2
0
MasterPassword/Site/2013-05/faq.html
2014-07-18 12:03:27 -04:00

330 lines
21 KiB
HTML

<!DOCTYPE html>
<html class="no-js" itemscope itemtype="http://schema.org/Product">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title itemprop="name">Master Password &mdash; Secure your life, forget your passwords.</title>
<meta itemprop="description" content="Master Password is an ingenious password solution that makes your passwords truly impossible to lose." />
<meta itemprop="image" content="http://masterpassword.lyndir.com/img/iTunesArtwork-Rounded.png" />
<meta name="apple-itunes-app" content="app-id=510296984" />
<meta name="viewport" content="width=device-width">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="icon" href="img/favicon.png" type="image/x-png" />
<link rel="shortcut icon" href="img/favicon.png" type="image/x-png" />
<link rel="stylesheet" href="css/bootstrap.min.css">
<link rel="stylesheet" href="css/bootstrap-responsive.min.css">
<link rel="stylesheet" href="css/main.css?1">
<script src="js/vendor/modernizr-2.6.2.min.js"></script>
<script src="js/vendor/prefixfree.min.js"></script>
</head>
<body itemscope itemtype="http://schema.org/MobileSoftwareApplication" id="trouble">
<!--[if lt IE 7]>
<p class="chromeframe">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> or <a href="http://www.google.com/chromeframe/?redirect=true">activate Google Chrome Frame</a> to improve your experience.</p>
<![endif]-->
<nav class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="brand" href="./">●●●|</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li><a href="./">App</a></li>
<li><a href="security.html">Security</a></li>
<li class="active"><a href="faq.html">FAQ</a></li>
<li><a href="algorithm.html">Algorithm</a></li>
<li><a href="support.html">Support</a></li>
<li><a href="http://github.com/Lyndir/MasterPassword/" onclick="_gaq.push(['_trackPageview', '/outbound/github']);">Source (GPL)</a></li>
</ul>
<ul class="nav pull-right">
<li><a href="irc://irc.freenode.net/#masterpassword" onclick="_gaq.push(['_trackPageview', '/outbound/irc']);">#masterpassword (freenode)</a></li>
<li class="divider-vertical"></li>
<li><a href="MasterPassword_PressKit.zip" onclick="_gaq.push(['_trackPageview', '/outbound/presskit']);">⬇ Press Kit</a></li>
<li><a href="http://itunes.apple.com/app/id510296984" onclick="goog_report_conversion('index-fixed-header');_gaq.push(['_trackPageview', '/outbound/itunes']);" class="img"><img src="img/appstore.svg" /></a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
</nav>
<header>
<img class="background" src="img/mp-process-angled.png" data-stellar-ratio="2.5" />
<div class="container">
<!-- <div class="box effect-8">
iframe id="ytplayer" type="text/html" width="640" height="360" frameborder="0"
src="http://www.youtube.com/embed/QTfA0O7YnHQ?origin=http://masterpassword.lyndir.com&autohide=1&autoplay=0&rel=0&showinfo=0&theme=light&color=white"></iframe
<iframe width="640" height="360" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen
src="http://player.vimeo.com/video/45803664?title=0&amp;byline=0&amp;portrait=0&amp;color=ffffff"></iframe>
</div> -->
<div class="content">
<h2>Security Overview</h2>
</div>
</div>
</header>
<section><div class="content">
<p>Master Password is an "unconventional" way of managing passwords. If you've got questions and need answers, read on. For a full overview of the security features in this app, see the <a href="security.html">Security page</a>. For the technical details on how Master
Password works, see the <a href="algorithm.html">Algorithm page</a>.</p>
<ol>
<li><a href="#hacking">Can Master Password get hacked?</a></li>
<li><a href="#theft">Can a thief get to my passwords if he steals my phone?</a></li>
<li><a href="#masterpassword">What should my master password be?</a></li>
<li><a href="#numbers">What is the basis for your numbers?</a></li>
</ol>
<div class="thumb clearfix">
<h1 id="hacking">Can Master Password get hacked?</h1>
<p>There are ways around everything, including Master Password's algorithm. A hacker could install a program on your computer that watches as you send your password to the website. At this point, however, no amount of password management will help you, if this is your worry, you need to use two-factor authentication methods which most sites don't support.</p>
