Master Password

by Lyndir

© 2011

— 1 —

Find the site that you need a password for by entering its name into the search field.

While searching, the names of previously used sites will be listed.
Tap one of these results to go straight to its password.

— 2 —

The site's password is now displayed.
Tap it to copy the password. Once copied, you can switch to another application and paste it into a password field.

To change the password for this site, tap the edit icon.

Below the password you can set the password type. Some types create a password for you, others let you choose your own.

If the site complains when you try to set or update the password, try changing the password type.

To create a new password for this site, you can increment the password counter. This is useful, for example, after you've had to share the password with somebody else.

— F.A.Q. —

  1. What is it and how do I use it?
  2. Why do I need Master Password?
  3. A password was given to me.
  4. What if I lose my device?
  5. Am I dependent on my device?
  6. How do I maximize my security?
  7. A website I use got hacked!
  8. I forgot my master password!
  9. How does Master Password work?
  10. Do you offer enterprise solutions?

What is Master Password and how do I use it?

Master Password creates secure and unique passwords for you, so you don't have to.
The human brain is not well suited for creating secure and random passwords, and it's also terrible at remembering lots of unique passwords. Master Password does the work for you: all you need to do is remember a single long and secure master password to log into the app.

Begin by entering the name of the thing you want a password for. Naming is entirely up to you, but remember to be consistent.
Good names could be:
apple.com, john@doe.com, office safe, bike lock, etc.

Every distinct name yields a different password, so names like the following are risky because you may not remember later exactly how you worded them:
pw for amazon, pin for my cell, etc.

Tap the resulting password to copy it for pasting into a different application, or read it off the screen to type it in or use it manually elsewhere.

The thought behind this application is to secure your online (and offline) life by changing all of your passwords to passwords generated by this app.

That's crazy talk.
Why would I do that?

The theory of password authentication is simple: To log in to a site, you share a secret word with the site that only you and the site know. Since nobody else knows your secret password, nobody else can log into your account.

It sounds good in theory. In practice, it's an absolute hell. These days, people have hundreds of accounts on sites all over the Internet. Does that mean we're all remembering hundreds of secret passwords? No, of course not. That would be impossible. If you're like most people, you remember one or two passwords, and use those for all your sites everywhere.

So, what?, you might say.
Here's the problem: When you share a secret password with a site, and then share the same secret password with another site, both sites can now use the password you gave them to log into your account on the other site. Nothing is stopping them from trying to log into your GMail, Hotmail or Twitter accounts using the same password that you used to register an account on their site. Even if you only give your password to sites you trust, all it takes is for one of those sites to get hacked and lose their passwords database. Those hackers now have all it takes to impersonate you.

Some of you already try to remember unique-ish passwords for different sites. This causes problems too: with so many passwords to remember, you easily forget passwords for sites you haven't used in a while. Or you make up a simplification algorithm such as tacking your birth year onto the site name. This is really not any more secure than using the same password for every site. And then there are those sites with password policies: suddenly your long password isn't good enough, because it begins with a number, or because (god forbid) it's too long. You now find yourself forced to create a strange variant of your password that you'll have forgotten before the day is out.

This app solves the problem by letting you remember only a single password without requiring you to share the password with anyone else. Instead, the app creates secure passwords for use with whatever site or purpose you might need a password for.

I can't change all my passwords.
Some of them were assigned to me.

That's why this application allows you to change the password type to Personal or Device Private. These types let you enter a password for a site, and the app will encrypt and save it so it's there for future reference.

These types of stored passwords don't have all the advantages that their generated counterparts have (they can be lost if you lose your device and don't back it up), but when you can't change a site's password to one generated by the app, this is as good as it gets.

So, what if I lose my device?
I'm locked out of everything?

Absolutely not! In fact, generated passwords aren't even stored on your device. No, not in the cloud either. They're not stored anywhere! What that basically means is, if you grab the iPhone of a colleague or friend and open this app on it, re-create your user and log in, it'll give you all your generated passwords. So, if you lose your iPhone or forget it, just open the app on your iPad, or borrow a friend's device, and you're back in business. No backups or restores needed.

This also means that, unlike all those apps that store your passwords or send them off to be stored on the Internet, this app makes your passwords much safer from theft. If your device is stolen, the thieves can't get at your passwords. There's also no cloud service that can be mis-managed or hacked.

Great, but that still means I need my device to get my passwords.

Correct. However, remember that usually you'll only need to use this app once for each site. After you log into a site once using the password generated by this app, your browser will probably ask you to remember the password for the future. Agree to that, and you won't need to bring up your device again the next time you log in to the account.

There is also a Mac version of Master Password that will be released on the Mac App Store. It allows you to generate any of your passwords without the need to bring out your device.

I'm paranoid.
How do I maximize my security?

The most important aspect to the security of your passwords is your master password. Make sure you've chosen a long and unique master password. Master Password's algorithm makes it exceedingly difficult for an attacker to guess your master password, but that doesn't make you invulnerable when your master password is short or easy to guess. Ideally, your master password should be longer than 10 characters. An absurd sentence is a great idea, especially if you add non-English or gibberish words to it. Absurd sentences are long and high in entropy, but also particularly easy for the human brain to remember.

Armed with a good master password, your next step is to assign generated passwords to all of your sites. By default, Master Password creates passwords that are secure and still easy to copy from your device to a computer by keyboard. If you prefer, you can go into Master Password's preferences (using the top-right icon) and change the default password type to Maximum Security. Any new sites will now generate passwords that are even higher in entropy. These types of passwords are nigh impossible for an attacker to brute-force (though a Long Password really is secure enough for almost any purpose, see What if a site I use gets hacked?).

Also check out the application's preferences (using the action icon on the top right, select Preferences). Make sure that Save Password is disabled. Saving your password is a convenience feature that lets your device store your master password so you don't need to enter it anymore. It also means that if somebody finds your device somewhere or steals it, the only obstacle between them and your passwords is your device's PIN code (assuming you even have one set).
If you go into Settings from the Preferences page, you'll see some global application settings. Make sure that Stay logged in is disabled here. If enabled, Master Password will not log you out when you close the app. Your master password isn't saved on your device, but it is kept in memory for as long as your device remains powered on. Again, a malicious person can easily get to your passwords if they find your device powered on and logged into Master Password.

What if a site I use gets hacked?

There have been some high-profile password database leaks lately. LinkedIn, eHarmony, Last.fm, to name a few, have lost millions of people's password hashes. In these cases, attackers have obtained a hash of the passwords of all of these people, which makes it much easier for them to guess their real password. A single sophisticated computer can be used to try about 200 million password combinations per second in an attempt to find the real password behind a hash. That means these millions of people should be really worried about their account's security.
However, if your account is protected by a Long Password generated by Master Password, it would take an attacker with ten sophisticated machines multiple lifetimes to find your actual password from a hash. If the attacker knew beforehand that you had used Master Password to generate your password, he could make his approach smarter and ten sophisticated machines would still take more than a year of constantly trying millions of password combinations to find out your actual password.
If instead you used a Maximum Security password to protect your account, the time it would take for an attacker to brute-force your password goes completely off the scale: 10,000 sophisticated machines would take up to 312,409,704,477,000,000 (roughly 3 × 10^17) years to try and find your password, even if the attacker knew you're using Master Password.

If you're worried anyway or you need a new password for your site for some other reason, tap the password counter button (the plus icon) to instantly create a new password for that site.

Long story short: When a website you use gets hacked and your password hashes are revealed to hackers, this is a big problem for the security of your account, but only if you're not using Master Password.

I forgot my master password. What are my options?

Due to the nature of this app's algorithms and the decisions that were made to protect against brute-force attacks, it is simply infeasible to recover your master password. If you really can't remember it, your passwords are gone.

Where you go from here is: on the unlock screen, tap and hold your user. A dialog will pop-up that will allow you to reset your master password. Assign a new master password, log in, and for each of your accounts, go through the password recovery procedure (which will usually involve the site sending a mail to your email account) and reset the passwords of these accounts to passwords generated by your newly chosen master password.
Now don't forget it again! :-)

So how does this thing work internally?

The way Master Password works internally is fully disclosed. The source code for this application is also available from GitHub. I invite anyone with a technical background to go through these resources to make certain of the trustworthiness of Master Password.
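As an added illustration, the Python below shows the shape of such a stateless scheme and why the properties claimed on this page follow from it. It is not the app's own code and not the exact algorithm the app ships: the scope string, KDF parameters, template strings and character classes are this example's own assumptions, so its output will not match the real app. What it does show is that the same master password, user name, site name and counter regenerate the same password on any device (the lost-device answer above), that incrementing the counter yields an unrelated password (the password counter), and that an attacker who knows the scheme still has to search the whole template keyspace (the hacked-site answer above, using its figure of 200 million guesses per second per machine).

```python
# Added illustration of a stateless, template-based password generator.
# Modelled on the shape of the scheme this page describes, but NOT the
# app's own code: SCOPE, the scrypt parameters, CLASSES and TEMPLATES are
# this example's assumptions and its output differs from the real app.
import hashlib
import hmac
import math
import struct

SCOPE = b"com.example.masterpassword-demo"  # assumed namespace string

# Character classes a template slot may draw from (assumed).
CLASSES = {
    "V": "AEIOU",
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxyz",
    "a": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
    "x": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
         "0123456789!@#$%^&*()",
}

# Template sets per password type (assumed). "long" alternates consonants
# and vowels so it is pronounceable and easy to retype from a phone screen;
# "maximum" draws almost every slot from the full class.
TEMPLATES = {
    "long": [
        "CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno",
        "CvccnoCvcvCvcv", "CvccCvcvnoCvcv", "CvccCvcvCvcvno",
        "CvcvnoCvccCvcv", "CvcvCvccnoCvcv", "CvcvCvccCvcvno",
        "CvcvnoCvcvCvcc", "CvcvCvcvnoCvcc", "CvcvCvcvCvccno",
        "CvccnoCvccCvcv", "CvccCvccnoCvcv", "CvccCvccCvcvno",
        "CvcvnoCvccCvcc", "CvcvCvccnoCvcc", "CvcvCvccCvccno",
        "CvccnoCvcvCvcc", "CvccCvcvnoCvcc", "CvccCvcvCvccno",
    ],
    "maximum": ["anoxxxxxxxxxxxxxxxxx", "axxxxxxxxxxxxxxxxxno"],
}


def _length_prefixed(data: bytes) -> bytes:
    """4-byte big-endian length prefix so ("ab","c") and ("a","bc") differ."""
    return struct.pack(">I", len(data)) + data


def master_key(master_password: str, user_name: str) -> bytes:
    """Expensive step: memory-hard KDF (scrypt here) over the master password,
    salted with the user name. Computed once per login, kept only in memory."""
    salt = SCOPE + _length_prefixed(user_name.encode("utf-8"))
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 15, r=8, p=2, dklen=64, maxmem=2 ** 26)


def site_seed(key: bytes, site_name: str, counter: int = 1) -> bytes:
    """Cheap per-site step: HMAC-SHA256 keyed with the master key over the
    site name and counter. A new counter value gives an unrelated seed."""
    msg = SCOPE + _length_prefixed(site_name.encode("utf-8")) + struct.pack(">I", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()


def render(seed: bytes, password_type: str = "long") -> str:
    """seed[0] picks the template; each following byte picks one character
    from its slot's class. Templates are at most 20 slots, 32 bytes suffice."""
    templates = TEMPLATES[password_type]
    template = templates[seed[0] % len(templates)]
    return "".join(CLASSES[cls][seed[i + 1] % len(CLASSES[cls])]
                   for i, cls in enumerate(template))


def site_password(master_password: str, user_name: str, site_name: str,
                  counter: int = 1, password_type: str = "long") -> str:
    """Full derivation: the same four inputs give the same password on any
    device, so generated passwords never need to be stored or backed up."""
    key = master_key(master_password, user_name)
    return render(site_seed(key, site_name, counter), password_type)


def keyspace(password_type: str) -> int:
    """Distinct passwords a template set can produce (sum over templates of
    the product of class sizes); an attacker who knows the scheme must
    still search this space."""
    return sum(math.prod(len(CLASSES[c]) for c in t) for t in TEMPLATES[password_type])


def years_to_exhaust(password_type: str, machines: int = 10,
                     guesses_per_second: int = 200_000_000) -> float:
    """Worst-case time to search the keyspace against one leaked hash, using
    the page's figure of 200 million guesses per second per machine."""
    return keyspace(password_type) / (machines * guesses_per_second) / (365 * 24 * 3600)


if __name__ == "__main__":
    key = master_key("correct horse battery staple", "Jane Doe")  # constructed inputs
    for counter in (1, 2):
        print("apple.com counter", counter, render(site_seed(key, "apple.com", counter)))
    print("apple.com maximum:", render(site_seed(key, "apple.com"), "maximum"))
    print(f"long keyspace, 10 machines: {years_to_exhaust('long'):.2f} years")
    print(f"maximum keyspace, 10,000 machines: {years_to_exhaust('maximum', 10_000):.3g} years")
```

Two design points worth noticing. The length prefix on the user and site names prevents two different (name, site) pairs from collapsing into the same byte string, and the counter goes into the HMAC input rather than being appended to the output, so incrementing it changes every character of the password. The split into an expensive `master_key` and a cheap `site_seed` is also what makes the lost-device and forgotten-master-password answers on this page true: nothing derived is ever written anywhere, and nothing on a device can be used to recover the master password faster than guessing it through the KDF.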

Is the algorithm stable?
Will my passwords ever change?

While we're very confident of the strength of the Master Password algorithm, we also keep a constant eye on how attackers' tools and capabilities evolve. To give you the best possible protection, there is always the possibility that we'll have to make tweaks to the Master Password algorithm in order to fend off any attempts at breaking in.

Usually, these tweaks will be automatically applied when you install the latest version. In this case, you will notice nothing and all you need to take away from this is that it's best to always be running the latest version of Master Password.

It is possible, however, that to apply an upgrade to your passwords, a new password will need to be set for your site's account. In this case, Master Password will leave your passwords the way they are but give you the option of upgrading your passwords when it's convenient to you. Whenever you're ready, just tap the upgrade password icon and Master Password will show you the old password and the new one so that you can easily update your site's account.

Please note: if Master Password warns you that you have outdated passwords, it's best to upgrade them all as soon as convenient. If you lose your device or data and recreate your Master Password user on another device, Master Password can only regenerate the passwords for you that you've upgraded. iCloud/iTunes sync or exports are not affected, so these are good ways to safely back up your passwords.


This stuff is gold.
I want one branded for our company.

Contact me directly for enterprise inquiries. I can provide branded clients and enterprise distribution if your company is interested in deploying this solution internally.

Master Password can also be used as a One-Time Password token generator to secure your infrastructure and client access.