diff --git a/Site/2013-05/algorithm.html b/Site/2013-05/algorithm.html index c98d74b2..35a4fe62 100644 --- a/Site/2013-05/algorithm.html +++ b/Site/2013-05/algorithm.html @@ -276,12 +276,12 @@ passWord[i] = passChar
bcdfghjklmnpqrstvwxyz
Template character: A
(= V . C
)
+
Template character: A
AEIOUBCDFGHJKLMNPQRSTVWXYZ
Template character: a
(= V . v . C . c
)
+
Template character: a
AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz
@&%?,=[]_:-+*$#!'^~;()/.
Template character: X
(= a . n . o
)
+
Template character: X
AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789@&%?,=[]_:-+*$#!'^~;()/.
AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()
There is an exception: Master Password allows you to save "custom" or "personal" passwords in the app. These passwords don't use Master Password's special algorithm and are merely encrypted using the strong master key derived from your master password. These types of passwords behave more like conventional vault-based passwords do. They are however very well protected and an attacker would still need to find a way to crack your master password (which is extremely difficult, see below) before being able to decode the passwords in its vault.
+Cryptography only provides technical security. It does not protect you from situations where you are legally required or forced by peers to surrender your key.
+ +In fact, many countries provide their officers with a legal grounds for forcing you to divulge your encryption keys to any encrypted information they've recovered during a warranted search.
+Again, unlike ordinary password managers, Master Password might have an edge here. If you make no use of stored passwords, Master Password doesn't actually encrypt anything with your master password. That means, when your devices are seized, these legal grounds may no longer apply. Note however that this does not constitute legal advice and that this theory has never been tested in practice.
+For your safety, we recommend that in preparation of travelling, you change the master password for your user on the device. That way, if your device is seized by a foreign entity and they force you to divulge your master password, you'll likely be fully compliant by simply giving up the new master password even though it will cause the app to generate invalid passwords for all your sites. Later, you can always change the master password back to the real one.
+The simple answer to that question is: First and foremost, memorable and unrelated to you. What that means is that the most important thing about your master password is that you need to be able to recall it any time and yet it should not be derived from anything personal.
That advice usually doesn't help very much with actually picking a good master password. The goal of a good password is that it'll take an attacker a lot of guesses before he'll find it. That is the core idea behind good passwords.
+There are a few strategies of getting good passwords. The speed with which an attacker can guess your password depends a lot on whether he knows what kind of password you're using or not. So we'll compare a few password strategies, their strength and how memorable they are.
The simplest strategy for picking good passwords is by just picking a bunch of random letters, digits and symbols and mixing them up. This is a great strategy for strong passwords but those passwords are usually not very memorable.
Another strategy is by "encoding" something you already know. This can seem like a good way to make memorable passwords, but recalling the "encoding" you used two years later can be tricky. This also makes it much easier for attackers that know you to find your password.