to try all of them.
<p>A brute-force attack against your master password is more feasible, since your master password will be tiny compared to such a huge master key.</p> <p>A brute-force attack against your master password is more feasible, since your master password will be tiny compared to such a huge master key.</p>
@ -348,9 +348,9 @@
<div class="hlvl"> <div class="hlvl">
<p><h2 class="inline">Custom passwords</h2> <p><h2 class="inline">Custom passwords</h2>
are sometimes still a necessity. You may want to store a password you've been using for a long time in your manager, or your boss may have set an unchangable password on your computer for you to use. Since Master Password's passwords are a mathematical result of your unchanging master password, it is impossible for it to be used with passwords that are created via another way.</p> are sometimes still a necessity. You may want to store a password you've been using for a long time in your manager, or your boss may have set an unchangeable password on your computer for you to use. Since Master Password's passwords are a mathematical result of your unchanging master password, it is impossible for it to be used with passwords that are created via another way.</p>
<p>The Master Password application however <em>functions as a hybrid password manager, implementing both the Master Password algorithm and a vault-like password solution</em>. In the second mode, Master Password uses your master key to encrypt custom passwords and store the encrypted result in a vault. Since we use the master key for this process, the result is a vault that is much harder to break into than that used by many other vault-based password solutions (specifically <p>The Master Password application however <em>functions as a hybrid password manager, implementing both the Master Password algorithm and a vault-like password solution</em>. In the second mode, Master Password uses your master key to encrypt custom passwords and store the encrypted result in a vault. Since we use the master key for this process, the result is a vault that is much harder to break into than that used by many other vault-based password solutions (specifically
because the encryption key is a large key derived from your master pasword using scrypt key derivation). As a result, <strong>this trade-off has been mitigated</strong>.</p> because the encryption key is a large key derived from your master password using scrypt key derivation). As a result, <strong>this trade-off has been mitigated</strong>.</p>
</div> </div>
<div class="hlvl"> <div class="hlvl">
@ -367,7 +367,7 @@
the "something you know", they'll still need to obtain the "something you have" before they can break in. The most popular example of a two-factor solution is a bank card: Your PIN number is the secret you know, but with the PIN alone a thief can't get to your money. They'll need to first steal your card as well.</p> the "something you know", they'll still need to obtain the "something you have" before they can break in. The most popular example of a two-factor solution is a bank card: Your PIN number is the secret you know, but with the PIN alone a thief can't get to your money. They'll need to first steal your card as well.</p>
<p>A vault-based password manager is often considered two-factor, since it relies on your vault password as well as access to your vault file. <em>Most security experts disagree, however</em>. To be truly multi-factor, the security factors should come from separate categories:</p> <p>A vault-based password manager is often considered two-factor, since it relies on your vault password as well as access to your vault file. <em>Most security experts disagree, however</em>. To be truly multi-factor, the security factors should come from separate categories:</p>
<ul> <ul>
<li><strong>Knowledge factors</strong>: passwords, keyfiles, other secret data or information</li> <li><strong>Knowledge factors</strong>: passwords, key files, other secret data or information</li>
<li><strong>Possession factors</strong>: physical tokens, smart cards</li> <li><strong>Possession factors</strong>: physical tokens, smart cards</li>
<li><strong>Inherence factors</strong>: biometrics</li> <li><strong>Inherence factors</strong>: biometrics</li>
</ul> </ul>

View File

@ -112,14 +112,14 @@
<p>More complicated than what, exactly? Using <code>robert17</code> for all your sites? Well, yes. That's also rather the point.</p> <p>More complicated than what, exactly? Using <code>robert17</code> for all your sites? Well, yes. That's also rather the point.</p>
<p>The point is to eliminate the many sources of insecurities related to password authentication, and yet keeping the process surprizingly trivial. What you get in exchange for these two extra first-time only steps is very robust, unique passwords which are not hackable even from a site's leaked password hashes, in addition to the freedom to forget all about passwords. Entirely.</p> <p>The point is to eliminate the many sources of insecurities related to password authentication, and yet keeping the process surprizingly trivial. What you get in exchange for these two extra first-time only steps is very robust, unique passwords which are not hackable even from a site's leaked password hashes, in addition to the freedom to forget all about passwords. Entirely.</p>
<ul> <ul>
<li>You get to stop worrying about what password you used for your bank or the government tax portal, because they both use rediculous and different password policies.</li> <li>You get to stop worrying about what password you used for your bank or the government tax portal, because they both use ridiculous and different password policies.</li>
<li>You get to stop writing down passwords and keeping those notes safe from others as well as safe from loss.</li> <li>You get to stop writing down passwords and keeping those notes safe from others as well as safe from loss.</li>
