The following is an overview of the security properties of the Master Password solution. It aims to answer all questions related to the strengths and weaknesses of the algorithm behind Master Password. If you have any unanswered questions after reading this page, don't hesitate to get in touch.
We'll begin with a prelude to account security. If you are interested specifically about Master Password, you can skip right ahead to the next section.
Security is a tough subject, and yet we all need it. Knowledge about good security practices should not be limited to professionals: we all have to protect our privacy and keep our identities from getting abused.
Security doesn't need to be tough. It can just be common sense. We all know to lock our houses at night or cars in the parking lot. We all teach our children to buckle up in the car and not to blindly trust strangers. It's time to learn some common sense on digital security.
Let's dive in. What do you really need to keep your accounts and information secure?
The security of your account with a website is mostly in the hands of that website's care takers. Regardless of how strong your passwords are, sloppy administration on their end means attackers might be able to bypass your password or simply copy it from of their database. Websites should store passwords as uniquely salted hashes and you should insist that they do, for your protection.
It is also imperative that you use unique passwords for each site. It will prevent hackers or a rogue site administrator from secretly trying to steal your identity by using your password of one site to get into your other sites. Unique passwords are your only weapon against mistakes made by website owners.
Also be careful with what information you share and whether you truly feel that information is safe in the hands of a person or company you may not know as well as you think you do, or may not be as trustworthy as you feel they should be.
Passwords are a very sub-par protection measure, but they're the most convenient and wide-spread authentication method in use. A password is a secret "word" shared between you and the other end which is meant to convince them that you are who you say you are. They only work if you and they are the only ones who know that "word". Which means, passwords should be unguessable and they should not be shared with any person or any other site.
The Internet is a very alien place to most of us. We are used to the real world where we know what's around us and we know who can hear us when we speak. These assumptions do not hold true on the Internet. Most of what you'll do on the Internet may feel like an interaction between you and a website, while in reality everything you say and do is recorded on hundreds of computers and possibly listened in on by many individuals hidden to you.
It is therefore essential that while on the Internet, you behave like you would in a public space, say a market square or cafe. Only when you are on a secure channel, such as an HTTPS website, should you feel safe to share private information. Before you type anything in on a website that you don't want to shout out in a market square (that includes passwords!), check whether your channel is secure and whether you trust the website to keep it private.
What do you need from passwords? You need security. Security is an extremely vague term, and excessively over-used in marketing material. Terms such as encryption, military-strength, and so on are used freely without context. As a customer, it is now your responsibility to put these terms into context and evaluate how well a solution really helps with the safety of your private data.
How do you properly evaluate the security of a product? Investigate what kind of security the product really gives you. There are a few key points on which you should evaluate security:
In summary: Master Password aims to solve each of these security problems rather than just focussing on one. It gives you unique strong passwords for each site that are also easy to use, generated in a way that makes them immune to data loss, completely independant from any third parties using an algorithm hardened against any known attack vector.
The first point is pretty obvious, we want to keep malicious people out. Unfortunately, these people are getting increasingly more creative and are targeting as many people as they possibly can. In the next few years, you will become the target of somebody's attack, most likely more than once. News reports of millions of people's accounts having been put at risk are becoming ever more frequent.
When we evaluate the strength of a password solution, there are two important aspects that we need to consider:
If you used an evenly distributed custom 8-character alphanumeric password (p4sSw0rD doesn't count), it would only take a powerful attacker 1.7 days to brute-force your password from a leaked hash. If you used Master Password's default Long Password instead, it would take that same attacker 1.4 years of non-stop focus on your password, assuming they already know you used Master Password. If they don't,
that time goes up to 26 billion years. If you used Master Password's Maximum Security type, it would take up to 422460722753999994880 years.
A solution like Master Password needs to strengthen itself against a few different types of attacks, many of which are not immediately obvious. Master Password has been hardened to defeat:
Security is hard to get right. Applying some "military strength" encryption, doing some "hashing" and topping it off with some "proprietary" encoding doesn't suffice. There are many ways in which you can unintentionally open the door for attackers to weaken your solution or make it trivial to get in. When you evaluate a product consider proprietary algorithms and missing details on why it is "secure" as glaring red flags.
