Fix a few spelling mistakes.
parent 556d1d3d58
commit a3ebcf0608
@ -508,4 +508,7 @@ table .box.green {
|
||||
header h2 {
|
||||
font-size: 2em;
|
||||
}
|
||||
header .moviecontrol {
|
||||
top: 1em;
|
||||
}
|
||||
}
|
||||
|
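Review bot: The `header .moviecontrol { top: 1em; }` rule added at the end of this hunk is a layout change, not a spelling fix, so it does not match the commit message "Fix a few spelling mistakes." Move it into its own commit with a message describing the layout adjustment, so this commit stays a text-only change that can be reviewed and reverted independently.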
@ -296,7 +296,7 @@
|
||||
<h3 id="masterkey" class="inline">The Master Key</h3>
|
||||
<p>The first part of the process it to obtain a very strong "token" of your personal identity. We call this token your <em>master key</em>, because it is very much like the one and only <strong>main key that opens all your doors</strong>. It is a personal key, it represents your identity.</p>
|
||||
<p>The master key is derived from your name and your master password, and thrown away as soon as it's no longer needed to minimize the risk of loss.</p>
|
||||
<p>Since it's vital that nobody else can gain access to your master key, it's important that the process of deriving the key is unsurmountably difficult. An attacker could try a brute-force attack against your master key or password by convincing you to make an account on his website, and then guessing at your master password or your master key until he finds one that gives him your password for his fake site.</p>
|
||||
<p>Since it's vital that nobody else can gain access to your master key, it's important that the process of deriving the key is insurmountably difficult. An attacker could try a brute-force attack against your master key or password by convincing you to make an account on his website, and then guessing at your master password or your master key until he finds one that gives him your password for his fake site.</p>
|
||||
<p>These are two different types of brute-force attacks and we need to make sure to defeat both of them.</p>
|
||||
<p>To defeat a brute-force attack against your master key, we make sure the master key is sufficiently high in entropy. Since the master key is a 256-bit key, an attacker would now have to make up to <code>2<sup>256</sup></code> guesses, or try <code>115792089237316195423570985008687907853269984665640564039457584007913129639936</code> master keys before finding the right one. Even at an ambitious rate of 2 billion tries per second, it would take several times the age of the universe to try all of them.
|
||||
<p>A brute-force attack against your master password is more feasible, since your master password will be tiny compared to such a huge master key.</p>
|
||||
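Review bot: The first context paragraph of this hunk still reads "The first part of the process it to obtain", which should be "is to obtain", and the paragraph starting "To defeat a brute-force attack against your master key" has no closing `</p>` in the lines shown. Both sit next to the corrected "insurmountably" line and fit the purpose of this commit, so fix them here rather than leaving them for a later pass.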
@ -348,9 +348,9 @@
|
||||
|
||||
<div class="hlvl">
|
||||
<p><h2 class="inline">Custom passwords</h2>
|
||||
are sometimes still a necessity. You may want to store a password you've been using for a long time in your manager, or your boss may have set an unchangable password on your computer for you to use. Since Master Password's passwords are a mathematical result of your unchanging master password, it is impossible for it to be used with passwords that are created via another way.</p>
|
||||
are sometimes still a necessity. You may want to store a password you've been using for a long time in your manager, or your boss may have set an unchangeable password on your computer for you to use. Since Master Password's passwords are a mathematical result of your unchanging master password, it is impossible for it to be used with passwords that are created via another way.</p>
|
||||
<p>The Master Password application however <em>functions as a hybrid password manager, implementing both the Master Password algorithm and a vault-like password solution</em>. In the second mode, Master Password uses your master key to encrypt custom passwords and store the encrypted result in a vault. Since we use the master key for this process, the result is a vault that is much harder to break into than that used by many other vault-based password solutions (specifically
|
||||
because the encryption key is a large key derived from your master pasword using scrypt key derivation). As a result, <strong>this trade-off has been mitigated</strong>.</p>
|
||||
because the encryption key is a large key derived from your master password using scrypt key derivation). As a result, <strong>this trade-off has been mitigated</strong>.</p>
|
||||
</div>
|
||||
|
||||
<div class="hlvl">
|
||||
|
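Review bot: The context line `<p><h2 class="inline">Custom passwords</h2>` nests a heading inside a paragraph, which is invalid HTML: the parser closes the `<p>` before the `<h2>`, leaving the `</p>` after "another way." unmatched. Since the changed line is part of that paragraph, consider moving the heading outside the `<p>` or replacing it with an inline element styled the same way. The phrase "created via another way" in the corrected line also reads awkwardly and could become "created another way".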
@ -112,14 +112,14 @@
|
||||
<p>More complicated than what, exactly? Using <code>robert17</code> for all your sites? Well, yes. That's also rather the point.</p>
|
||||
<p>The point is to eliminate the many sources of insecurities related to password authentication, and yet keeping the process surprizingly trivial. What you get in exchange for these two extra first-time only steps is very robust, unique passwords which are not hackable even from a site's leaked password hashes, in addition to the freedom to forget all about passwords. Entirely.</p>
|
||||
<ul>
|
||||
<li>You get to stop worrying about what password you used for your bank or the government tax portal, because they both use rediculous and different password policies.</li>
|
||||
<li>You get to stop worrying about what password you used for your bank or the government tax portal, because they both use ridiculous and different password policies.</li>
|
||||
<li>You get to stop writing down passwords and keeping those notes safe from others as well as safe from loss.</li>
|
||||
<li>You get to stop messing with password vaults that promise to encrypt your stuff, but can't help you when you're at a friend's house, or after your appartment fire.</li>
|
||||
<li>You get to stop messing with password vaults that promise to encrypt your stuff, but can't help you when you're at a friend's house, or after your apartment fire.</li>
|
||||
<li>You can stop sharing the keys to your digital life with online password websites that promise all the military grade encryption while being gagged and tapped by a government agency.</li>
|
||||
</ul>
|
||||
|
||||
<h2>I use this other password manager, and it's awesome.</h2>
|
||||
<p>I shall not endeaver to quarrel with the point on the awesome scale of your other password manager. That said, Master Password was designed from the ground up specifically because of the many flaws that existed in all the popular password managers at the time. And the times haven't changed for the better since.</p>
|
||||
<p>I shall not endeavour to quarrel with the point on the awesome scale of your other password manager. That said, Master Password was designed from the ground up specifically because of the many flaws that existed in all the popular password managers at the time. And the times haven't changed for the better since.</p>
|
||||
<p>I'm going to provide an excessively brief description of the primary flaws other password managers suffer, which Master Password is free from. Please <a href="support.html">contact me</a> if you have something to add, ask or correct.</p>
|
||||
|
||||
<p>While each of these services have many great pros, I will only mention those that Master Password lacks.</p>
|
||||
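Review bot: "surprizingly" in the paragraph starting "The point is to eliminate" (a context line near the top of this hunk) is still misspelled; change it to "surprisingly" in this commit together with the other fixes. The corrected line uses "endeavour", so check that the rest of the page follows the same British or American spelling convention.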
@ -156,8 +156,8 @@
|
||||
|
||||
<h2>You speak of trust, how can I trust you?</h2>
|
||||
<p>A very valid question, and arguably the most important one to ask!</p>
|
||||
<p>Trust is a very difficult thing to guarantee. Powerful entities will sollicit your trust by appearing with it and coming well recommended. Trust can also be assured by legalese or contracts. If you have the means and energy to hold an entity responsible for his claims and actions, this might be sufficient for you.</p>
|
||||
<p>Most of us mere mortals cannot affort this level of trust enforcement, however. We're mostly left in the position of trusting claims blindly, in the hopes that companies will not violate those claims for fear of taking a seizable public-relations hit.</p>
|
||||
<p>Trust is a very difficult thing to guarantee. Powerful entities will solicit your trust by appearing with it and coming well recommended. Trust can also be assured by legalese or contracts. If you have the means and energy to hold an entity responsible for his claims and actions, this might be sufficient for you.</p>
|
||||
<p>Most of us mere mortals cannot afford this level of trust enforcement, however. We're mostly left in the position of trusting claims blindly, in the hopes that companies will not violate those claims for fear of taking a seizable public-relations hit.</p>
|
||||
<h3>I propose that none of these forms of trust are sufficient adequate.</h3>
|
||||
<p>In fact, Master Password is what it is because it aims to avoid any requirement of trust in the solution's author. Master Password requires no services or proprietary storage format. I've published Master Password's algorithm for you to inspect and licensed to you the full source code to the implementations for you to use.</p>
|
||||
<p>What that gives you, is the ability to either inspect and learn how Master Password works or to take this information to a professional (be it an academic, mathematician or payed developer) and have him do this for you.</p>
|
||||
|
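Review bot: The rewritten "afford" line still contains "seizable public-relations hit", which should be "sizable"; the line is already being changed, so fix it in the same edit. The unchanged lines below it also carry "sufficient adequate" in the `<h3>` (drop one word, or use "sufficiently adequate") and "payed developer" (should be "paid"), both of which belong in a spelling-fix commit.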