<p>A hacker could also attempt to derive your master password from a password stolen from a site. Master Password has been designed specifically to thwart any attempts to break its security model. For more information, <a href="security.html#strength">read "Why Is Master Password Strong?"</a>.</p>
<h1 id="theft">Can a thief get to my passwords if he steals my phone?</h1>
<p>Master Password has been engineered not to store any secrets on your phone. The secret is your master password and it is only in your head. You enter it when opening the app at which point Master Password remembers it only as long as you leave the app open. Once you ask the app for a site's password, your master password is used to calculate the site's password.</p>
<p>To answer the question directly: not unless the app is showing at the time he steals your phone, or you configured it to save the master password and used a weak PIN on your phone.</p>
<p>There is an exception: Master Password allows you to save "custom" or "personal" passwords in the app. These passwords don't use Master Password's special algorithm and are merely encrypted using the strong master key derived from your master password. These types of passwords behave more like conventional vault-based passwords do. They are however very well protected and an attacker would still need to find a way to crack your master password (which is extremely
difficult, see below) before being able to decode the passwords in its vault.</p>
<h1 id="masterpassword">What should my master password be?</h1>
<p>The simple answer to that question is: First and foremost, memorable and unrelated to you. What that means is that the most important thing about your master password is that you need to be able to recall it any time and yet it should not be derived from anything personal.</p>
<p>That advice usually doesn't help very much with actually picking a good master password. <strong>The goal of a good password is that it'll take an attacker a lot of guesses before he'll find it</strong>. That is the core idea behind good passwords.</p>
<p>There are a few strategies of getting good passwords. The speed with which an attacker can guess your password depends a lot on whether he knows what kind of password you're using or not. So we'll compare a few password strategies, their strength and how memorable they are.</p>
<p>The simplest strategy for picking good passwords is by just picking a bunch of random letters, digits and symbols and mixing them up. This is a great strategy for strong passwords but those passwords are usually not very memorable.</p>
<p>Another strategy is by "encoding" something you already know. This can seem like a good way to make memorable passwords, but recalling the "encoding" you used two years later can be tricky. This also makes it much easier for attackers that know you to find your password.</p>
<p>Master Password itself generates very random passwords that look semi-legible, for instance <code>Togu3]ToxiBuzb</code>. Such passwords have been found to be very memorable while also being very high in entropy (hard to guess).</p>
<p>A strategy that's gaining traction lately is that of combining words into a sentence. Some claim it's best for the sentence to make no grammatical sense, others dispute these claims. It's a fact, though, that if your attacker doesn't expect such a password, they're nearly impossible to defeat.</p>
<p>Let's sum these strategies up in a table, note that this type of comparison is very subjective.</p>
<table>
<caption>Time to crack a master password</caption>
<thead>
<tr>
<th colspan="4">Strategy</th>
</tr>
<tr>
<th>Example</th>
<th>Time to crack<br />(bulk/ignorant&nbsp;attack)</th>
<th>Time to crack<br />(attacker&nbsp;knows&nbsp;strategy)</th>
<th>Memorability</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="4">Random password, 4 number PIN</th>
</tr>
<tr>
<td><code>9174</code></td>
<td>50 minutes<span class="red box"></span></td>
<td>50 minutes<span class="red box"></span></td>
<td>Moderate</td>
</tr>
<tr>
<th colspan="4">Random password, 4 alphanumeric characters</th>
</tr>
<tr>
