The following is an overview of the security properties of the Master Password solution. It aims to answer all questions related to the strengths and weaknesses of the algorithm behind Master Password. If you have any unanswered questions after reading this page, don't hesitate to get in touch.
+We'll begin with a prelude to account security. If you are interested specifically about Master Password, you can skip right ahead to the next section.
@@ -138,8 +165,8 @@ How hard is it for an attacker to get to all my passwords by attacking my password app? -by generating passwords for you with extremely high entropy. We've found that humans are exceedingly bad at coming up with good passwords, especially when they need a new one every week for a new site they sign up with. Master Password therefore takes the guesswork out of it and generates high-entropy, memorable passwords. High entropy means that when a hacker obtains all of LinkedIn's password hashes again, they won't be able to brute-force your real LinkedIn password from it.
If you used an evenly distributed custom 8-character alphanumeric password (p4sSw0rD doesn't count), it would only take a powerful attacker 1.7 days to brute-force your password from a leaked hash. If you used Master Password's default Long Password instead, it would take that same attacker 1.4 years of non-stop focus on your password, assuming they already know you used Master Password. If they don't,
@@ -147,8 +174,8 @@
through careful selection of strong cryptographic algorithms to counter all known attack vectors. It took quite a bit of research and tweaking to get a solid algorithm that adequately deals with any attack vectors known to specialists. Getting cryptography right isn't a simple matter of doing some encryption of your hashing. Algorithms should be as simple as possible, because each aspect of complexity introduces new attack vectors, and simple algorithms are easier to evaluate and trust.
A solution like Master Password needs to strengthen itself against a few different types of attacks, many of which are not immediately obvious. Master Password has been hardened to defeat:
are defeated by deriving a very long (64-byte) master key from the user's master password. As a result, brute-force attacks that aim to guess the master key used to compute a site's password would take up to 137983530581000001620252739433368710545408 years to find the right master key.
+are defeated through the use of resource-intensive scrypt-based key derivation which makes this attack a few million times harder to execute than an ordinary brute-force attack. Thanks to this defence, it would take 560 years to discover a 6-character alphanumeric master password.
+are mitigated by selecting hashing functions that have no known length extension attack vectors, concatenating their inputs in careful ordering and delimiting them with field-length prefixes.
+are mitigated through the introduction of a unique salt to each person's master key derivation process. Since we need a solution that remains stateless, we can't use a blob of secure random data as the salt. We've instead opted to use the user's full name to seed the key derivation. Even though there are some people with the exact same full name, the fact that there's so many possible full name combinations makes the effort to construct an expensive rainbow table for each name entirely invaluable.
-is especially important in the world of cryptography. Computers are getting ever more powerful and new attack vectors are found. To protect the algorithm against factors we don't yet know about, we've ensured that the security guarantees are sufficiently excessive such that if they're weakened in the future, there'll likely remain sufficiently strong to not be broken. We've employed defensive algorithms that perform operations in moderate excess of the bare minimum we'd need but are known to provide extra mitigation facilities against possible weaknesses in, for example, the hash functions in use. For example, we've chosen to use HMAC-SHA-256 as opposed to simply SHA-256, even though the latter has no known attack vectors today. If in the future a length extension attack or similar is found against this algorithm that might weaken our use of it, it is likely that the HMAC component will defeat such an attack.
Regardless of how strong a solution is, all that strength can be easily defeated by misplaced or violated trust. If you're looking for a security product, you will need to trust something but it is important that you carefully consider and minimize that trust. Some prefer to put their trust in large organizations with a track record. Some prefer to put it in secret algorithms they aren't even allowed to evaluate themselves.
-is the result of transparency. Which is why we've made our algorithm open, published it on our website, described it in full and exposed it to cryptographic experts. We've also made our applications that implement it open-source so that you can see how they work and even bypass our binary distributions and instead install them from source.
