Security Overview

The following is an overview of the security properties of the Master Password solution. It aims to answer all questions related to the strengths and weaknesses of the algorithm behind Master Password. If you have any unanswered questions after reading this page, don't hesitate to get in touch.

  1. How do I keep my accounts secure?
    1. Well Placed Trust
    2. Adequate Protection
    3. Secure Channels
  2. What Does Master Password Give Me?
    1. STRENGTH: Why Is Master Password Strong?
    2. TRUST: Why Should I Trust Master Password?
    3. LOSS: Can I Lose Everything?
    4. USABILITY: I Don't Really Need A Secure Facebook...
  3. How Does It Manage To Do All That?
    1. To Be Stateless
    2. To Be Strong
  4. What Are Master Password's Trade-Offs?
  5. Conclusion
  6. A Final Note On Security

We'll begin with a prelude to account security. If you are interested specifically about Master Password, you can skip right ahead to the next section.

How do I keep my accounts secure?

Security is a tough subject, and yet we all need it. Knowledge about good security practices should not be limited to professionals: we all have to protect our privacy and keep our identities from getting abused.

Security doesn't need to be tough. It can just be common sense. We all know to lock our houses at night or cars in the parking lot. We all teach our children to buckle up in the car and not to blindly trust strangers. It's time to learn some common sense on digital security.

Let's dive in. What do you really need to keep your accounts and information secure?

  1. Well placed trust: every website you put information on can willfully or accidentally betray that trust.
  2. Adequate protection: websites assume that only you know your password. You need to ensure that remains true.
  3. Secure channels: contrary to how it appears, on the Internet you are never alone unless you are on a secure channel.

Well Placed Trust

The security of your account with a website is mostly in the hands of that website's care takers. Regardless of how strong your passwords are, sloppy administration on their end means attackers might be able to bypass your password or simply copy it from of their database. Websites should store passwords as uniquely salted hashes and you should insist that they do, for your protection.

It is also imperative that you use unique passwords for each site. It will prevent hackers or a rogue site administrator from secretly trying to steal your identity by using your password of one site to get into your other sites. Unique passwords are your only weapon against mistakes made by website owners.

Also be careful with what information you share and whether you truly feel that information is safe in the hands of a person or company you may not know as well as you think you do, or may not be as trustworthy as you feel they should be.

Adequate Protection

Passwords are a very sub-par protection measure, but they're the most convenient and wide-spread authentication method in use. A password is a secret "word" shared between you and the other end which is meant to convince them that you are who you say you are. They only work if you and they are the only ones who know that "word". Which means, passwords should be unguessable and they should not be shared with any person or any other site.

Secure Channels

The Internet is a very alien place to most of us. We are used to the real world where we know what's around us and we know who can hear us when we speak. These assumptions do not hold true on the Internet. Most of what you'll do on the Internet may feel like an interaction between you and a website, while in reality everything you say and do is recorded on hundreds of computers and possibly listened in on by many individuals hidden to you.

It is therefore essential that while on the Internet, you behave like you would in a public space, say a market square or cafe. Only when you are on a secure channel, such as an HTTPS website, should you feel safe to share private information. Before you type anything in on a website that you don't want to shout out in a market square (that includes passwords!), check whether your channel is secure and whether you trust the website to keep it private.

What Does Master Password Give Me?

What do you need from passwords? You need security. Security is an extremely vague term, and excessively over-used in marketing material. Terms such as encryption, military-strength, and so on are used freely without context. As a customer, it is now your responsibility to put these terms into context and evaluate how well a solution really helps with the safety of your private data.

How do you properly evaluate the security of a product? Investigate what kind of security the product really gives you. There are a few key points on which you should evaluate security:

  1. STRENGTH: How well does it protect against increasingly creative attackers? How easy is it to get in?
  2. TRUST: How much trust do you need to dish out? How many points of failure are there to this trust?
  3. LOSS: How safe are you from locking yourself out? What happens when your hardware breaks or your house burns down?
  4. USABILITY: How easy is it to use this product? How likely are you to bypass it for convenience?

