diff --git a/Site/1/algorithm.html b/Site/1/algorithm.html new file mode 100644 index 00000000..e366efb7 --- /dev/null +++ b/Site/1/algorithm.html @@ -0,0 +1,118 @@ + + + + + + Master Password — Securing your online life. + + + + + + + + + + + + + + + + +
+ +

Master Password

+
+
+
+ +
+ +

So how does it work?

+ +

+ The theory behind Master Password is simple. The user remembers a single, secure password. The user only ever uses that password to log into the Master Password application. This master password is then used as a seed to generate a different password based on the name of the site to generate a password for. +

+ +

+ The result is that each master password generates its own unique sequence of passwords for any site name. Since the only input data is the master password and the site name (along with a password counter, see below), there is no need for any kind of storage to recreate a site's password. All that's needed is the correct master password and the correct algorithm implementation. What that does for you is make it almost impossible to lose your passwords. It also makes it nearly impossible for hackers to steal your online identity. +

+ +

The algorithm

+

+ The user chooses a single master password, preferably sufficiently long to harden against brute-force attacks. The application then creates a scrypt key derivative from the user's password. This process takes quite a bit of processing time and memory. It makes brute-forcing the master password far more difficult, to practically infeasible, even for otherwise vulnerable password strings. +

+
+                key   = scrypt( P, S, N, r, p, dkLen )
+                where
+                P     = master password
+                S     = <empty>
+                N     = 16384
+                r     = 8
+                p     = 1
+                dkLen = 64
+            
+ +

+ When the user requests a password be generated for a site, the application composes a byte string consisting of the site name (UTF-8 decoded), the key, and a salt (a 32-bit unsigned integer in network byte order. Normally this is the password counter), delimited in that order by a single NUL byte, and hashes it using the SHA-1 algorithm. The result is called the seed. +

+
+                salt = htonl( password counter )
+                seed = sha1( site name . "\0" . key . "\0" . salt )
+            
+

+ The seed is now combined with the password type the user has chosen for the site. Password types determine the cipher that will be used to encode the seed bytes into a readable password. For instance, the standard password type Long Password activates one of three pre-set ciphers: CvcvCvcvnoCvcv, CvcvnoCvcvCvcv or CvcvCvcvCvcvno. Which of those will be used, depends on the first byte of the seed. Take the byte value modulo the amount of pre-set ciphers (in this case, three), and the result tells you which of the pre-set ciphers to use. +

+
+                ciphers = [ "CvcvCvcvnoCvcv", "CvcvnoCvcvCvcv", "CvcvCvcvCvcvno" ]
+                cipher  = ciphers[ seed[0] % count( ciphers ) ]
+            
+

+ Now that we know what cipher to use for building our final password, all that's left is to iterate the + cipher, and produce a character of password output for each step. When you iterate the cipher (i), every + character in the cipher represents a set of possible output characters (passChars). For instance, a C + character in the cipher indicates that we need to choose a capital consonant character. An o + character in the cipher indicates that we need to choose an other (symbol) character. Exactly which + character to choose in that set for the password output depends on the next byte from the seed. + Like before, take the next unused seed byte value modulo the amount of characters in the + set of possible output characters for the cipher iteration and use the result to choose the output + character (passChar). Repeat until you've iterated the whole cipher. +

+
+                passChar  = passChars[ seed[i + 1] % count( passChars ) ]
+                passWord += passChar
+            
+ +
+ + +
+ + + + diff --git a/Site/1/css/ml-shadows.css b/Site/1/css/ml-shadows.css new file mode 100644 index 00000000..30d1da08 --- /dev/null +++ b/Site/1/css/ml-shadows.css 
@@ -0,0 +1,318 @@ +/* effect-1 */ + +.effect-1:before, +.effect-1:after { +content:""; +position:absolute; +z-index:-500; +bottom:20px; +left:10px; +width:50%; +height:20%; +max-width:300px; +-webkit-box-shadow: 0 20px 10px rgba(0, 0, 0, 0.75); +-moz-box-shadow: 0 20px 10px rgba(0, 0, 0, 0.75); +box-shadow: 0 20px 10px rgba(0, 0, 0, 0.75); +-webkit-transform:rotate(-4deg); +-moz-transform:rotate(-4deg); +-o-transform:rotate(-4deg); +-ms-transform:rotate(-4deg); +transform:rotate(-4deg); +} + +.effect-1:after { +right:10px; +left:auto; +-webkit-transform:rotate(4deg); +-moz-transform:rotate(4deg); +-o-transform:rotate(4deg); +-ms-transform:rotate(4deg); +transform:rotate(4deg); +} + +/* effect-2 */ + +.effect-2:before, +.effect-2:after { +content:""; +position:absolute; +z-index:-500; +bottom:20px; +left:10px; +width:50%; +height:20%; +max-width:300px; +-webkit-box-shadow:0 22px 10px rgba(0, 0, 0, 0.6); +-moz-box-shadow:0 22px 10px rgba(0, 0, 0, 0.6); +box-shadow:0 22px 10px rgba(0, 0, 0, 0.6); +-webkit-transform:rotate(-8deg); +-moz-transform:rotate(-8deg); +-o-transform:rotate(-8deg); +-ms-transform:rotate(-8deg); +transform:rotate(-8deg); +} + +.effect-2:after { +right:10px; +left:auto; +-webkit-transform:rotate(8deg); +-moz-transform:rotate(8deg); +-o-transform:rotate(8deg); +-ms-transform:rotate(8deg); +transform:rotate(8deg); +} + +/* effect-3 */ + +.effect-3:before, +.effect-3:after { +content:""; +position:absolute; +z-index:-500; +bottom:8px; +left:2%; +width:48.5%; +height:55%; +-webkit-box-shadow:0 7px 9px rgba(0, 0, 0, 0.75); +-moz-box-shadow:0 7px 9px rgba(0, 0, 0, 0.75); +box-shadow:0 7px 9px rgba(0, 0, 0, 0.75); +-webkit-transform: rotate(2deg); +-moz-transform: rotate(2deg); +-o-transform: rotate(2deg); +-ms-transform: rotate(2deg); +transform: rotate(2deg); +} + +.effect-3:after { +right:2%; +left:auto; +-webkit-transform: rotate(-2deg); +-moz-transform: rotate(-2deg); +-o-transform: rotate(-2deg); +-ms-transform: rotate(-2deg); +transform: 
rotate(-2deg); +} + +/* effect-4 */ + +.effect-4:before, +.effect-4:after { +content:""; +position:absolute; +z-index:-500; +bottom:12px; +left:2%; +width:49%; +height:55%; +-webkit-box-shadow:0 12px 18px rgba(0, 0, 0, 0.75); +-moz-box-shadow:0 12px 18px rgba(0, 0, 0, 0.75); +box-shadow:0 12px 18px rgba(0, 0, 0, 0.75); +-webkit-transform: rotate(3deg); +-moz-transform: rotate(3deg); +-o-transform: rotate(3deg); +-ms-transform: rotate(3deg); +transform: rotate(3deg); +} + +.effect-4:after { +right:2%; +left:auto; +-webkit-transform: rotate(-3deg); +-moz-transform: rotate(-3deg); +-o-transform: rotate(-3deg); +-ms-transform: rotate(-3deg); +transform: rotate(-3deg); +} + +/* effect-5 */ + +.effect-5:before { +content:""; +position:absolute; +z-index:-500; +left:-2.5%; +bottom:15px; +width:105%; +height:8px; +-webkit-box-shadow: 0px 20px 5px rgba(0, 0, 0, 0.5); +-moz-box-shadow: 0px 20px 5px rgba(0, 0, 0, 0.5); +box-shadow: 0px 20px 5px rgba(0, 0, 0, 0.5); +-webkit-border-radius:10px; +-moz-border-radius:10px; +border-radius:10px; +} + +/* effect-6 */ + +.effect-6:before { +content:""; +position:absolute; +z-index:-500; +left:-3.5%; +bottom:25px; +width:107%; +height:15px; +-webkit-box-shadow: 0px 30px 9px rgba(0, 0, 0, 0.5); +-moz-box-shadow: 0px 30px 9px rgba(0, 0, 0, 0.5); +box-shadow: 0px 30px 9px rgba(0, 0, 0, 0.5); +} + +/* effect-7 */ + +.effect-7:before { +content:""; +position:absolute; +z-index:-500; +left:0; +right:0; +top:10px; +bottom:10px; +-webkit-box-shadow: 0 0 8px rgba(0,0,0,0.5); +-moz-box-shadow: 0 0 8px rgba(0,0,0,0.5); +box-shadow: 0 0 8px rgba(0,0,0,0.5); +-webkit-border-radius:15px; +-moz-border-radius:15px; +border-radius:15px; +} + +/* effect-8 */ + +.effect-8:before { +content:""; +position:absolute; +z-index:-500; +left:0px; +right:0; +top:15px; +bottom:15px; +-webkit-box-shadow: 0px 0 20px rgba(0,0,0,0.8); +-moz-box-shadow: 0px 0 20px rgba(0,0,0,0.8); +box-shadow: 0px 0 20px rgba(0,0,0,0.8); +-webkit-border-radius:35px; 
+-moz-border-radius:35px; +border-radius:35px; +} + +/* effect-9 */ + +.effect-9:before { +content:""; +position:absolute; +z-index:-500; +left:70px; +bottom:2px; +width:50%; +height:15px; +max-width:200px; +-webkit-box-shadow:-85px 0 3px rgba(0, 0, 0, 0.4); +-moz-box-shadow:-85px 0 3px rgba(0, 0, 0, 0.4); +box-shadow:-85px 0 3px rgba(0, 0, 0, 0.4); +-webkit-transform:skew(60deg); +-moz-transform:skew(60deg); +-o-transform:skew(60deg); +-ms-transform:skew(60deg); +transform:skew(60deg); +} + +/* effect-10 */ + +.effect-10:before { +content:""; +position:absolute; +z-index:-500; +left:70px; +bottom:2px; +width:50%; +height:15px; +max-width:200px; +-webkit-box-shadow:-85px 0 3px rgba(0, 0, 0, 0.4); +-moz-box-shadow:-85px 0 3px rgba(0, 0, 0, 0.4); +box-shadow:-85px 0 3px rgba(0, 0, 0, 0.4); +-webkit-transform:skew(60deg); +-moz-transform:skew(60deg); +-o-transform:skew(60deg); +-ms-transform:skew(60deg); +-webkit-transform:skew(60deg); +} + +.effect-10:after { +content:""; +position:absolute; +z-index:-500; +right:70px; +bottom:2px; +width:50%; +height:15px; +max-width:200px; +-webkit-box-shadow: 85px 0 3px rgba(0, 0, 0, 0.4); +-moz-box-shadow: 85px 0 3px rgba(0, 0, 0, 0.4); +box-shadow: 85px 0 3px rgba(0, 0, 0, 0.4); +-webkit-transform:skew(-60deg); +-moz-transform:skew(-60deg); +-o-transform:skew(-60deg); +-ms-transform:skew(-60deg); +transform:skew(-60deg); +} + +/* effect-11 */ + +.effect-11:before { +content:""; +position:absolute; +z-index:-500; +left:70px; +bottom:2px; +width:50%; +height:75px; +max-width:200px; +-webkit-box-shadow:-86px 0 6px rgba(0, 0, 0, 0.4); +-moz-box-shadow:-86px 0 6px rgba(0, 0, 0, 0.4); +box-shadow:-86px 0 6px rgba(0, 0, 0, 0.4); +-webkit-transform:skew(20deg); +-moz-transform:skew(20deg); +-o-transform:skew(20deg); +-ms-transform:skew(20deg); +transform:skew(20deg); +} + +.effect-11:after { +display: none; +} + +/* effect-12 */ + +.effect-12:before { +content:""; +position:absolute; +z-index:-500; +left:70px; +bottom:2px; +width:50%; 
+height:75px; +-webkit-box-shadow:-86px 0 6px rgba(0, 0, 0, 0.4); +-moz-box-shadow:-86px 0 6px rgba(0, 0, 0, 0.4); +box-shadow:-86px 0 6px rgba(0, 0, 0, 0.4); +-webkit-transform:skew(20deg); +-moz-transform:skew(20deg); +-o-transform:skew(20deg); +-ms-transform:skew(20deg); +transform:skew(20deg); +} + +.effect-12:after { +content:""; +position:absolute; +z-index:-500; +right:70px; +bottom:2px; +width:50%; +height:75px; +-webkit-box-shadow:86px 0 6px rgba(0, 0, 0, 0.4); +-moz-box-shadow:86px 0 6px rgba(0, 0, 0, 0.4); +box-shadow:86px 0 6px rgba(0, 0, 0, 0.4); +-webkit-transform:skew(-20deg); +-moz-transform:skew(-20deg); +-o-transform:skew(-20deg); +-ms-transform:skew(-20deg); +transform:skew(-20deg); +} diff --git a/Site/1/css/screen.css b/Site/1/css/screen.css index 165583a3..e38ed2d5 100644 --- a/Site/1/css/screen.css +++ b/Site/1/css/screen.css @@ -1,8 +1,5 @@ html { background: url("../img/back-light.png") center 0; - -webkit-box-shadow: inset 0 0 100px #FFF, inset 0 0 100px #FFF; - -moz-box-shadow: inset 0 0 100px #FFF, inset 0 0 100px #FFF; - box-shadow: inset 0 0 100px #FFF, inset 0 0 100px #FFF; } body { padding: 0; @@ -57,6 +54,9 @@ label { display: inline-block; width: 15em; } +img { + border: none; +} /* Classes */ @@ -72,12 +72,16 @@ label { /* Page */ header { position: relative; + z-index: 99; background: url("../img/back-dark.png") center 0; border-bottom: 1px solid #FFF; -webkit-box-shadow: 0 0 50px #666; -moz-box-shadow: 0 0 50px #666; box-shadow: 0 0 50px #666; + top: 0; + left: 0; + width: 100%; margin: 0 0 5em; padding: 1em 0; 
@@ -91,16 +95,47 @@ header h1 { } header .logo { height: 128px; - vertical-align:middle; + vertical-align: middle; } header .divider { position: absolute; width: 100%; bottom: -90px; } +#fixedheader { + position: fixed; + z-index: 98; + background: url("../img/back-dark.png") center 0; + border-bottom: 1px solid #FFF; + -webkit-box-shadow: 0 0 10px #000; + -moz-box-shadow: 0 0 10px #000; + box-shadow: 0 0 10px #000; + + top: 0; + left: 0; + width: 100%; + margin: 0 0 5em; + padding: 0.5em 0; + + text-align: center; +} +#fixedheader h2 { + margin: 0; + + color: white; + font-size: 20px; +} +header a, header .link, header :link, +#fixedheader a, #fixedheader .link, #fixedheader :link { + text-decoration: none; +} +header a:hover, header .link:hover, +#fixedheader a:hover, #fixedheader .link:hover { + text-decoration: underline; +} footer { clear: both; - padding: 1em 0; + padding: 10em 0 1em; color: #333; text-shadow: #FFF 0 -1px 1px, #999 0 0 5px; @@ -119,7 +154,8 @@ section { hr { background: url("../img/Dividers/Simple.png") center center no-repeat; border: none; - height: 5px; + height: 4em; + clear: both; } blockquote { margin-left: 5em; 
@@ -150,40 +186,57 @@ blockquote:before { position: relative; z-index: -1; } -.frontpage .sidebox { - margin-right: -100px; +.appstore { + position: absolute; + right: 10px; + font-size: 0; } -.frontpage .sidebox .clip { - height: 416px; - margin-bottom: 84px; +.columns { + position: relative; + clear: both; + text-align: center; +} +.columns>div { + float: left; + width: 25%; + height: 22em; + margin: 0 4%; + padding: 3em 0 1em; + text-align: justify; + font-size: smaller; +} +.columns h2 { + font-size: 120%; +} +.columns .columnhead { +} +.box { + display: inline-block; + position: relative; + font-size: 0; +} +.box img { + border: 1px solid white; } .hoverShow { display: none; } +.center { + text-align: center; +} +.clear { + clear: both; +} *:hover>.hoverShow { display: inline-block; } -section { - position: relative; - display: none; - - -webkit-transition: all 0.2s ease-in-out; - -moz-transition: all 0.2s ease-in-out; - -ms-transition: all 0.2s ease-in-out; - -o-transition: all 0.2s ease-in-out; - transition: all 0.2s ease-in-out; -} -section.active { - display: block; -} a.previous, a.next { display: block; - position: absolute; - margin: -2.5em 0 0 0; font-size: 150%; font-weight: 400; + text-align: center; text-decoration: none; } a.previous { @@ -193,9 +246,6 @@ a.previous:before { content: "< "; } a.next { - right: 0; - - text-align: right; } a.next:after { content: " >"; @@ -211,7 +261,11 @@ a.next:after { width: 184px; height: 184px; } - #frontpage .sidebox { - margin-top: -50px; + margin-right: -100px; } +#frontpage .sidebox .clip { + height: 416px; + margin-bottom: 84px; +} + diff --git a/Site/1/img/ComparisonOfPasswordSolutions.png b/Site/1/img/ComparisonOfPasswordSolutions.png new file mode 100644 index 00000000..53cd6096 Binary files /dev/null and b/Site/1/img/ComparisonOfPasswordSolutions.png differ 
diff --git a/Site/1/img/Dividers/Divider_H.png b/Site/1/img/Dividers/Divider_H.png index 5cbb2275..d5fdfe39 100644 Binary files a/Site/1/img/Dividers/Divider_H.png and b/Site/1/img/Dividers/Divider_H.png differ diff --git a/Site/1/img/Dividers/Divider_V.png b/Site/1/img/Dividers/Divider_V.png index 32be2273..4ff72a9f 100644 Binary files a/Site/1/img/Dividers/Divider_V.png and b/Site/1/img/Dividers/Divider_V.png differ diff --git a/Site/1/img/Dividers/Simple.png b/Site/1/img/Dividers/Simple.png index 96201dd4..35cf2a23 100644 Binary files a/Site/1/img/Dividers/Simple.png and b/Site/1/img/Dividers/Simple.png differ diff --git a/Site/1/img/MasterPassword_1.png b/Site/1/img/MasterPassword_1.png deleted file mode 100644 index 2e71c7eb..00000000 Binary files a/Site/1/img/MasterPassword_1.png and /dev/null differ diff --git a/Site/1/img/MasterPassword_2.png b/Site/1/img/MasterPassword_2.png deleted file mode 100644 index 39b4e0d4..00000000 Binary files a/Site/1/img/MasterPassword_2.png and /dev/null differ diff --git a/Site/1/img/appstore-small.png b/Site/1/img/appstore-small.png new file mode 100644 index 00000000..cbf282df Binary files /dev/null and b/Site/1/img/appstore-small.png differ diff --git a/Site/1/img/appstore.png b/Site/1/img/appstore.png new file mode 100644 index 00000000..1e364a4d Binary files /dev/null and b/Site/1/img/appstore.png differ diff --git a/Site/1/img/back-light.png b/Site/1/img/back-light.png index 6ed6e17e..b13edaf4 100644 Binary files a/Site/1/img/back-light.png and b/Site/1/img/back-light.png differ diff --git a/Site/1/img/frontpage_phone.png b/Site/1/img/frontpage_phone.png new file mode 100644 index 00000000..fa19cded Binary files /dev/null and b/Site/1/img/frontpage_phone.png differ diff --git a/Site/1/img/ribbon-join-beta.png b/Site/1/img/ribbon-join-beta.png index 95251596..d7deb684 100644 Binary files a/Site/1/img/ribbon-join-beta.png and b/Site/1/img/ribbon-join-beta.png differ 
diff --git a/Site/1/img/shots/feature-bike.png b/Site/1/img/shots/feature-bike.png new file mode 100644 index 00000000..b163a181 Binary files /dev/null and b/Site/1/img/shots/feature-bike.png differ diff --git a/Site/1/img/shots/feature-copy.png b/Site/1/img/shots/feature-copy.png new file mode 100644 index 00000000..6448c579 Binary files /dev/null and b/Site/1/img/shots/feature-copy.png differ diff --git a/Site/1/img/shots/feature-custom.png b/Site/1/img/shots/feature-custom.png new file mode 100644 index 00000000..dc6a6b6a Binary files /dev/null and b/Site/1/img/shots/feature-custom.png differ diff --git a/Site/1/img/shots/feature-export.png b/Site/1/img/shots/feature-export.png new file mode 100644 index 00000000..3599b95f Binary files /dev/null and b/Site/1/img/shots/feature-export.png differ diff --git a/Site/1/img/shots/feature-icloud.png b/Site/1/img/shots/feature-icloud.png new file mode 100644 index 00000000..9e133143 Binary files /dev/null and b/Site/1/img/shots/feature-icloud.png differ diff --git a/Site/1/img/shots/feature-mac.png b/Site/1/img/shots/feature-mac.png new file mode 100644 index 00000000..4adcc871 Binary files /dev/null and b/Site/1/img/shots/feature-mac.png differ diff --git a/Site/1/img/shots/feature-password.png b/Site/1/img/shots/feature-password.png new file mode 100644 index 00000000..2c11cbf0 Binary files /dev/null and b/Site/1/img/shots/feature-password.png differ diff --git a/Site/1/img/shots/feature-types.png b/Site/1/img/shots/feature-types.png new file mode 100644 index 00000000..b9d5985c Binary files /dev/null and b/Site/1/img/shots/feature-types.png differ diff --git a/Site/1/img/shots/feature-unlock.png b/Site/1/img/shots/feature-unlock.png new file mode 100644 index 00000000..bdb6f87f Binary files /dev/null and b/Site/1/img/shots/feature-unlock.png differ diff --git a/Site/1/index.html b/Site/1/index.html index 6258cbdd..52040b45 100644 --- a/Site/1/index.html +++ b/Site/1/index.html @@ -10,22 +10,11 @@ + - - - + + +
-

Master Password

-
-
-
- -
+ +

Master Password

+
- + +
+ +

Master Password

+
+ +

Stop worrying about passwords

-

Memorising passwords or even saving them in our browser, an application or the cloud just isn't good enough.

- -

Master Password is a solution that voids the need to keep your passwords anywhere. Not in your head, not on your computer and not in the cloud. Nothing to store means nothing to lose. At the same time it makes sure that your accounts are adequately protected with exclusive passwords.

- -

With Master Password, you remember one secure password and use that with the application to generate any password you might need. You could even generate PIN codes with it, if you wanted. Today, it's time to stop worrying about passwords and get on with what we need to get done.

-
-
- - - - -

What is this?

+

Memorizing passwords or even saving them in our browser, an application or the cloud just isn't good enough.

- Master Password is a revolution in password management. + Master Password is a solution that voids the need to keep your passwords anywhere. Not in your head, not on your computer and not in the cloud. +

+

+ Nothing to store means nothing to lose. At the same time it makes sure that your accounts are adequately protected with exclusive passwords. +

+

+ Learn how below.

-

- It aims to secure your online (and offline!) life by changing the way you deal with passwords. -

+
+ + + +
+
+
+
+ +
+
+
+

Locked from prying eyes

+ Your master password unlocks the application and grants access all the passwords inside.
+ It is the only thing you will need to remember from now on. +
+
+
+
+ +
+
+
+

Generates secure passwords

+ The application generates secure, random and unique passwords in a format that's easy for you to copy. +
+
+
+
+ +
+
+
+

Different password types

+ Master Password's presets allow you to comply with almost any site's restrictive password policies, while still producing secure passwords for them. +
+
+
+
+ +
+
+
+

Copy with a tap

+ It's really easy to use the password on your iPhone: Just tap the password to copy it and paste it in a different application's password field.
+ Goodbye, annoying App Store password pop-up. +
+
+
+
+ +
+
+
+

Saves custom passwords

+ You can also store custom passwords in the application. They will be safely encrypted with your master password. +
+
+
+
+ +
+
+
+

Not just for online

+ These passwords can also be used for the things around you: Your bike lock, your home alarm system, PIN codes, ... +
+
+
+
+ +
+
+
+

Syncs with iCloud

+ Enable iCloud support to store all your password names in your iCloud account. Great for keeping multiple Apple devices in sync or backing up your site list.
+ Apple will never see any of your passwords. +
+
+
+
+ +
+
+
+

Data liberation

+ And of course, you retain full control over all your passwords: You can export them at any time, and import new site lists. +
+
+
+
+ +
+
+
+

What about your Mac?

+ A Mac version of Master Password exists too! It gives you access to all of your passwords without needing to bring up your phone.
+ Just enable iCloud for a seamless experience. +
+

- -

Revolution? Why would I need that?

- -

- You already know the problem:
- Passwords are confidential information between you and a site. They should never be shared with anyone else, definitely not other sites. Yet that's exactly what happens with most of us: Hundereds of online accounts to manage and authenticate, we can't help but reuse one, two or five passwords that we can remember. Maybe we keep a paper stuck to our monitor with a list of passwords on them, because we realize the truth: -

- -
It is impossible to remember a secure password for each of our accounts and still keep those passwords both exclusive and confidential.
- -

- Multiple solutions exist:
- Sites that realize that passwords aren't the end-all of authentication usually implement some sort of alternative authentication mechanism: OpenID, SAML, some form of mobile authentication, secure tokens, etc.
- The problem here is that these solutions only work for the select few sites that have chosen to implement them; and then you, the user, are stuck with whatever mechanism the site has chosen for you. -

- -

- To solve the problem for other sites, there are programs that remember our passwords for us.
- The problem with these is that they do not actually help us with setting exclusive and confidential passwords for our accounts. They just offload the work of remembering passwords, and at a great expense: If you lose your data, you lose your online identity and are locked out of everything. -

- -
- -

So, I guess you claim to do better?

- -

- Master Password aims to turn the tables in favor of the user, you.
- In the end, what we really want is a way of dealing with passwords in an exclusive and confidential way without having to remember them, and without running the risk of losing our online identity to fraudsters. -

- -

- Master Password does exactly this. You remember a single master password. Make it a long and secure one. Master Password uses this password along with the name of the site that you want to log into and generates a secure but unique password for that site. What's more, it doesn't store this information anywhere. If you lose your phone, the thieves can get none the wiser from it. You kick yourself for losing your phone, pick up any other phone, start the application, enter your master password, and instantly have access to all your passwords again. No sync, no backups, no hassle. -

- - - -
- -

OK, I'm convinced. Where do I get in?

- -

- Master Password is currently in beta.
- Anyone interested in joining the beta is invited to join the Lyndir TestFlight team. Every so often new pending testers are admitted to the Master Password beta testers team. -

-

- Participation in the beta is free of charge, but does come with the expectation that you will contribute. Comment constructively, report issues and propose improvements. -

-

- Post-beta, Master Password is expected to sell for somewhere around 10 USD. The most helpful testers will receive the final version (and all future updates) free of charge. -

- +
-
- - - -

So how does it work?

- -

- The theory behind Master Password is simple. The user remembers a single, secure password. The user only ever uses that password to log into the Master Password application. This master password is then used as a seed to generate a different password based on the name of the site to generate a password for. -

- -

- The result is that each master password generates its own unique sequence of passwords for any site name. Since the only input data is the master password and the site name (along with a password counter, see below), there is no need for any kind of storage to recreate a site's password. All that's needed is the correct master password and the correct algorithm implementation. What that does for you is make it almost impossible to lose your passwords. It also makes it nearly impossible for hackers to steal your online identity. -

- -

The algorithm

-

- Alright, let's describe the process in detail. This part will likely make sense to you only if you're well versed in computer security jargon. If you're the kind of person who likes to know how the clock ticks before deciding that it can be trusted to keep ticking, read on. -

-

- The user chooses a single master password, preferably sufficiently long to harden against brute-force attacks. Before usage, a masterKey is derived from this master password using the scrypt key derivation function. This makes it impossibly expensive and time-consuming to attempt brute-forcing a properly sized master password. -

-
-                masterKey = scrypt( P, S, N, r, p, dkLen )
-                where
-                P     = master password
-                S     = <empty>
-                N     = 16384
-                r     = 8
-                p     = 1
-                dkLen = 64
-            
- -

- When the user requests a password be generated for a site, the application composes a byte string consisting of the site name, the master key, and a password counter, delimited in that order by a dash character (characters are UTF-8 encoded, numbers in 32-bit network byte order), and hashes it using the SHA-1 algorithm. The result is called the cipherKey. -

-
-                cipherKey = sha1( site name "-" masterKey "-" password counter )
-            
-

- Next up is to merge this key with the password type that the user has chosen to use for the site. Password types determine the cipher that will be used to encrypt cipherKey bytes into a readable password. For instance, the standard password type Long Password activates one of three pre-set ciphers: CvcvCvcvnoCvcv, CvcvnoCvcvCvcv or CvcvCvcvCvcvno. Which of those will be used, depends on the first byte of the cipherKey. Take the byte value modulo the amount of pre-set ciphers (in this case, three), and the result tells you which of the pre-set ciphers to use. -

-
-                ciphers = [ "CvcvCvcvnoCvcv", "CvcvnoCvcvCvcv", "CvcvCvcvCvcvno" ]
-                cipher  = ciphers[ cipherKey[0] % count( ciphers ) ]
-            
-

- Now that we know what cipher to use for building our final password, all that's left is to iterate the - cipher, and produce a character of password output for each step. When you iterate the cipher (i), every - character in the cipher represents a set of possible output characters (passChars). For instance, a C - character in the cipher indicates that we need to choose a capital consonant character. An o - character in the cipher indicates that we need to choose an other (symbol) character. Exactly which - character to choose in that set for the password output depends on the next byte from the cipherKey. - Like before, take the next unused cipherKey byte value modulo the amount of characters in the - set of possible output characters for the cipher iteration and use the result to choose the output - character (passChar). Repeat until you've iterated the whole cipher. -

-
-                passChar  = passChars[ cipherKey[i + 1] % count( passChars ) ]
-                passWord += passChar
-            
- -
diff --git a/Site/1/what.html b/Site/1/what.html new file mode 100644 index 00000000..f543db84 --- /dev/null +++ b/Site/1/what.html @@ -0,0 +1,141 @@ + + + + + + Master Password — Securing your online life. + + + + + + + + + + + + + + + + +
+ +

Master Password

+
+
+
+ +
+ +

What is this?

+ +

+ Master Password is a revolution in password management. +

+ +

+ It aims to secure your online (and offline!) life by changing the way you deal with passwords. +

+ +
+ +

Revolution? Why would I need that?

+ +

+ You already know the problem:
+ Passwords are confidential information between you and a site. They should never be shared with anyone else, definitely not other sites. Yet that's exactly what happens with most of us: Hundereds of online accounts to manage and authenticate, we can't help but reuse one, two or five passwords that we can remember. Maybe we keep a paper stuck to our monitor with a list of passwords on them, because we realize the truth: +

+ +
It is impossible to remember a secure password for each of our accounts and still keep those passwords both exclusive and confidential.
+ +

+ Multiple solutions exist:
+ Sites that realize that passwords aren't the end-all of authentication usually implement some sort of alternative authentication mechanism: OpenID, SAML, some form of mobile authentication, secure tokens, etc.
+ The problem here is that these solutions only work for the select few sites that have chosen to implement them; and then you, the user, are stuck with whatever mechanism the site has chosen for you. +

+ +

+ To solve the problem for other sites, there are programs that remember our passwords for us.
+ The problem with these is that they do not actually help us with setting exclusive and confidential passwords for our accounts. They just offload the work of remembering passwords, and at a great expense: If you lose your data, you lose your online identity and are locked out of everything. +

+ +
+ +

So, I guess you claim to do better?

+ +

+ Master Password aims to turn the tables in favor of the user, you.
+ In the end, what we really want is a way of dealing with passwords in an exclusive and confidential way without having to remember them, and without running the risk of losing our online identity to fraudsters. +

+ +

+ Master Password does exactly this. You remember a single master password. Make it a long and secure one. Master Password uses this password along with the name of the site that you want to log into and generates a secure but unique password for that site. What's more, it doesn't store this information anywhere. If you lose your phone, the thieves can get none the wiser from it. You kick yourself for losing your phone, pick up any other phone, start the application, enter your master password, and instantly have access to all your passwords again. No sync, no backups, no hassle. +

+ + + +

+ +

+ +
+ +

OK, I'm convinced. Where do I get it?

+ +

+ Master Password is available from Apple's App Store for iOS and Mac. The Mac application currently requires the iOS application and iCloud to be enabled and set up on both the iPhone and the Mac. +

+

+ The application is fully open source under the GPLv3, which means you can inspect the code and build the application for yourself, if you prefer. You can find the Master Password source code on GitHub. +

+ +
+ + +
+ + + + +
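Review bot: in Site/1/algorithm.html the scrypt parameter block sets "S = <empty>", so the key depends on the master password alone: two users who pick the same master password get the same key and, for the same site name, counter and password type, the same site password. Either mix a per-user value into S or have the text say the salt is deliberately empty and what that costs. In the seed paragraph, "the site name (UTF-8 decoded)" should read "UTF-8 encoded", since bytes are what gets passed to sha1. The selection "seed[i + 1] % count( passChars )" is also slightly biased whenever the set size does not divide 256, which deserves a sentence.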
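Review bot: in Site/1/css/ml-shadows.css the .effect-10:before rule ends its transform list with a second "-webkit-transform:skew(60deg);" where every other transform block in the file ends with the unprefixed "transform:" declaration, so a browser that only honours the unprefixed property will not skew that shadow. Change that last line to "transform:skew(60deg);". With that fixed the rule is identical to .effect-9:before, so the two could share one selector list.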
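Review bot: in Site/1/css/screen.css two rules end up with empty bodies: the added ".columns .columnhead { }" and "a.next { }" once "right: 0;" and "text-align: right;" are removed from it. Drop both selectors or put the intended declarations in them. The new #fixedheader block also repeats the background and border-bottom declarations of header verbatim, and those could be declared once on "header, #fixedheader".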
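Review bot: in Site/1/index.html the "Generates secure passwords" column calls the output "secure, random and unique", but algorithm.html in this same patch describes the passwords as derived deterministically from the master password, site name and counter, so "random" should go or be reworded along the lines of "unpredictable without your master password". Likewise "Nothing to store means nothing to lose" sits just above the "Saves custom passwords" and "Syncs with iCloud" columns, which do store data, so the intro should say what is and is not stored. In the first column, "grants access all the passwords inside" is missing "to".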
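Review bot: in Site/1/what.html the "So, I guess you claim to do better?" paragraph says the application "doesn't store this information anywhere" and ends with "No sync, no backups, no hassle", while the new "Where do I get it?" text in the same file says the Mac application requires iCloud to be enabled and set up on both the iPhone and the Mac. Reconcile the two by scoping the no-storage claim to generated passwords. "Hundereds" in the "Revolution?" paragraph is carried over from index.html unchanged and should be "Hundreds".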