-you need to trust by implementing a completely stateless solution that requires no storage (you don't need to trust your hard disk or hardware), requires no backups or syncing (you don't need to trust that all your passwords are safely backed up and synced across your devices so they're actually available to you), requires no cloud services (you don't need to trust that your Internet connection is safe, or a cloud provider won't lose your data or secretly send it to your or a foreign government).
Loss is another one of those points that are very often overlooked. It's as though the implicit assumptions are that everybody backs all of their stuff up to at least two different devices and backups in the cloud in at least two separate countries. Well, people don't always have perfect backups. In fact, they usually don't have any.
So what happens when you drop your phone in the toilet, spill your coffee on your laptop, or worse, your kid drops a candle into the arts and crafts box and sets the house alight? You lose everything. You lose your own identity.
-to data loss. And what better a way to fight data loss than by using no data at all? Master Password is a stateless solution, which means that its passwords are a result of only the things you can remember. Additionally, it minimizes the things you need to remember to little more than your own name, the site you want to use and one password (to rule them all).
When all is lost, you just need to open up Master Password, be it on a brand new computer, or a friend's iPhone, and you can just add your name and site back to it. Your passwords will re-appear "out of thin air".
@@ -217,11 +244,10 @@All your sites should be equally well protected, each of them with unique passwords and you need to remain ever encouraged to keep it that way.
-in various ways. It tries to minimize the time it takes to get to the password you need. It generates easily memorable and typeable passwords to facilitate their usage. It removes the need for you to take the time to think of strong passwords by doing it for you. You can copy-paste the password to avoid having to type it in manually. And we're constantly thinking of more ways to speed things up.
-Whenever choices are made, they come with trade-offs. We'll highlight the trade-offs involved with using Master Password, why we feel the benefits outweigh them and how.
+So what are the trade-offs with the Master Password solution?
+This trade-off is a direct result of the desire to create a stateless solution which is immune to data loss. The solution relies entirely on the master password you can remember, which means that the only point of failure is now entirely under your control.
+The Master Password application however functions as a hybrid password manager, implementing both the Master Password algorithm and a vault-like password solution. In the second mode, Master Password uses your master key to encrypt custom passwords and store the encrypted result in a vault. Since we use the master key for this process, the result is a vault that is much harder to break into than that used by many other vault-based password solutions (specifically + because the encryption key is a 64-byte key derived from your master pasword using scrypt key derivation). As a result, this trade-off has been mitigated.
+This decision has been made in the interest of password recovery after a total loss scenario. Recovering the correct password for sites that use such custom templates would be extra difficult, since now you're forced to recall the specific custom template you drafted for this site. This problem becomes more difficult the more sites you've made custom templates for.
+As a partial mitigation of this trade-off, we've created a set of password templates designed to cover nearly all use cases. The default template should work on nearly all websites. When this template fails, it's usually because the site imposes a low maximum-password-length restriction. This type of restriction is a serious red flag which almost always indicates a sloppy security implementation on their end. When you encounter it, you should + contact the website administrator and demand an explanation (it's your security!). Usually, the explanation involves database-imposed limitations which mean they're storing your password in clear text, and you should be extremely wary about your continued use of this website.
+A vault-based password manager is often considered two-factor, since it relies on your vault password as well as access to your vault file. Most security experts disagree, however. To be truly multi-factor, the security factors should come from separate categories:
+When two factors are derived from the same category, they don't really add a significant extra hurdle for the attacker to overcome. An attacker could steal your master password by installing a key-logger on your computer. But at that point he's probably also already copied your vault file.
+Additionally, the weaker link with using a password-based authentication method is the password itself. Irrespective of how many truly distinct security factors you've used to obtain your password, your actual act of authentication involves sending a single password to the remote party, which means your actual authentication remains only one-factor secure.
+So while Master Password is indeed a one-factor authentication solution, we don't aim or pretend to be anything more than that since the reality is that it's not truly possible when you're just doing password authentication.
+We've explained all the important factors in which password managers can and should protect the security of your private information. We've also clarified in which ways Master Password deals with each of these factors and backed these clarifications with numbers and reasoning.