In summary: Master Password aims to solve each of these security problems rather than just focussing on one. It gives you unique strong passwords for each site that are also easy to use, generated in a way that makes them immune to data loss, completely independent from any third parties using an algorithm hardened against any known attack vector.

STRENGTH: Why Is Master Password Strong?

The first point is pretty obvious, we want to keep malicious people out. Unfortunately, these people are getting increasingly more creative and are targeting as many people as they possibly can. In the next few years, you will become the target of somebody's attack, most likely more than once. News reports of millions of people's accounts having been put at risk are becoming ever more frequent.

When we evaluate the strength of a password solution, there are two important aspects that we need to consider:

  1. STRONG PASSWORDS: How hard is it for an attacker to get into one of my web accounts protected by these passwords?
  2. STRONG CRYPTOGRAPHY: How hard is it for an attacker to get to all my passwords by attacking my password app?

Master Password solves the strong passwords problem

by generating passwords for you with extremely high entropy. We've found that humans are exceedingly bad at coming up with good passwords, especially when they need a new one every week for a new site they sign up with. Master Password therefore takes the guesswork out of it and generates high-entropy, memorable passwords. High entropy means that when a hacker obtains all of LinkedIn's password hashes again, they won't be able to brute-force your real LinkedIn password from it.

If you used an evenly distributed custom 8-character alphanumeric password (p4sSw0rD doesn't count), it would only take a powerful attacker 1.7 days to brute-force your password from a leaked hash. If you used Master Password's default Long Password instead, it would take that same attacker 1.4 years of non-stop focus on your password, assuming they already know you used Master Password. If they don't, that time goes up to 26 billion years. If you used Master Password's Maximum Security type, it would take up to 422460722753999994880 years.

Master Password solves the strong cryptography problem

through careful selection of strong cryptographic algorithms to counter all known attack vectors. It took quite a bit of research and tweaking to get a solid algorithm that adequately deals with any attack vectors known to specialists. Getting cryptography right isn't a simple matter of doing some encryption of your hashing. Algorithms should be as simple as possible, because each aspect of complexity introduces new attack vectors, and simple algorithms are easier to evaluate and trust.

A solution like Master Password needs to strengthen itself against a few different types of attacks, many of which are not immediately obvious. Master Password has been hardened to defeat:

  1. Brute-force attacks against the master key.
  2. Brute-force attacks against the user's master password.
  3. Length extension attacks against the hash functions.
  4. Rainbow table attacks against the master password.
  5. Future-proofing by considering more powerful computers and as yet unknown weaknesses in hashing algorithms.

Brute-force attacks against the master key

are defeated by deriving a very long (64-byte) master key from the user's master password. As a result, brute-force attacks that aim to guess the master key used to compute a site's password would take up to 137983530581000001620252739433368710545408 years to find the right master key.

Brute-force attacks against the user's master password

are defeated through the use of resource-intensive scrypt-based key derivation which makes this attack a few million times harder to execute than an ordinary brute-force attack. Thanks to this defence, it would take 560 years to discover a 6-character alphanumeric master password.

Length extension attacks against the hash functions

are mitigated by selecting hashing functions that have no known length extension attack vectors, concatenating their inputs in careful ordering and delimiting them with field-length prefixes.

Rainbow table attacks against the master password

are mitigated through the introduction of a unique salt to each person's master key derivation process. Since we need a solution that remains stateless, we can't use a blob of secure random data as the salt. We've instead opted to use the user's full name to seed the key derivation. Even though there are some people with the exact same full name, the fact that there's so many possible full name combinations makes the effort to construct an expensive rainbow table for each name entirely invaluable.

Future-proofing by considering more powerful computers and as yet unknown weaknesses in hashing algorithms

is especially important in the world of cryptography. Computers are getting ever more powerful and new attack vectors are found. To protect the algorithm against factors we don't yet know about, we've ensured that the security guarantees are sufficiently excessive such that if they're weakened in the future, there'll likely remain sufficiently strong to not be broken. We've employed defensive algorithms that perform operations in moderate excess of the bare minimum we'd need but are known to provide extra mitigation facilities against possible weaknesses in, for example, the hash functions in use. For example, we've chosen to use HMAC-SHA-256 as opposed to simply SHA-256, even though the latter has no known attack vectors today. If in the future a length extension attack or similar is found against this algorithm that might weaken our use of it, it is likely that the HMAC component will defeat such an attack.

