The following is an overview of the security properties of the Master Password solution. It aims to answer all questions related to the strengths and weaknesses of the algorithm behind Master Password. If you have any unanswered questions after reading this page, don't hesitate to get in touch.
What do you need from passwords? You need security. Security is an extremely vague term, and excessively over-used in marketting material. Terms such as encryption, military-strength, and so on are used freely without context. As a customer, it is now your responsibility to put these terms into context and evaluate how well a solution really helps with the safety of your private data.
How do you properly evaluate the security of a product? Investigate what kind of security the product really gives you. There are a few key points on which you should evaluate security:
The first point is pretty obvious, we want to keep malicious people out. Unfortunately, these people are getting increasingly more creative and are targetting as many people as they possibly can. In the next few years, you WILL become the target of somebody's attack, most likely more than once. News reports of millions of people's accounts having been put at risk are becoming ever more frequent.
When we evaluate the strength of a password solution, there are two important aspects that we need to consider:
If you used an evenly distributed custom 6-character alphanumeric password (0wn3dZ doesn't count), it might take an insistant attacker 3 months to brute-force your password from a leaked hash. If you used Master Password's default Long Password instead, it would take that same attacker more than a year of non-stop focus on your password. If you used Master Password's Maximum Security type, it would take him up to 312409704477000007680
years.
Security is hard to get right. Applying some "military strength" encryption, doing some "hashing" and topping it off with some "proprietory" encoding doesn't suffice. There are many ways in which you can unintentionally open the door for attackers to weaken your solution or make it trivial to get in. When you evaluate a product consider proprietary algorithms and missing details on why it is "secure" as glaring red flags.
Regardless of how strong a solution is, all that strength can be easily defeated by misplaced or violated trust. If you're looking for a security product, you will need to trust something but it is important that you carefully consider and minimize that trust. Some prefer to put their trust in large organizations with a track record. Some prefer to put it in secret algorithms they aren't even allowed to evaluate themselves.
Most other solutions that get strength right don't care so much about the trust front. They figure, if you're going to pay them for their app, you might as well trust them with all your passwords too. This really shouldn't be an implicit assumption. They're your passwords, and nobody else should have a say.
Loss is another one of those points that are very often overlooked. It's as though the implicit assumptions are that everybody backs all of their stuff up to at least two different devices and backups in the cloud in at least two separate countries. Well, people don't always have perfect backups. In fact, they usually don't have any.
So what happens when you drop your phone in the toilet, spill your coffee on your laptop, or worse, your kid drops a candle into the arts and crafts box and sets the house alight? You lose everything. You lose your own identity.
When all is lost, you just need to open up Master Password, be it on a brand new computer, or a friend's iPhone, and you can just add your name and site back to it. Your passwords will re-appear "out of thin air".
Vaults make the password problem really easy: passwords can be encrypted and stored on your hard disk for when you need the password again. You only notice the trouble vaults inflict when disaster strikes and you either lose the vault, it falls in the wrong hands, or a foreign government confiscates it. Be extremely wary of all vault-based password solutions and make sure you understand the down sides well.
And then there's the biggest obstacle of all. Bigger even than password strength, trust issues and risk of total loss, is the risk that you'll get lazy. Usability should be a primary concern for password solutions, but it is often overlooked.
When a security solution becomes just a little bit too hard to use, people become extremely eager to just skip it. At first, only for those "innocent" cases where they "don't really need security". Not only is that a very slippery slope, it also gives attackers a way to climb up from your weakly protected sites to your strong ones through various methods including social engineering with your friends, your sites' support staff and even with you directly.
All your sites should be equally well protected, each of them with unique passwords and you need to remain ever encouraged to keep it that way.
For the more technical details, please see the Algorithm page instead. I will give a more down-to-earth overview here.
As mentioned, Master Password is a stateless solution which means it derives its passwords solely from things that you can easily remember and nothing more. So what does it use?
Using those givens, Master Password applies its algorithm to get you a password for the site. Why can you trust that this algorithm is strong against possible attacks? How does it work and what attacks does it prevent?
Here's how it works. To get your password, Master Password goes through the following steps:
The first part of the process it to obtain a very strong "token" of your personal identity. We call this token your master key, because it is very much like the one and only main key that opens all your doors. It is a personal key, it represents your identity.
The master key is derived from your name and your master password, and thrown away as soon as it's no longer needed to minimize the risk of loss.
Since it's vital that nobody else can gain access to your master key, it's important that the process of deriving the key is unsurmountably difficult. An attacker could try a brute-force attack against your master key or password by convincing you to make an account on his website, and then guessing at your master password or your master key until he finds one that gives him your password for his fake site.
These are two different types of brute-force attacks and we need to make sure to defeat both of them.
To defeat a brute-force attack against your master key, we make sure the master key is sufficiently high in entropy. Since the master key is a 256-bit key, an attacker would now have to make up to 2256 guesses, or try 115792089237316195423570985008687907853269984665640564039457584007913129639936 master keys before finding the right one. Even at an ambitious rate of 2 billion tries per second, it would take several times the age of the universe to try all of them.