Regardless of how strong a solution is, all that strength can be easily defeated by misplaced or violated trust. If you're looking for a security product, you will need to trust something but it is important that you carefully consider and minimize that trust. Some prefer to put their trust in large organizations with a track record. Some prefer to put it in secret algorithms they aren't even allowed to evaluate themselves.
Most other solutions that get strength right don't care so much about the trust front. They figure, if you're going to pay them for their app, you might as well trust them with all your passwords too. This really shouldn't be an implicit assumption. They're your passwords, and nobody else should have a say.
Knowing what happened to Silent Circle and Lavabit, knowing how extremely powerful and persuasive governments and share-holders can be, you would be well advised to consider very carefully giving the keys to your digital identity to a separate entity.
Loss is another one of those points that are very often overlooked. It's as though the implicit assumptions are that everybody backs all of their stuff up to at least two different devices and backups in the cloud in at least two separate countries. Well, people don't always have perfect backups. In fact, they usually don't have any.
So what happens when you drop your phone in the toilet, spill your coffee on your laptop, or worse, your kid drops a candle into the arts and crafts box and sets the house alight? You lose everything. You lose your own identity.
When all is lost, you just need to open up Master Password, be it on a brand new computer, or a friend's iPhone, and you can just add your name and site back to it. Your passwords will re-appear "out of thin air".
Vaults make the password problem really easy: passwords can be encrypted and stored on your hard disk for when you need the password again. You only notice the trouble vaults inflict when disaster strikes and you either lose the vault, it falls in the wrong hands, or a foreign government confiscates it. Be extremely wary of all vault-based password solutions and make sure you understand the trade-offs well.
And then there's the biggest obstacle of all. Bigger even than password strength, trust issues and risk of total loss, is the risk that you'll get lazy. Usability should be a primary concern for password solutions, but it is often overlooked.
When a security solution becomes just a little bit too hard to use, people become extremely eager to just skip it. At first, only for those "innocent" cases where they "don't really need security". Not only is that a very slippery slope, it also gives attackers a way to climb up from your weakly protected sites to your strong ones through various methods including social engineering with your friends, your sites' support staff and even with you directly.
All your sites should be equally well protected, each of them with unique passwords and you need to remain ever encouraged to keep it that way.
For the more technical details, please see the Algorithm page instead. I will give a more down-to-earth overview here.
As mentioned, Master Password is a stateless solution which means it derives its passwords solely from things that you can easily remember and nothing more. So what does it use?
Using those givens, Master Password applies its algorithm to get you a password for the site. Why can you trust that this algorithm is strong against possible attacks? How does it work and what attacks does it prevent?
Here's how it works. To get your password, Master Password goes through the following steps:
The first part of the process it to obtain a very strong "token" of your personal identity. We call this token your master key, because it is very much like the one and only main key that opens all your doors. It is a personal key, it represents your identity.
The master key is derived from your name and your master password, and thrown away as soon as it's no longer needed to minimize the risk of loss.
Since it's vital that nobody else can gain access to your master key, it's important that the process of deriving the key is unsurmountably difficult. An attacker could try a brute-force attack against your master key or password by convincing you to make an account on his website, and then guessing at your master password or your master key until he finds one that gives him your password for his fake site.
These are two different types of brute-force attacks and we need to make sure to defeat both of them.
To defeat a brute-force attack against your master key, we make sure the master key is sufficiently high in entropy. Since the master key is a 256-bit key, an attacker would now have to make up to 2256 guesses, or try 115792089237316195423570985008687907853269984665640564039457584007913129639936 master keys before finding the right one. Even at an ambitious rate of 2 billion tries per second, it would take several times the age of the universe to try all of them.
A brute-force attack against your master password is more feasible, since your master password will be tiny compared to such a huge master key.
Even if you used an 8-character evenly distributed random alphanumeric password (such as yIp6X2qd), a smart attacker could brute-force such a password in less than 1.7 days.
