skylab/MasterPassword
2
0
Fork 0
Code Releases Activity

Security page improvements.

Browse Source 
[ADDED]     Table of contents.
[FIXED]     Inline header style fixes.
[ADDED]     Trade-offs.
This commit is contained in:
Maarten Billemont 2014-02-09 17:57:20 -05:00
parent f9da568bfd
commit f57415a08b
2 changed files with 112 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Site/2013-05/css/main.css
View File

@ -18,6 +18,17 @@ nav {
h1, h2, h3, h4 {
margin-top: 1em;
}
/*
*[id]::before {
position: relative;
content: "";
display: block;
height: 60px;
width: 5px;
background: red;
margin-top: -60px;
}
*/
section {
padding: 1ex 0;
@ -46,7 +57,7 @@ section {
margin-left: -2em;
padding-left: 3em;
}
h3.inline {
h2.inline, h3.inline, h4.inline {
display: inline-block;
line-height: inherit;
}

123
Site/2013-05/security.html
View File

@ -72,6 +72,33 @@
<p>The following is an overview of the security properties of the Master Password solution. It aims to answer all questions related to the strengths and weaknesses of the algorithm behind Master Password. If you have any unanswered questions after reading this page, don't hesitate to <a href="support.html">get in touch</a>.</p>
<ol>
<li><a href="#prelude">How do I keep my accounts secure?</a>
<ol>
<li>Well Placed Trust</li>
<li>Adequate Protection</li>
<li>Secure Channels</li>
</ol>
</li>
<li><a href="#about">What Does Master Password Give Me?</a>
<ol>
<li><a href="#strength">STRENGTH: Why Is Master Password Strong?</a></li>
<li><a href="#trust">TRUST: Why Should I Trust Master Password?</a></li>
<li><a href="#loss">LOSS: Can I Lose Everything?</a></li>
<li><a href="#usability">USABILITY: I Don't Really Need A Secure Facebook...</a></li>
</ol>
</li>
<li><a href="#how">How Does It Manage To Do All That?</a>
<ol>
<li>To Be Stateless</li>
<li>To Be Strong</li>
</ol>
</li>
<li><a href="#tradeoffs">What Are Master Password's Trade-Offs?</a></li>
<li><a href="#conclusion">Conclusion</a></li>
<li><a href="#finalnote">A Final Note On Security</a></li>
</ol>
<div class="thumb clearfix">
<p>We'll begin with a prelude to account security. If you are interested specifically about Master Password, you can <a href="#about">skip right ahead to the next section</a>.</p>
@ -138,8 +165,8 @@
How hard is it for an attacker to get to all my passwords by attacking my password app?</li>
</ol>
<p><h3 class="inline">Master Password solves the <em>strong passwords</em> problem</h3>
by generating passwords for you with extremely high entropy. We've found that humans are exceedingly bad at coming up with good passwords, especially when they need a new one every week for a new site they sign up with. Master Password therefore takes the guesswork out of it and generates high-entropy, memorable passwords. High entropy means that when a hacker obtains all of <a
<h3 class="inline">Master Password solves the <em>strong passwords</em> problem</h3>
<p>by generating passwords for you with extremely high entropy. We've found that humans are exceedingly bad at coming up with good passwords, especially when they need a new one every week for a new site they sign up with. Master Password therefore takes the guesswork out of it and generates high-entropy, memorable passwords. High entropy means that when a hacker obtains all of <a
href="http://www.washingtonpost.com/business/technology/linkedin-eharmony-deal-with-breach-aftermath/2012/06/07/gJQAwqs5KV_story.html">LinkedIn's password hashes</a>
again, they won't be able to brute-force your real LinkedIn password from it.</p>
<p>If you used an evenly distributed custom 8-character alphanumeric password (<code>p4sSw0rD</code> doesn't count), it would only take a powerful attacker <em>1.7 days</em> to brute-force your password from a leaked hash. If you used Master Password's default <em>Long Password</em> instead, it would take that same attacker <em>1.4 years</em> of non-stop focus on your password, assuming they already know you used Master Password. If they don't,
@ -147,8 +174,8 @@
</div>
<div class="hlvl">
<p><h3 class="inline">Master Password solves the <em>strong cryptography</em> problem</h3>
through careful selection of strong cryptographic algorithms to counter all known attack vectors. It took quite a bit of research and tweaking to get a solid algorithm that adequately deals with any attack vectors known to specialists. Getting cryptography right isn't a simple matter of doing some encryption of your hashing. Algorithms should be as simple as possible, because each aspect of complexity introduces new attack vectors, and simple algorithms are
<h3 class="inline">Master Password solves the <em>strong cryptography</em> problem</h3>
<p>through careful selection of strong cryptographic algorithms to counter all known attack vectors. It took quite a bit of research and tweaking to get a solid algorithm that adequately deals with any attack vectors known to specialists. Getting cryptography right isn't a simple matter of doing some encryption of your hashing. Algorithms should be as simple as possible, because each aspect of complexity introduces new attack vectors, and simple algorithms are
easier to evaluate and trust.</p>
<p>A solution like Master Password needs to strengthen itself against a few different types of attacks, many of which are not immediately obvious. Master Password has been hardened to defeat:</p>
<ol>
@ -159,17 +186,17 @@
<li>Future-proofing by considering more powerful computers and as yet unknown weaknesses in hashing algorithms.</li>
</ol>
<p><h4>Brute-force attacks against the master key</h4>
are defeated by deriving a very long (64-byte) master key from the user's master password. As a result, brute-force attacks that aim to guess the master key used to compute a site's password would take up to <em>137983530581000001620252739433368710545408 years</em> to find the right master key.</p>