A brute-force attack against your master password is more feasible, since your master password will be tiny compared to such a huge master key.
Even if you used a 6-character evenly distributed random alphanumeric password (such as yIp6X1), an attacker with an decent GPU could brute-force such a password in less than 3 years. With a powerful setup (eg. a cluster of 10 Nvidia 8800GT GPUs which can try about 2 billion passwords a second), that time could conceivibly go down to 3 or 4 months.
To solve this problem, we introduce an expensive scrypt
-based key derivation step. scrypt specifically improves on standard key derivation techniques by not only wasting a lot of CPU time, but also consuming huge amounts of RAM. We need to be careful to choose the right parameters so that logging into Master Password doesn't take too long on weaker mobile devices while the possibility of guessing at passwords is sufficiently
cippled for attackers. The theory is, the longer it takes for an attacker to try out one guess of your master password, the longer it'll take him to find the right one. We pull this theory into the extreme so that guessing your password now takes 19477911.1969 years instead of 3 months while logging into Master Password on an iPhone 4S takes less than 3 seconds.
It bears note that scrypt's approach is specifically interesting because it costs both a lot of CPU and a lot of RAM to derive a master key. That means that the more computers an attacker buys, the more his $ cost goes up. CPU and RAM are expensive, and forcing the derivation to use a lot instead of minuscule amounts causes the $ cost of a brute-force attack to become phenomenal.
Given these solutions, we feel confident Master Password is adequately protected against attacks on your private master key.
With your master key, we can move on to getting a site-specific secret, since the idea behind Master Password is that each site needs to have a unique password.
To derive a site-specific secret from your master key, we employ HMAC-SHA-256
(a SHA-Hashed Message Authentication Code of 256-bit in length) to compute an authentication token by carefully hashing the site's name and counter with the master key. The result is a 256-bit password seed, which is essentially your key to get into the website.
It's obvious why we include the site name in this operation: it gets us a site-specific result. The password counter exists to allow you to get a new and completely different password for the site in case your old one becomes lost or compromised.
Some may wonder why this password seed is quite so large. We've chosen a 256-bit password seed not because it gives us any added security, but specifically because it gives us enough entropy in case the user wants to encode a really long password (see the "Maximum Security" password template in the next section).
Even though we now already have a site-specific key, called the password seed, this is a 256-bit sequence, which is definitely not something you can type into a password field. The last step involves encoding a nice password using the secret bits in this seed.
While we're encoding a password, we have one final problem to solve: password policies. Most websites nowadays have taken it upon themselves to restrict the kinds of passwords you can use. The point is usually to keep you from using passwords that are too weak, but these policies unfortunately often include rules that are detrimental for the strength of passwords (such as your password MUST contain a number, it MUST start with a letter, and it MUST
NOT be longer than 6 characters. Oh yeah, and it MUST NOT contain quotes or anything fancy because we strip that since we don't know how else to sanitize data against SQL injection while we store your passwords in plain text.
(did you detect a little rant there?).
Master Password comes with a set of templates which are carefully crafted to give you passwords which strike an optimal balance between security and usability while dodging the rules of the most common password policies.
Master Password's default Long Password template produces memorable passwords such as XikuFuzzFosu9[ which have just under 56 bits of entropy. It would take an Nvidia 8800GT about 10 years at 200 million passwords per second. That same machine would crack a perfectly random 6-character alphanumeric password in 3 years.
Master Password's Secure Password template uses a lot of bits from the password seed to give you a password that's 20 characters long, looks something like A2/IczT2BKx^(bVa18Kp and would take that same machine up to 3124097044769999945728 years to crack.
Given these numbers we feel confident that Master Password's output passwords offer you the maximum amount of confidence in the strength of your external accounts.
We've explained all the important factors in which password managers can and should protect the security of your private information. We've also clarified in which ways Master Password deals with each of these factors and backed these clarifications with numbers and reasoning.
Hopefully this information has given you sufficient confidence in the Master Password algorithm and has taught you important ways to evaluate other competing security products so that you can make an informed decision.
Of course, there are much easier ways for attackers to get at your passwords than through brute-forcing them or the solutions that provide them. When sites like Yahoo! store your passwords as plain-text in their databases, or you log into websites via plain HTTP connections where middle men can read everything that goes over the wire, your extra strong password can instantly be defeated. These problems cannot be solved by a password manager, and it is therefore important that users remain ever vigilant and don't rely on a "security solution" to keep them "secure" from "everything".
Master Password aims to provide you with secure passwords and protects you from loss. It cannot protect your wire as you send passwords over the internet, it cannot protect the note paper if you write these passwords down somewhere, and it cannot protect your web account when the web master has been negligent and the site gets hacked. Security, as always, must come in many forms, and the weakest link easily breaks the entire chain.
Don't hesitate to send us a message at masterpassword@lyndir.com. I'll get right on your case. Try to include any details you can. Good or common questions will have their answers added to this page.