These things are hard to get right.

Security is hard to get right. Applying some "military strength" encryption, doing some "hashing" and topping it off with some "proprietary" encoding doesn't suffice. There are many ways in which you can unintentionally open the door for attackers to weaken your solution or make it trivial to get in. When you evaluate a product consider proprietary algorithms and missing details on why it is "secure" as glaring red flags.

TRUST: Why Should I Trust Master Password?

Regardless of how strong a solution is, all that strength can be easily defeated by misplaced or violated trust. If you're looking for a security product, you will need to trust something but it is important that you carefully consider and minimize that trust. Some prefer to put their trust in large organizations with a track record. Some prefer to put it in secret algorithms they aren't even allowed to evaluate themselves.

At Master Password we've decided that real trust

is the result of transparency. Which is why we've made our algorithm open, published it on our website, described it in full and exposed it to cryptographic experts. We've also made our applications that implement it open-source so that you can see how they work and even bypass our binary distributions and instead install them from source.

Master Password minimizes the parties

you need to trust by implementing a completely stateless solution that requires no storage (you don't need to trust your hard disk or hardware), requires no backups or syncing (you don't need to trust that all your passwords are safely backed up and synced across your devices so they're actually available to you), requires no cloud services (you don't need to trust that your Internet connection is safe, or a cloud provider won't lose your data or secretly send it to your or a foreign government).

Trust is the most common failure point.

Most other solutions that get strength right don't care so much about the trust front. They figure, if you're going to pay them for their app, you might as well trust them with all your passwords too. This really shouldn't be an implicit assumption. They're your passwords, and nobody else should have a say.

Knowing what happened to Silent Circle and Lavabit, knowing how extremely powerful and persuasive governments and share-holders can be, you would be well advised to consider very carefully giving the keys to your digital identity to a separate entity.

LOSS: Can I Lose Everything?

Loss is another one of those points that are very often overlooked. It's as though the implicit assumptions are that everybody backs all of their stuff up to at least two different devices and backups in the cloud in at least two separate countries. Well, people don't always have perfect backups. In fact, they usually don't have any.

So what happens when you drop your phone in the toilet, spill your coffee on your laptop, or worse, your kid drops a candle into the arts and crafts box and sets the house alight? You lose everything. You lose your own identity.

Master Password is engineered to be immune

to data loss. And what better a way to fight data loss than by using no data at all? Master Password is a stateless solution, which means that its passwords are a result of only the things you can remember. Additionally, it minimizes the things you need to remember to little more than your own name, the site you want to use and one password (to rule them all).

When all is lost, you just need to open up Master Password, be it on a brand new computer, or a friend's iPhone, and you can just add your name and site back to it. Your passwords will re-appear "out of thin air".

Most password solutions rely on "vaults".

Vaults make the password problem really easy: passwords can be encrypted and stored on your hard disk for when you need the password again. You only notice the trouble vaults inflict when disaster strikes and you either lose the vault, it falls in the wrong hands, or a foreign government confiscates it. Be extremely wary of all vault-based password solutions and make sure you understand the trade-offs well.

USABILITY: I Don't Really Need A Secure Facebook...

And then there's the biggest obstacle of all. Bigger even than password strength, trust issues and risk of total loss, is the risk that you'll get lazy. Usability should be a primary concern for password solutions, but it is often overlooked.

When a security solution becomes just a little bit too hard to use, people become extremely eager to just skip it. At first, only for those "innocent" cases where they "don't really need security". Not only is that a very slippery slope, it also gives attackers a way to climb up from your weakly protected sites to your strong ones through various methods including social engineering with your friends, your sites' support staff and even with you directly.

All your sites should be equally well protected, each of them with unique passwords and you need to remain ever encouraged to keep it that way.