<p><h4>Brute-force attacks against the user's master password</h4>
are defeated through the use of resource-intensive <em>scrypt</em>-based key derivation which makes this attack a few million times harder to execute than an ordinary brute-force attack. Thanks to this defence, it would take <em>560 years</em> to discover a 6-character alphanumeric master password.</p>
<p><h4>Length extension attacks against the hash functions</h4>
are mitigated by selecting hashing functions that have no known length extension attack vectors, concatenating their inputs in careful ordering and delimiting them with field-length prefixes.</p>
<p><h4>Rainbow table attacks against the master password</h4>
are mitigated through the introduction of a unique salt to each person's master key derivation process. Since we need a solution that remains stateless, we can't use a blob of secure random data as the salt. We've instead opted to use the user's full name to seed the key derivation. Even though there are some people with the exact same full name, the fact that there's so many possible full name combinations makes the effort to construct an expensive rainbow
<h4 class="inline">Brute-force attacks against the master key</h4>
<p>are defeated by deriving a very long (64-byte) master key from the user's master password. As a result, brute-force attacks that aim to guess the master key used to compute a site's password would take up to <em>137983530581000001620252739433368710545408 years</em> to find the right master key.</p>
<h4 class="inline">Brute-force attacks against the user's master password</h4>
<p>are defeated through the use of resource-intensive <em>scrypt</em>-based key derivation which makes this attack a few million times harder to execute than an ordinary brute-force attack. Thanks to this defence, it would take <em>560 years</em> to discover a 6-character alphanumeric master password.</p>
<h4 class="inline">Length extension attacks against the hash functions</h4>
<p>are mitigated by selecting hashing functions that have no known length extension attack vectors, concatenating their inputs in careful ordering and delimiting them with field-length prefixes.</p>
<h4 class="inline">Rainbow table attacks against the master password</h4>
<p>are mitigated through the introduction of a unique salt to each person's master key derivation process. Since we need a solution that remains stateless, we can't use a blob of secure random data as the salt. We've instead opted to use the user's full name to seed the key derivation. Even though there are some people with the exact same full name, the fact that there's so many possible full name combinations makes the effort to construct an expensive rainbow
table for each name entirely invaluable.</p>
<p><h4>Future-proofing by considering more powerful computers and as yet unknown weaknesses in hashing algorithms</h4>
is especially important in the world of cryptography. Computers are getting ever more powerful and new attack vectors are found. To protect the algorithm against factors we don't yet know about, we've ensured that the security guarantees are sufficiently excessive such that if they're weakened in the future, there'll likely remain sufficiently strong to not be broken. We've employed defensive algorithms that perform operations in moderate excess of the
<h4 class="inline">Future-proofing by considering more powerful computers and as yet unknown weaknesses in hashing algorithms</h4>
<p>is especially important in the world of cryptography. Computers are getting ever more powerful and new attack vectors are found. To protect the algorithm against factors we don't yet know about, we've ensured that the security guarantees are sufficiently excessive such that if they're weakened in the future, there'll likely remain sufficiently strong to not be broken. We've employed defensive algorithms that perform operations in moderate excess of the
bare minimum we'd need but are known to provide extra mitigation facilities against possible weaknesses in, for example, the hash functions in use. For example, we've chosen to use <em>HMAC-SHA-256</em> as opposed to simply <em>SHA-256</em>, even though the latter has no known attack vectors today. If in the future a length extension attack or similar is found against this algorithm that might weaken our use of it, it is likely that the HMAC component
will defeat such an attack.</p>
</div>
@ -182,11 +209,11 @@
<h2 id="trust">TRUST: Why Should I Trust Master Password?</h2>
<p>Regardless of how strong a solution is, all that strength can be easily defeated by misplaced or violated trust. If you're looking for a security product, you <strong>will need to trust something</strong> but it is important that you carefully consider and minimize that trust. Some prefer to put their trust in large organizations with a track record. Some prefer to put it in secret algorithms they aren't even allowed to evaluate themselves.</p>
<p><h3 class="inline">At Master Password we've decided that real trust</h3>
is the result of <strong>transparency</strong>. Which is why we've made our algorithm open, published it on our website, described it in full and exposed it to cryptographic experts. We've also made our applications that implement it open-source so that you can see how they work and even bypass our binary distributions and instead install them from source.</p>
<h3 class="inline">At Master Password we've decided that real trust</h3>
<p>is the result of <strong>transparency</strong>. Which is why we've made our algorithm open, published it on our website, described it in full and exposed it to cryptographic experts. We've also made our applications that implement it open-source so that you can see how they work and even bypass our binary distributions and instead install them from source.</p>
