prMac Press Release

[ADDED]     prMac press release for 1.2.1, REV1b
Maarten Billemont 2012-07-03 11:02:31 +02:00
parent 1da63e450d
commit dea7434bd4
5 changed files with 84 additions and 53 deletions

View File

@ -85,10 +85,10 @@
</script> </script>
</head> </head>
<body> <body>
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore.png" /></a>
<header> <header>
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore.png" /></a>
<h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1> <h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1>
<div class="divider"></div> <div class="divider"></div>
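Review bot: the replacement App Store URL in both `<a class="appstore">` anchors is still plain `http://`. The target is on itunes.apple.com, so link to `https://itunes.apple.com/app/id510296984` and the hop to the store cannot be rewritten in transit. The `<img src="img/appstore.png" />` inside each anchor also has no `alt` text.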
@ -118,13 +118,13 @@
<p> <p>
Master Password uses a stateless algorithm that relies solely on its implementation and the user's inputs. The user is expected to remember the following information: Master Password uses a stateless algorithm that relies solely on its implementation and the user's inputs. The user is expected to remember the following information:
<ul> <ul>
<li><b>The master password</b> (eg. <em>pink fluffy door frame</em>):<br /> <li><strong>The master password</strong> (eg. <em>pink fluffy door frame</em>):<br />
This is a secret that the user shares with nobody.</li> This is a secret that the user shares with nobody.</li>
<li><b>The site name</b> (eg. <em>apple.com</em>):<br /> <li><strong>The site name</strong> (eg. <em>apple.com</em>):<br />
The user chooses a name for each site. Its domain name is an ideal choice, since it needn't necessarily be remembered.</li> The user chooses a name for each site. Its domain name is an ideal choice, since it needn't necessarily be remembered.</li>
<li><b>The site's password counter</b> (default: <em>0</em>):<br /> <li><strong>The site's password counter</strong> (default: <em>0</em>):<br />
This is an integer that can be incremented when the user needs a new password for the site.</li> This is an integer that can be incremented when the user needs a new password for the site.</li>
<li><b>The site's password type</b> (default: <em>Long Password</em>):<br /> <li><strong>The site's password type</strong> (default: <em>Long Password</em>):<br />
This type determines the format of the output password. It can be changed if the site's password policy does not accept passwords of this format.</li> This type determines the format of the output password. It can be changed if the site's password policy does not accept passwords of this format.</li>
</ul> </ul>
</p> </p>
@ -132,26 +132,33 @@
In short, the algorithm is comprised of the following steps: In short, the algorithm is comprised of the following steps:
<ul> <ul>
<li>Determining the master <code>key</code></li> <li>Determining the master <code>key</code></li>
<li>Determining the cipher <code>seed</code></li> <li>Determining the template <code>seed</code></li>
<li>Encoding a user-friendly <code>password</code></li> <li>Encoding a user-friendly <code>password</code></li>
</ul> </ul>
</p> </p>
<p>
A note on types:
<ul>
<li>Any character string is UTF-8 de- or encoded, depending on context.</li>
<li>Any number is converted to 32-bit network byte order.</li>
</ul>
</p>
<h2>The Master Password</h2> <h2>The Master Password</h2>
<p> <p>
The user chooses a single master password, preferably sufficiently long to harden against brute-force attacks. Master Password recommends absurd two or three-word sentences as they're easily remembered and generally sufficiently high in entropy. The user chooses a single master password, preferably sufficiently long to harden against brute-force attacks. Master Password recommends absurd three or four-word sentences as they're easily remembered and generally sufficiently high in entropy.
</p> </p>
<p> <p>
The application then creates a <a href="http://www.tarsnap.com/scrypt.html" onclick="_gaq.push(['_trackPageview', '/outbound/tarsnap.com/scrypt.html">scrypt</a> key derivative from the user's password. This process takes quite a bit of processing time and memory. This step exists to make brute-force attempts at guessing the master password from a given output password <b>far more difficult</b>, to practically infeasible, even for otherwise vulnerable password strings. The application then creates a <a href="http://www.tarsnap.com/scrypt.html" onclick="_gaq.push(['_trackPageview', '/outbound/tarsnap.com/scrypt.html">scrypt</a> key derivative from the user's password. This process takes quite a bit of processing time and memory. This step exists to make brute-force attempts at guessing the master password from a given output password <strong>far more difficult</strong>, to practically infeasible, even for otherwise vulnerable password strings.
</p> </p>
<code><pre> <code><pre>
key = scrypt( P, S, N, r, p, dkLen ) key = scrypt( P, S, N, r, p, dkLen )
where where
P = master password (UTF-8) P = master password
S = &lt;empty&gt; S = "com.lyndir.masterpassword" . name length . name
N = 16384 N = 32768
r = 8 r = 8
p = 1 p = 2
dkLen = 64 dkLen = 64
</pre></code> </pre></code>
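Review bot: the new salt line `S = "com.lyndir.masterpassword" . name length . name` uses a `name` that is never defined; the list of user inputs earlier on this page has only the master password, site name, counter and password type. Say what `name` is, add it to that list if the user has to remember it, and state the width of `name length` explicitly rather than leaving it to the new "A note on types". Changing S, N and p together also changes every derived key, so the page should say what happens to passwords generated with the old parameters. Separately, the `onclick` on the scrypt link has an unterminated string: `'/outbound/tarsnap.com/scrypt.html">` is missing its closing `']);`.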
@ -167,8 +174,7 @@
These input values are combined in a byte array, separated by a single <code>NUL</code> byte. In order, the input values are the <code>site name</code> (UTF-8 decoded), the master <code>key</code>, and a <code>salt</code> (this is the password counter, a 32-bit unsigned integer in network byte order). The byte array is hashed using the SHA-1 algorithm to yield the <code>seed</code> as a result. These input values are combined in a byte array, separated by a single <code>NUL</code> byte. In order, the input values are the <code>site name</code> (UTF-8 decoded), the master <code>key</code>, and a <code>salt</code> (this is the password counter, a 32-bit unsigned integer in network byte order). The byte array is hashed using the SHA-1 algorithm to yield the <code>seed</code> as a result.
</p> </p>
<code><pre> <code><pre>
salt = htonl( password counter ) seed = hmac-sha256( key, "com.lyndir.masterpassword" . site name length . site name . counter )
seed = sha1( site name . "\0" . key . "\0" . salt )
</pre></code> </pre></code>
<h2>Generating The Output</h2> <h2>Generating The Output</h2>
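Review bot: the paragraph directly above the changed `<pre>` still documents the old construction (inputs "separated by a single NUL byte", `key` as one of the hashed values, "hashed using the SHA-1 algorithm"), while the new formula is `seed = hmac-sha256( key, "com.lyndir.masterpassword" . site name length . site name . counter )`. Update the prose to match: `key` is now the HMAC key, the fields are length-prefixed rather than NUL-separated, and the hash is SHA-256. The `salt` term the paragraph explains no longer appears in the formula, which now calls it `counter`.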
@ -180,33 +186,58 @@
</p> </p>
<p> <p>
Since the idea is that the output password can be used directly as a password to protect the user's account on the site, it needs to be able to pass the site's password policy. Since the idea is that the output password can be used directly as a password to protect the user's account on the site, it needs to be able to pass the site's password policy.
Master Password addresses this problem by introducing <em>password types</em>. Each password type describes what an output password must look like and maps to a set of <code>ciphers</code>. Ciphers describe the resulting output password using a series of characters that map to character groups of candidate output characters. A cipher has the same length as the output password it yields. Each character in the cipher maps to a specific character group. At each position of the output password, a character is chosen from the character group identified by the character in the cipher at the same position. Master Password addresses this problem by introducing <em>password types</em>. Each password type describes what an output password must look like and maps to a set of <code>templates</code>. Templates describe the resulting output password using a series of characters that map to character groups of candidate output characters. A template has the same length as the output password it yields. Each character in the template maps to a specific character group. At each position of the output password, a character is chosen from the character group identified by the character in the template at the same position.
</p> </p>
<p> <p>
The following ciphers are defined: The following templates are defined:
<ul> <ul>
<li>Type: <b>Long Password</b></li> <li>Type: <strong>Maximum Security Password</strong></li>
<li> <li>
<ul> <ul>
<li><code>CvcvCvcvnoCvcv</code></li> <li><code>anoxxxxxxxxxxxxxxxxx</li></code>
<li><code>CvcvnoCvcvCvcv</code></li> <li><code>axxxxxxxxxxxxxxxxxno</li></code>
<li><code>CvcvCvcvCvcvno</code></li>
</ul> </ul>
</li> </li>
<li>Type: <b>Medium Password</b></li> <li>Type: <strong>Long Password</strong></li>
<li>
<ul>
<li><code>CvcvnoCvcvCvcv</li></code>
<li><code>CvcvCvcvnoCvcv</li></code>
<li><code>CvcvCvcvCvcvno</li></code>
<li><code>CvccnoCvcvCvcv</li></code>
<li><code>CvccCvcvnoCvcv</li></code>
<li><code>CvccCvcvCvcvno</li></code>
<li><code>CvcvnoCvccCvcv</li></code>
<li><code>CvcvCvccnoCvcv</li></code>
<li><code>CvcvCvccCvcvno</li></code>
<li><code>CvcvnoCvcvCvcc</li></code>
<li><code>CvcvCvcvnoCvcc</li></code>
<li><code>CvcvCvcvCvccno</li></code>
<li><code>CvccnoCvccCvcv</li></code>
<li><code>CvccCvccnoCvcv</li></code>
<li><code>CvccCvccCvcvno</li></code>
<li><code>CvcvnoCvccCvcc</li></code>
<li><code>CvcvCvccnoCvcc</li></code>
<li><code>CvcvCvccCvccno</li></code>
<li><code>CvccnoCvcvCvcc</li></code>
<li><code>CvccCvcvnoCvcc</li></code>
<li><code>CvccCvcvCvccno</li></code>
</ul>
</li>
<li>Type: <strong>Medium Password</strong></li>
<li> <li>
<ul> <ul>
<li><code>CvcnoCvc</code></li> <li><code>CvcnoCvc</code></li>
<li><code>CvcCvcno</code></li> <li><code>CvcCvcno</code></li>
</ul> </ul>
</li> </li>
<li>Type: <b>Short Password</b></li> <li>Type: <strong>Short Password</strong></li>
<li> <li>
<ul> <ul>
<li><code>Cvcn</code></li> <li><code>Cvcn</code></li>
</ul> </ul>
</li> </li>
<li>Type: <b>Basic Password</b></li> <li>Type: <strong>Basic Password</strong></li>
<li> <li>
<ul> <ul>
<li><code>aaanaaan</code></li> <li><code>aaanaaan</code></li>
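Review bot: the two Maximum Security templates, `anoxxxxxxxxxxxxxxxxx` and `axxxxxxxxxxxxxxxxxno`, use a lowercase `x`, but the character groups on this page define only an uppercase `X` (`= a . n . o`), so as documented `x` maps to no group. Pick one case and use it in both places. The added template `<li>` lines in this hunk also close their tags in the wrong order (`</li></code>` instead of `</code></li>`).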
@ -214,7 +245,7 @@
<li><code>aaannaaa</code></li> <li><code>aaannaaa</code></li>
</ul> </ul>
</li> </li>
<li>Type: <b>PIN</b></li> <li>Type: <strong>PIN</strong></li>
<li> <li>
<ul> <ul>
<li><code>nnnn</code></li> <li><code>nnnn</code></li>
@ -226,70 +257,70 @@
By default, Master Password uses the <em>Long Password</em> type for any new passwords. The user is able to choose a different password type, which is normally only done if the site's password policy is incompatible with the output password produced by this type. By default, Master Password uses the <em>Long Password</em> type for any new passwords. The user is able to choose a different password type, which is normally only done if the site's password policy is incompatible with the output password produced by this type.
</p> </p>
<p> <p>
To create the create the output password, the bytes in the <code>seed</code> are encoded according to the cipher. The first <code>seed</code> byte is used to determine which of the type's ciphers to use for encoding an output password. We take the byte value of the first <code>seed</code> byte modulo the amount of ciphers set for the chosen password type and use the result as a zero-based index in the cipher list for the password type. To create the create the output password, the bytes in the <code>seed</code> are encoded according to the template. The first <code>seed</code> byte is used to determine which of the type's templates to use for encoding an output password. We take the byte value of the first <code>seed</code> byte modulo the amount of templates set for the chosen password type and use the result as a zero-based index in the template list for the password type.
</p> </p>
<code><pre> <code><pre>
ciphers = [ "CvcvCvcvnoCvcv", "CvcvnoCvcvCvcv", "CvcvCvcvCvcvno" ] templates = [ "CvcvCvcvnoCvcv", "CvcvnoCvcvCvcv", "CvcvCvcvCvcvno", ... ]
cipher = ciphers[ seed[0] % count( ciphers ) ] template = templates[ seed[0] % count( templates ) ]
</pre></code> </pre></code>
<p> <p>
Now that we know what cipher to use for building our output password, all that's left is to iterate the cipher, and produce a character of password output for each step. When we iterate the cipher (index <code>i</code>), we look in the character group identified by the character (string <code>passChars</code>) in the cipher at index <code>i</code>. Now that we know what template to use for building our output password, all that's left is to iterate the template, and produce a character of password output for each step. When we iterate the template (index <code>i</code>), we look in the character group identified by the character (string <code>passChars</code>) in the template at index <code>i</code>.
</p> </p>
<p> <p>
The following character groups (<code>passChars</code>) are defined: The following character groups (<code>passChars</code>) are defined:
<ul> <ul>
<li>Cipher character: <code>V</code></li> <li>Template character: <code>V</code></li>
<li> <li>
<ul> <ul>
<li><code>AEIOU</code></li> <li><code>AEIOU</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>C</code></li> <li>Template character: <code>C</code></li>
<li> <li>
<ul> <ul>
<li><code>BCDFGHJKLMNPQRSTVWXYZ</code></li> <li><code>BCDFGHJKLMNPQRSTVWXYZ</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>v</code></li> <li>Template character: <code>v</code></li>
<li> <li>
<ul> <ul>
<li><code>aeiou</code></li> <li><code>aeiou</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>c</code></li> <li>Template character: <code>c</code></li>
<li> <li>
<ul> <ul>
<li><code>bcdfghjklmnpqrstvwxyz</code></li> <li><code>bcdfghjklmnpqrstvwxyz</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>A</code> (<code>= V . C</code>)</li> <li>Template character: <code>A</code> (<code>= V . C</code>)</li>
<li> <li>
<ul> <ul>
<li><code>AEIOUBCDFGHJKLMNPQRSTVWXYZ</code></li> <li><code>AEIOUBCDFGHJKLMNPQRSTVWXYZ</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>a</code> (<code>= V . v . C . c</code>)</li> <li>Template character: <code>a</code> (<code>= V . v . C . c</code>)</li>
<li> <li>
<ul> <ul>
<li><code>AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz</code></li> <li><code>AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>n</code></li> <li>Template character: <code>n</code></li>
<li> <li>
<ul> <ul>
<li><code>0123456789</code></li> <li><code>0123456789</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>o</code></li> <li>Template character: <code>o</code></li>
<li> <li>
<ul> <ul>
<li><code>!@#$%^&amp;*()</code></li> <li><code>@&amp;%?,=[]_:-+*$#!'^~;()/.</code></li>
</ul> </ul>
</li> </li>
<li>Cipher character: <code>X</code> (<code>= a . n . o</code>)</li> <li>Template character: <code>X</code> (<code>= a . n . o</code>)</li>
<li> <li>
<ul> <ul>
<li><code>AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&amp;*()</code></li> <li><code>AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789@&amp;%?,=[]_:-+*$#!'^~;()/.</code></li>
</ul> </ul>
</li> </li>
</ul> </ul>
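Review bot: the example `templates = [ "CvcvCvcvnoCvcv", "CvcvnoCvcvCvcv", "CvcvCvcvCvcvno", ... ]` lists the first two Long Password templates in the opposite order from the new template list earlier on the page (`CvcvnoCvcvCvcv` first, then `CvcvCvcvnoCvcv`). The template is selected by `seed[0] % count( templates )`, so list order is part of the algorithm and the two places must agree; otherwise implementations following different parts of this page derive different passwords for the same inputs. The paragraph before the example still opens with "To create the create the output password" on the new side.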

View File

@ -21,7 +21,7 @@ h1 {
font-weight: 100; font-weight: 100;
} }
strong { strong {
font-weight: 400; font-weight: 600;
} }
h1 .sub { h1 .sub {
font-size: 0.5em; font-size: 0.5em;
@ -148,7 +148,7 @@ header .divider {
header a, header .link, header :link, header a, header .link, header :link,
#fixedheader a, #fixedheader .link, #fixedheader :link { #fixedheader a, #fixedheader .link, #fixedheader :link {
font-family: Exo; font-family: Exo;
font-weight: 700; font-weight: 600;
text-decoration: none; text-decoration: none;
} }
header a:hover, header .link:hover, header a:hover, header .link:hover,

View File

@ -69,8 +69,8 @@
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" type="text/javascript"></script> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" type="text/javascript"></script>
<!-- Nivo Slider --> <!-- Nivo Slider -->
<link rel="stylesheet" href="nivo-slider.css" type="text/css" media="screen" /> <link rel="stylesheet" href="js/nivo-slider/nivo-slider.css" type="text/css" media="screen" />
<script src="jquery.nivo.slider.pack.js" type="text/javascript"></script> <script src="js/nivo-slider/jquery.nivo.slider.pack.js" type="text/javascript"></script>
<!-- Page JS --> <!-- Page JS -->
<script type="text/javascript"> <script type="text/javascript">
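Review bot: the jQuery include at the top of this hunk is fetched from `http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js` over plain HTTP, so anyone on the network path can alter the script that runs on the product's front page. While the Nivo Slider files are being moved under `js/nivo-slider/`, switch this include to `https://` or serve jQuery from `js/` as well.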
@ -89,10 +89,10 @@
</head> </head>
<body id="frontpage"> <body id="frontpage">
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore.png" /></a>
<header> <header>
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore.png" /></a>
<h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1> <h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1>
<div class="divider"></div> <div class="divider"></div>
@ -138,7 +138,7 @@
<p>&nbsp;</p> <p>&nbsp;</p>
<p><b>Master Password is a <em>stateless solution</em></b>, which means <strong>your passwords aren't saved <em>anywhere</em></strong>. Not in your head, not in a notebook, not on your computer and not in the cloud.<br /> <p><strong>Master Password is a <em>stateless solution</em></strong>, which means <strong>your passwords aren't saved <em>anywhere</em></strong>. Not in your head, not in a notebook, not on your computer and not in the cloud.<br />
Nothing to store means nothing to keep safe and nothing to lose.</p> Nothing to store means nothing to keep safe and nothing to lose.</p>
<p>Master Password just recreates the passwords for your sites whenever you need them: instantly and on-demand. At the same time it makes sure that your accounts are adequately protected with <em>secure and unique</em> passwords.</p> <p>Master Password just recreates the passwords for your sites whenever you need them: instantly and on-demand. At the same time it makes sure that your accounts are adequately protected with <em>secure and unique</em> passwords.</p>
@ -146,11 +146,11 @@
</section--> </section-->
<section> <section>
<p>Master Password is <b>different</b> from other vault-like password solutions. It helps you set <b>secure passwords</b> for your sites, and at the same time makes <b>losing your passwords almost impossible</b>.</p> <p>Master Password is <strong>different</strong> from other vault-like password solutions. It helps you set <strong>secure passwords</strong> for your sites, and at the same time makes <strong>losing your passwords almost impossible</strong>.</p>
<p>Built on algorithms such as <a href="http://www.bsdcan.org/2009/schedule/events/147.en.html">scrypt</a> and <a href="http://en.wikipedia.org/wiki/HMAC">HMAC-SHA256</a>, your master password is kept safe even if websites you use get hacked.</p> <p>Built on algorithms such as <a href="http://www.bsdcan.org/2009/schedule/events/147.en.html">scrypt</a> and <a href="http://en.wikipedia.org/wiki/HMAC">HMAC-SHA256</a>, your master password is kept safe even if websites you use get hacked.</p>
<p>As to prove a point, <a href="http://www.washingtonpost.com/business/technology/linkedin-eharmony-deal-with-breach-aftermath/2012/06/07/gJQAwqs5KV_story.html"><b>LinkedIn</b>, <b>eHarmony</b></a>, and <a href="http://securitywatch.pcmag.com/none/298865-last-fm-joins-eharmony-linkedin-to-celebrate-breach-week"><b>Last.FM</b></a> have announced breaches that compromise millions of passwords in the past month alone. These breaches have leaked "<em>hashes</em>" of people's passwords, which make it trivial for attackers to find out the actual passwords <em>if they're not secure enough</em>.</p> <p>As to prove a point, <a href="http://www.washingtonpost.com/business/technology/linkedin-eharmony-deal-with-breach-aftermath/2012/06/07/gJQAwqs5KV_story.html"><strong>LinkedIn</strong>, <strong>eHarmony</strong></a>, and <a href="http://securitywatch.pcmag.com/none/298865-last-fm-joins-eharmony-linkedin-to-celebrate-breach-week"><strong>Last.FM</strong></a> have announced breaches that compromise millions of passwords in the past month alone. These breaches have leaked "<em>hashes</em>" of people's passwords, which make it trivial for attackers to find out the actual passwords <em>if they're not secure enough</em>.</p>
<hr class="clear" /> <hr class="clear" />
<!--p> <!--p>

View File

@ -31,13 +31,13 @@
<body> <body>
<header> <header>
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore.png" /></a>
<h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1> <h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1>
<div class="divider"></div> <div class="divider"></div>
</header> </header>
<div id="fixedheader"> <div id="fixedheader">
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore-small.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore-small.png" /></a>
<h2><a href="index.html">Master Password</a></h2> <h2><a href="index.html">Master Password</a></h2>
</div> </div>
<!--a href="http://bit.ly/vNN5Zi" onclick="_gaq.push(['_trackPageview', '/outbound/testflight']);" id="ribbon"></a--> <!--a href="http://bit.ly/vNN5Zi" onclick="_gaq.push(['_trackPageview', '/outbound/testflight']);" id="ribbon"></a-->

View File

@ -85,10 +85,10 @@
</script> </script>
</head> </head>
<body> <body>
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore.png" /></a>
<header> <header>
<a class="appstore" href="http://itunes.com/apps/MasterPassword"><img src="img/appstore.png" /></a> <a class="appstore" href="http://itunes.apple.com/app/id510296984"><img src="img/appstore.png" /></a>
<h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1> <h1><a href="index.html"><img class="logo" src="img/iTunesArtwork-Bare.png" /> Master Password</a></h1>
<div class="divider"></div> <div class="divider"></div>