Master Password makes it easier on you

in various ways. It tries to minimize the time it takes to get to the password you need. It generates easily memorable and typeable passwords to facilitate their usage. It removes the need for you to take the time to think of strong passwords by doing it for you. You can copy-paste the password to avoid having to type it in manually. And we're constantly thinking of more ways to speed things up.

How Does It Manage To Do All That?

For the more technical details, please see the Algorithm page instead. I will give a more down-to-earth overview here.

To Be Stateless

As mentioned, Master Password is a stateless solution which means it derives its passwords solely from things that you can easily remember and nothing more. So what does it use?

  1. Your Name: We recommend you use your full given names and family name.
  2. Your Master Password: This one is your personal secret. Don't give it to anyone. Ever.
  3. The Site Name: This tells Master Password which password to generate. If you just use the site's bare domain name, you won't need to remember anything extra.
  4. The Site Counter: The least obvious, it's a number that starts at 1 and only ever goes up if you want a new password for the site.

The fact that we need

a master password is obvious, why do we need a name?
The name is a key element to the security of the algorithm: It is a seed to the key derivation that happens on your master password. Without this seed, the key derivation could be weakened by attackers generating a rainbow table. In practice, it ensures that two different people won't by chance pick the same master password and end up with all the same site passwords.

The name of the site

is also an obvious requirement, it ensures each site has a unique password. What's the counter about? Well, if a site's password was the result of just your name, your master password, and the site's name, what would you do if somebody saw your password? Or if the site told you its password database was compromised and you need to set a new password? You'd need a way to make a new password for the site. The solution is the password counter. Increase the counter, get a new password. Don't worry too much about not remembering the counter. If you ever need to, just start the counter from one and bump it until you get the password that logs you into your site.

To Be Strong

Using those givens, Master Password applies its algorithm to get you a password for the site. Why can you trust that this algorithm is strong against possible attacks? How does it work and what attacks does it prevent?

Here's how it works. To get your password, Master Password goes through the following steps:

  1. The Master Key: We use the master password and your name to derive a very long master key using scrypt key derivation.
  2. The Password Seed: We create a password seed from the site's name and counter using your master key and HMAC-SHA-256.
  3. The Site Password: We compose a good password by encoding your password seed using a password template.

The Master Key

The first part of the process it to obtain a very strong "token" of your personal identity. We call this token your master key, because it is very much like the one and only main key that opens all your doors. It is a personal key, it represents your identity.

The master key is derived from your name and your master password, and thrown away as soon as it's no longer needed to minimize the risk of loss.

Since it's vital that nobody else can gain access to your master key, it's important that the process of deriving the key is insurmountably difficult. An attacker could try a brute-force attack against your master key or password by convincing you to make an account on his website, and then guessing at your master password or your master key until he finds one that gives him your password for his fake site.

These are two different types of brute-force attacks and we need to make sure to defeat both of them.

To defeat a brute-force attack against your master key, we make sure the master key is sufficiently high in entropy. Since the master key is a 256-bit key, an attacker would now have to make up to 2256 guesses, or try 115792089237316195423570985008687907853269984665640564039457584007913129639936 master keys before finding the right one. Even at an ambitious rate of 2 billion tries per second, it would take several times the age of the universe to try all of them.

A brute-force attack against your master password is more feasible, since your master password will be tiny compared to such a huge master key.

Even if you used an 8-character evenly distributed random alphanumeric password (such as yIp6X2qd), a smart attacker could brute-force such a password in less than 1.7 days.

To solve this problem, we introduce an expensive scrypt-based key derivation step. scrypt specifically improves on standard key derivation techniques by not only wasting a lot of CPU time, but also consuming huge amounts of RAM. We need to be careful to choose the right parameters so that logging into Master Password doesn't take too long on weaker mobile devices while the possibility of guessing at passwords is sufficiently crippled for attackers. The theory is, the longer it takes for an attacker to try out one guess of your master password, the longer it'll take him to find the right one. We pull this theory into the extreme so that guessing your password now takes 2151076 years instead of 1.7 days while logging into Master Password on an iPhone 4S takes no more than 3 seconds.