<p><h3 class="inline">Master Password minimizes the parties</h3>
you need to trust by implementing a completely stateless solution that requires <em>no storage</em> (you don't need to trust your hard disk or hardware), requires <em>no backups or syncing</em> (you don't need to trust that all your passwords are safely backed up and synced across your devices so they're actually available to you), requires <em>no cloud services</em> (you don't need to trust that your Internet connection is safe, or a cloud provider won't lose your
<h3 class="inline">Master Password minimizes the parties</h3>
<p>you need to trust by implementing a completely stateless solution that requires <em>no storage</em> (you don't need to trust your hard disk or hardware), requires <em>no backups or syncing</em> (you don't need to trust that all your passwords are safely backed up and synced across your devices so they're actually available to you), requires <em>no cloud services</em> (you don't need to trust that your Internet connection is safe, or a cloud provider won't lose your
data or <a href="http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data">secretly send it to your or a foreign government</a>).
<h3>Trust is the most common failure point.</h3>
@ -199,8 +226,8 @@
<p>Loss is another one of those points that are very often overlooked. It's as though the implicit assumptions are that everybody backs all of their stuff up to at least two different devices and backups in the cloud in at least two separate countries. Well, <strong>people don't always have perfect backups</strong>. In fact, they usually don't have <em>any</em>.</p>
<p>So what happens when you drop your phone in the toilet, spill your coffee on your laptop, or worse, your kid drops a candle into the arts and crafts box and sets the house alight? You lose everything. <strong>You lose your own identity</strong>.</p>
<p><h3 class="inline">Master Password is engineered to be immune</h3>
to data loss. And what better a way to fight data loss than by using <em>no data at all</em>? Master Password is a stateless solution, which means that its passwords are a result of only the things you can remember. Additionally, it minimizes the things you need to remember to little more than your own name, the site you want to use and one password (to rule them all).</p>
<h3 class="inline">Master Password is engineered to be immune</h3>
<p>to data loss. And what better a way to fight data loss than by using <em>no data at all</em>? Master Password is a stateless solution, which means that its passwords are a result of only the things you can remember. Additionally, it minimizes the things you need to remember to little more than your own name, the site you want to use and one password (to rule them all).</p>
<p>When all is lost, you just need to open up Master Password, be it on a brand new computer, or a friend's iPhone, and you can just add your name and site back to it. Your passwords will re-appear "out of thin air".</p>
@ -217,11 +244,10 @@
<p>All your sites should be <strong>equally well protected</strong>, each of them with <strong>unique passwords</strong> and you need to remain ever encouraged to keep it that way.</p>
<p><h3 class="inline">Master Password makes it easier on you</h3>
in various ways. It tries to minimize the time it takes to get to the password you need. It generates easily memorable and typeable passwords to facilitate their usage. It removes the need for you to take the time to think of strong passwords by doing it for you. You can copy-paste the password to avoid having to type it in manually. And we're constantly thinking of more ways to speed things up.</p>
<h3 class="inline">Master Password makes it easier on you</h3>
<p>in various ways. It tries to minimize the time it takes to get to the password you need. It generates easily memorable and typeable passwords to facilitate their usage. It removes the need for you to take the time to think of strong passwords by doing it for you. You can copy-paste the password to avoid having to type it in manually. And we're constantly thinking of more ways to speed things up.</p>
</div>
</div>
</div>
<div class="thumb clearfix">
@ -307,6 +333,57 @@
</div>
</div>
<div class="thumb clearfix">
<h1 id="tradeoffs">What Are Master Password's Trade-Offs?</h1>
<p>Whenever choices are made, they come with trade-offs. We'll highlight the trade-offs involved with using Master Password, why we feel the benefits outweigh them and how.</p>
<p>So what are the trade-offs with the Master Password solution?</p>
<div class="hlvl">
<ol>
<li>You cannot change your master password without also changing all your site passwords.</li>
<li>You cannot "generate" your own custom passwords.</li>
<li>You cannot freely build your password template.</li>
<li>This is only a one-factor solution (something you know).</li>
</ol>
<div class="hlvl">
<p><h2 class="inline">Changing your master password</h2>
results in all your site passwords to change, since they are the mathematical result of your master key, which in turn is a mathematical result of your master password. That means, if somebody learns your master password, you'll need to reset all your site passwords to new ones. It also means the solution is incompatible with "password recovery". It is your responsibility to think of a good and memorable master password, and more importantly,
<em>ensure that nobody learns your master password</em>. If you chose to share it anyway (say, with your spouse), you should do so in full expectation that you'll need to change all your sites' passwords if your trust relationship with them degrades.</p>