To solve this problem, we introduce an expensive scrypt
-based key derivation step. scrypt specifically improves on standard key derivation techniques by not only wasting a lot of CPU time, but also consuming huge amounts of RAM. We need to be careful to choose the right parameters so that logging into Master Password doesn't take too long on weaker mobile devices while the possibility of guessing at passwords is sufficiently
crippled for attackers. The theory is, the longer it takes for an attacker to try out one guess of your master password, the longer it'll take him to find the right one. We pull this theory into the extreme so that guessing your password now takes 2151076 years instead of 1.7 days while logging into Master Password on an iPhone 4S takes no more than 3 seconds.
It bears note that scrypt's approach is specifically interesting because it costs both a lot of CPU and a lot of RAM to derive a master key. That means that the more computers an attacker buys, the more his $ cost goes up. CPU and RAM are expensive, and forcing the derivation to use a lot instead of minuscule amounts causes the $ cost of a brute-force attack to become phenomenal.
Given these solutions, we feel confident Master Password is adequately protected against attacks on your private master key.
With your master key, we can move on to getting a site-specific secret, since the idea behind Master Password is that each site needs to have a unique password.
To derive a site-specific secret from your master key, we employ HMAC-SHA-256
(a SHA-Hashed Message Authentication Code of 256-bit in length) to compute an authentication token by carefully hashing the site's name and counter with the master key. The result is a 256-bit password seed, which is essentially your key to get into the website.
It's obvious why we include the site name in this operation: it gets us a site-specific result. The password counter exists to allow you to get a new and completely different password for the site in case your old one becomes lost or compromised.
Some may wonder why this password seed is quite so large. We've chosen a 256-bit password seed not because it gives us any added security, but specifically because it gives us enough entropy in case the user wants to encode a really long password (see the "Maximum Security" password template in the next section).
Even though we now already have a site-specific key, called the password seed, this is a 256-bit sequence, which is definitely not something you can type into a password field. The last step involves encoding a nice password using the secret bits in this seed.
While we're encoding a password, we have one final problem to solve: password policies. Most websites nowadays have taken it upon themselves to restrict the kinds of passwords you can use. The point is usually to keep you from using passwords that are too weak, but these policies unfortunately often include rules that are detrimental for the strength of passwords (such as your password MUST contain a number, it MUST start with a letter, and it MUST
NOT be longer than 6 characters. Oh yeah, and it MUST NOT contain quotes or anything fancy because we strip that since we don't know how else to sanitize data against SQL injection while we store your passwords in plain text.
(did you detect a little rant there?).
Master Password comes with a set of templates which are carefully crafted to give you passwords which strike an optimal balance between security and usability while dodging the rules of the most common password policies.
Master Password's default Long Password template produces memorable passwords such as XikuFuzzFosu9[ which have just under 56 bits of entropy. An attacker that knows you use Master Password would still need to dedicate 1.4 years of powerful computer time to crack that password's hash. If he doesn't know you, that time goes up to 26 billion years.
Master Password's Secure Password template uses encodes many more bits from the password seed resulting in a password that's 20 characters long, looks something like A2/IczT2BKx^(bVa18Kp and would take that same machine up to 422460722753999994880 years to crack.
Given these numbers we feel confident that Master Password's output passwords offer you the maximum amount of confidence in the strength of your external accounts.
We've explained all the important factors in which password managers can and should protect the security of your private information. We've also clarified in which ways Master Password deals with each of these factors and backed these clarifications with numbers and reasoning.
Hopefully this information has given you sufficient confidence in the Master Password algorithm and has taught you important ways to evaluate other competing security products so that you can make an informed decision.
Of course, there are much easier ways for attackers to get at your passwords than through brute-forcing them or the solutions that provide them. When sites like Yahoo! store your passwords as plain-text in their databases, or you log into websites via plain HTTP connections where middle men can read everything that goes over the wire, your extra strong password can instantly be defeated. These problems cannot be solved by a password manager, and it is therefore important that users remain ever vigilant and don't rely on a "security solution" to keep them "secure" from "everything".
Master Password aims to provide you with secure passwords and protects you from loss. It cannot protect your wire as you send passwords over the internet, it cannot protect the note paper if you write these passwords down somewhere, and it cannot protect your web account when the web master has been negligent and the site gets hacked. Security, as always, must come in many forms, and the weakest link easily breaks the entire chain.
Don't hesitate to send us a message at masterpassword@lyndir.com. I'll get right on your case. Try to include any details you can. Good or common questions will have their answers added to this page.