It bears note that scrypt's approach is specifically interesting because it costs both a lot of CPU and a lot of RAM to derive a master key. That means that the more computers an attacker buys, the more his $ cost goes up. CPU and RAM are expensive, and forcing the derivation to use a lot instead of minuscule amounts causes the $ cost of a brute-force attack to become phenomenal.

Given these solutions, we feel confident Master Password is adequately protected against attacks on your private master key.

The Password Seed

With your master key, we can move on to getting a site-specific secret, since the idea behind Master Password is that each site needs to have a unique password.

To derive a site-specific secret from your master key, we employ HMAC-SHA-256 (a SHA-Hashed Message Authentication Code of 256-bit in length) to compute an authentication token by carefully hashing the site's name and counter with the master key. The result is a 256-bit password seed, which is essentially your key to get into the website.

It's obvious why we include the site name in this operation: it gets us a site-specific result. The password counter exists to allow you to get a new and completely different password for the site in case your old one becomes lost or compromised.

Some may wonder why this password seed is quite so large. We've chosen a 256-bit password seed not because it gives us any added security, but specifically because it gives us enough entropy in case the user wants to encode a really long password (see the "Maximum Security" password template in the next section).

The Site Password

Even though we now already have a site-specific key, called the password seed, this is a 256-bit sequence, which is definitely not something you can type into a password field. The last step involves encoding a nice password using the secret bits in this seed.

While we're encoding a password, we have one final problem to solve: password policies. Most websites nowadays have taken it upon themselves to restrict the kinds of passwords you can use. The point is usually to keep you from using passwords that are too weak, but these policies unfortunately often include rules that are detrimental for the strength of passwords (such as your password MUST contain a number, it MUST start with a letter, and it MUST NOT be longer than 6 characters. Oh yeah, and it MUST NOT contain quotes or anything fancy because we strip that since we don't know how else to sanitize data against SQL injection while we store your passwords in plain text. (did you detect a little rant there?).

Master Password comes with a set of templates which are carefully crafted to give you passwords which strike an optimal balance between security and usability while dodging the rules of the most common password policies.

Master Password's default Long Password template produces memorable passwords such as XikuFuzzFosu9[ which have just under 56 bits of entropy. An attacker that knows you use Master Password would still need to dedicate 1.4 years of powerful computer time to crack that password's hash. If he doesn't know you, that time goes up to 26 billion years.

Master Password's Secure Password template uses encodes many more bits from the password seed resulting in a password that's 20 characters long, looks something like A2/IczT2BKx^(bVa18Kp and would take that same machine up to 422460722753999994880 years to crack.

Given these numbers we feel confident that Master Password's output passwords offer you the maximum amount of confidence in the strength of your external accounts.

What Are Master Password's Trade-Offs?

Whenever choices are made, they come with trade-offs. We'll highlight the trade-offs involved with using Master Password, why we feel the benefits outweigh them and how.

So what are the trade-offs with the Master Password solution?

  1. You cannot change your master password without also changing all your site passwords.
  2. You cannot "generate" your own custom passwords.
  3. You cannot freely build your password template.
  4. This is only a one-factor solution (something you know).

Changing your master password

results in all your site passwords to change, since they are the mathematical result of your master key, which in turn is a mathematical result of your master password. That means, if somebody learns your master password, you'll need to reset all your site passwords to new ones. It also means the solution is incompatible with "password recovery". It is your responsibility to think of a good and memorable master password, and more importantly, ensure that nobody learns your master password. If you chose to share it anyway (say, with your spouse), you should do so in full expectation that you'll need to change all your sites' passwords if your trust relationship with them degrades.

This trade-off is a direct result of the desire to create a stateless solution which is immune to data loss. The solution relies entirely on the master password you can remember, which means that the only point of failure is now entirely under your control.

Custom passwords

are sometimes still a necessity. You may want to store a password you've been using for a long time in your manager, or your boss may have set an unchangeable password on your computer for you to use. Since Master Password's passwords are a mathematical result of your unchanging master password, it is impossible for it to be used with passwords that are created via another way.