<li>You get to stop messing with password vaults that promise to encrypt your stuff, but can't help you when you're at a friend's house, or after your appartment fire.</li> <li>You get to stop messing with password vaults that promise to encrypt your stuff, but can't help you when you're at a friend's house, or after your apartment fire.</li>
<li>You can stop sharing the keys to your digital life with online password websites that promise all the military grade encryption while being gagged and tapped by a government agency.</li> <li>You can stop sharing the keys to your digital life with online password websites that promise all the military grade encryption while being gagged and tapped by a government agency.</li>
</ul> </ul>
<h2>I use this other password manager, and it's awesome.</h2> <h2>I use this other password manager, and it's awesome.</h2>
<p>I shall not endeaver to quarrel with the point on the awesome scale of your other password manager. That said, Master Password was designed from the ground up specifically because of the many flaws that existed in all the popular password managers at the time. And the times haven't changed for the better since.</p> <p>I shall not endeavour to quarrel with the point on the awesome scale of your other password manager. That said, Master Password was designed from the ground up specifically because of the many flaws that existed in all the popular password managers at the time. And the times haven't changed for the better since.</p>
<p>I'm going to provide an excessively brief description of the primary flaws other password managers suffer, which Master Password is free from. Please <a href="support.html">contact me</a> if you have something to add, ask or correct.</p> <p>I'm going to provide an excessively brief description of the primary flaws other password managers suffer, which Master Password is free from. Please <a href="support.html">contact me</a> if you have something to add, ask or correct.</p>
<p>While each of these services have many great pros, I will only mention those that Master Password lacks.</p> <p>While each of these services have many great pros, I will only mention those that Master Password lacks.</p>
@ -156,12 +156,12 @@
<h2>You speak of trust, how can I trust you?</h2> <h2>You speak of trust, how can I trust you?</h2>
<p>A very valid question, and arguably the most important one to ask!</p> <p>A very valid question, and arguably the most important one to ask!</p>
<p>Trust is a very difficult thing to guarantee. Powerful entities will sollicit your trust by appearing with it and coming well recommended. Trust can also be assured by legalese or contracts. If you have the means and energy to hold an entity responsible for his claims and actions, this might be sufficient for you.</p> <p>Trust is a very difficult thing to guarantee. Powerful entities will solicit your trust by appearing with it and coming well recommended. Trust can also be assured by legalese or contracts. If you have the means and energy to hold an entity responsible for his claims and actions, this might be sufficient for you.</p>
<p>Most of us mere mortals cannot affort this level of trust enforcement, however. We're mostly left in the position of trusting claims blindly, in the hopes that companies will not violate those claims for fear of taking a seizable public-relations hit.</p> <p>Most of us mere mortals cannot afford this level of trust enforcement, however. We're mostly left in the position of trusting claims blindly, in the hopes that companies will not violate those claims for fear of taking a seizable public-relations hit.</p>
<h3>I propose that none of these forms of trust are sufficient adequate.</h3> <h3>I propose that none of these forms of trust are sufficient adequate.</h3>
<p>In fact, Master Password is what it is because it aims to avoid any requirement of trust in the solution's author. Master Password requires no services or proprietary storage format. I've published Master Password's algorithm for you to inspect and licensed to you the full source code to the implementations for you to use.</p> <p>In fact, Master Password is what it is because it aims to avoid any requirement of trust in the solution's author. Master Password requires no services or proprietary storage format. I've published Master Password's algorithm for you to inspect and licensed to you the full source code to the implementations for you to use.</p>
<p>What that gives you, is the ability to either inspect and learn how Master Password works or to take this information to a professional (be it an academic, mathematician or payed developer) and have him do this for you.</p> <p>What that gives you, is the ability to either inspect and learn how Master Password works or to take this information to a professional (be it an academic, mathematician or payed developer) and have him do this for you.</p>
<p>While at first glimpse, this may not seem terribly useful to you - particularly when you don't have the skillset to perform this verification yourself - but it's actually a pretty big deal to show your naked self as proof of having nothing to hide. If you want to go all the way, you could even build the application from scratch rather than rely on the binaries provided by our distributions.</p> <p>While at first glimpse, this may not seem terribly useful to you - particularly when you don't have the skill set to perform this verification yourself - but it's actually a pretty big deal to show your naked self as proof of having nothing to hide. If you want to go all the way, you could even build the application from scratch rather than rely on the binaries provided by our distributions.</p>
<p>This is the closest we can get to voiding any need for trust in Master Password, and it's more than you're likely to find in most other popular password solutions.</p> <p>This is the closest we can get to voiding any need for trust in Master Password, and it's more than you're likely to find in most other popular password solutions.</p>
</div> </div>