<p>This trade-off is a direct result of the desire to create a stateless solution which is immune to data loss. The solution relies entirely on the master password you can remember, which means that <strong>the only point of failure is now entirely under your control</strong>.</p>
</div>
<div class="hlvl">
<p><h2 class="inline">Custom passwords</h2>
are sometimes still a necessity. You may want to store a password you've been using for a long time in your manager, or your boss may have set an unchangable password on your computer for you to use. Since Master Password's passwords are a mathematical result of your unchanging master password, it is impossible for it to be used with passwords that are created via another way.</p>
<p>The Master Password application however <em>functions as a hybrid password manager, implementing both the Master Password algorithm and a vault-like password solution</em>. In the second mode, Master Password uses your master key to encrypt custom passwords and store the encrypted result in a vault. Since we use the master key for this process, the result is a vault that is much harder to break into than that used by many other vault-based password solutions (specifically
because the encryption key is a 64-byte key derived from your master pasword using scrypt key derivation). As a result, <strong>this trade-off has been mitigated</strong>.</p>
</div>
<div class="hlvl">
<p><h2 class="inline">Password templates</h2>
are the presets that tell Master Password what your final password should look like. They specify where to put the letters, numbers or other characters. We've made the decision to only provide a set of template presets rather than allowing users to determine their own templates to use for a site. As a result, you cannot chose to design your own custom template, such as, "a 6-digit password that starts with a lower-case letter".</p>
<p>This decision has been made in the interest of password recovery after a total loss scenario. Recovering the correct password for sites that use such custom templates would be extra difficult, since now you're forced to recall the specific custom template you drafted for this site. This problem becomes more difficult the more sites you've made custom templates for.</p>
<p>As a partial mitigation of this trade-off, <strong>we've created a set of password templates designed to cover nearly all use cases</strong>. The default template should work on nearly all websites. When this template fails, it's usually because the site imposes a low maximum-password-length restriction. This type of restriction is a <em>serious red flag</em> which almost always indicates a sloppy security implementation on their end. When you encounter it, you <em>should</em>
contact the website administrator and demand an explanation (it's <em>your</em> security!). Usually, the explanation involves database-imposed limitations which mean they're storing your password in clear text, and you should be extremely wary about your continued use of this website.</p>
</div>
<div class="hlvl">
<p><h2 class="inline">A one-factor solution</h2>
is an authentication solution that requires only one factor of security. Master Password is a one-factor solution since its security relies solely on "something you know". That means, if somebody steals your master password, that's all they need to gain access to your sites. The alternative is usually a two-factor solution which relies on two distinct security factors, such as "something you know" and "something you have". Now, when somebody's obtained
the "something you know", they'll still need to obtain the "something you have" before they can break in. The most popular example of a two-factor solution is a bank card: Your PIN number is the secret you know, but with the PIN alone a thief can't get to your money. They'll need to first steal your card as well.</p>
<p>A vault-based password manager is often considered two-factor, since it relies on your vault password as well as access to your vault file. <em>Most security experts disagree, however</em>. To be truly multi-factor, the security factors should come from separate categories:</p>
<ul>
<li><strong>Knowledge factors</strong>: passwords, keyfiles, other secret data or information</li>
<li><strong>Possession factors</strong>: physical tokens, smart cards</li>
<li><strong>Inherence factors</strong>: biometrics</li>
</ul>
<p>When two factors are derived from the same category, they don't really add a significant extra hurdle for the attacker to overcome. An attacker could steal your master password by installing a key-logger on your computer. But at that point he's probably also already copied your vault file.</p>
<p>Additionally, the weaker link with using a password-based authentication method is the password itself. Irrespective of how many truly distinct security factors you've used to obtain your password, your actual act of authentication involves sending a single password to the remote party, which means your actual authentication remains only one-factor secure.</p>
<p>So while Master Password is indeed a one-factor authentication solution, we don't aim or pretend to be anything more than that since the reality is that <strong>it's not truly possible when you're just doing password authentication</strong>.</p>
</div>
</div>
</div>
<div class="thumb clearfix">
<h1 id="conclusion">Conclusion</h1>
<p>We've explained all the important factors in which password managers can and should protect the security of your private information. We've also clarified in which ways Master Password deals with each of these factors and backed these clarifications with numbers and reasoning.</p>