The Master Password application however functions as a hybrid password manager, implementing both the Master Password algorithm and a vault-like password solution. In the second mode, Master Password uses your master key to encrypt custom passwords and store the encrypted result in a vault. Since we use the master key for this process, the result is a vault that is much harder to break into than that used by many other vault-based password solutions (specifically because the encryption key is a large key derived from your master password using scrypt key derivation). As a result, this trade-off has been mitigated.

Password templates

are the presets that tell Master Password what your final password should look like. They specify where to put the letters, numbers or other characters. We've made the decision to only provide a set of template presets rather than allowing users to determine their own templates to use for a site. As a result, you cannot chose to design your own custom template, such as, "a 6-digit password that starts with a lower-case letter".

This decision has been made in the interest of password recovery after a total loss scenario. Recovering the correct password for sites that use such custom templates would be extra difficult, since now you're forced to recall the specific custom template you drafted for this site. This problem becomes more difficult the more sites you've made custom templates for.

As a partial mitigation of this trade-off, we've created a set of password templates designed to cover nearly all use cases. The default template should work on nearly all websites. When this template fails, it's usually because the site imposes a low maximum-password-length restriction. This type of restriction is a serious red flag which almost always indicates a sloppy security implementation on their end. When you encounter it, you should contact the website administrator and demand an explanation (it's your security!). Usually, the explanation involves database-imposed limitations which mean they're storing your password in clear text, and you should be extremely wary about your continued use of this website.

A one-factor solution

is an authentication solution that requires only one factor of security. Master Password is a one-factor solution since its security relies solely on "something you know". That means, if somebody steals your master password, that's all they need to gain access to your sites. The alternative is usually a two-factor solution which relies on two distinct security factors, such as "something you know" and "something you have". Now, when somebody's obtained the "something you know", they'll still need to obtain the "something you have" before they can break in. The most popular example of a two-factor solution is a bank card: Your PIN number is the secret you know, but with the PIN alone a thief can't get to your money. They'll need to first steal your card as well.

A vault-based password manager is often considered two-factor, since it relies on your vault password as well as access to your vault file. Most security experts disagree, however. To be truly multi-factor, the security factors should come from separate categories:

  • Knowledge factors: passwords, key files, other secret data or information
  • Possession factors: physical tokens, smart cards
  • Inherence factors: biometrics

When two factors are derived from the same category, they don't really add a significant extra hurdle for the attacker to overcome. An attacker could steal your master password by installing a key-logger on your computer. But at that point he's probably also already copied your vault file.

Additionally, the weaker link with using a password-based authentication method is the password itself. Irrespective of how many truly distinct security factors you've used to obtain your password, your actual act of authentication involves sending a single password to the remote party, which means your actual authentication remains only one-factor secure.

So while Master Password is indeed a one-factor authentication solution, we don't aim or pretend to be anything more than that since the reality is that it's not truly possible when you're just doing password authentication.

Conclusion

We've explained all the important factors in which password managers can and should protect the security of your private information. We've also clarified in which ways Master Password deals with each of these factors and backed these clarifications with numbers and reasoning.

Hopefully this information has given you sufficient confidence in the Master Password algorithm and has taught you important ways to evaluate other competing security products so that you can make an informed decision.

A Final Note On Security

Of course, there are much easier ways for attackers to get at your passwords than through brute-forcing them or the solutions that provide them. When sites like Yahoo! store your passwords as plain-text in their databases, or you log into websites via plain HTTP connections where middle men can read everything that goes over the wire, your extra strong password can instantly be defeated. These problems cannot be solved by a password manager, and it is therefore important that users remain ever vigilant and don't rely on a "security solution" to keep them "secure" from "everything".

Master Password aims to provide you with secure passwords and protects you from loss. It cannot protect your wire as you send passwords over the internet, it cannot protect the note paper if you write these passwords down somewhere, and it cannot protect your web account when the web master has been negligent and the site gets hacked. Security, as always, must come in many forms, and the weakest link easily breaks the entire chain.

Other Questions / Issues

Don't hesitate to send us a message at masterpassword@lyndir.com. I'll get right on your case. Try to include any details you can. Good or common questions will have their answers added to this page.