<td><code>a1qd</code></td>
<td>1.7 months<span class="red box"></span></td>
<td>1.7 months<span class="red box"></span></td>
<td>Difficult</td>
</tr>
<tr>
<th colspan="4">Random password, 6 alphanumeric characters</th>
</tr>
<tr>
<td><code>v9ea30</code></td>
<td>560 years<span class="green box"></span></td>
<td>560 years<span class="green box"></span></td>
<td>Difficult</td>
</tr>
<tr>
<th colspan="4">Encoding a word, <a href="http://xkcd.com/936/" onclick="_gaq.push(['_trackPageview', '/outbound/xkcd/troubador']);">Tr0ub4dor</a> style</th>
</tr>
<tr>
<td><code>Tr0ub4dor</code></td>
<td>2.6 years<span class="red box"></span></td>
<td>2.6 years<span class="red box"></span></td>
<td>Moderate</td>
</tr>
<tr>
<th colspan="4">Master Password style</th>
</tr>
<tr>
<td><code>Togu3]ToxiBuzb</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>632 million years<span class="green box"></span></td>
<td>Moderate</td>
</tr>
<tr>
<th colspan="4">Nonsense sentence, <a href="http://xkcd.com/936/" onclick="_gaq.push(['_trackPageview', '/outbound/xkcd/correct-horse']);">correct horse</a> style</th>
</tr>
<tr>
<td><code>correct horse battery staple</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>173 thousand years<span class="green box"></span></td>
<td>Moderate</td>
</tr>
<tr>
<th colspan="4">Real sentence, 4 words (1 verb, 1 noun)</th>
</tr>
<tr>
<td><code>I have a dream</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>8.7 months<span class="orange box"></span></td>
<td>Easy</td>
</tr>
<tr>
<th colspan="4">Real sentence, 4 words (1 adjective, 2 nouns)</th>
</tr>
<tr>
<td><code>My red beach ball</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>551 years<span class="green box"></span></td>
<td>Easy</td>
</tr>
<tr>
<th colspan="4">Real sentence, 6 words (1 adverb, 1 verb, 1 adjective, 1 nouns)</th>
</tr>
<tr>
<td><code>I once had a red ball</code></td>
<td>&gt; age of the universe<span class="green box"></span></td>
<td>27 thousand years<span class="green box"></span></td>
<td>Easy</td>
</tr>
</tbody>
</table>
<p>The numbers on sentences assume the attacker thinks you know no more than 500 adjectives, 2000 nouns, 333 verbs and 300 adverbs. These calculations are very subjective, since language is such a complex thing to write a password cracker for. Never mind adding in punctuation, names or using other languages.</p>
<p>Pick a strategy that works best for you, but remember that <strong>far more important than maximizing the "time to crack" is making your master password memorable and impersonal</strong>.</p>
<h1 id="numbers">What is the basis for your numbers?</h1>
<p>The time-to-crack numbers throughout this website are based on the following assumptions:</p>
<ul>
<li>The attacker can calculate <code>1 479 million</code> SHA-256 hashes per second (<a href="http://hashcat.net/oclhashcat/" onclick="_gaq.push(['_trackPageview', '/outbound/hashcat']);">hashcat on AMD HD 6990</a>)</li>
<li>The attacker can calculate <code>3.3</code> Master Password passwords per second (2GHz MacBook Pro, scrypt N=32768, r=8, p=2, dkLen=64).</li>
</ul>
</div>
<div class="thumb clearfix">
<h1>Other Questions / Issues</h1>
<p>Don't hesitate to send us a message at <a href="mailto:masterpassword@lyndir.com">masterpassword@lyndir.com</a>. I'll get right on your case. Try to include any details you can. Good or common questions will have their answers added to this page.</p>
</div>
</div></section>
<footer><div class="muted content">
<p><em>Master Password is a security product and algorithm by <a href="http://www.lhunath.com" onclick="_gaq.push(['_trackPageview', '/outbound/lhunath']);">Maarten Billemont</a>, <a href="http://www.lyndir.com" onclick="_gaq.push(['_trackPageview', '/outbound/lyndir']);">Lyndir</a> (&copy; 2011-2013).</em></p>
<p><a href="http://gorillas.lyndir.com" onclick="_gaq.push(['_trackPageview', '/outbound/gorillas']);">Gorillas</a><a href="http://deblock.lyndir.com" onclick="_gaq.push(['_trackPageview', '/outbound/deblock']);">DeBlock</a><a href="http://github.com/Lyndir" onclick="_gaq.push(['_trackPageview', '/outbound/github']);">GitHub</a><a href="http://thanks.lhunath.com" onclick="_gaq.push(['_trackPageview', '/outbound/thanks']);">Send Thanks</a></p>
</div></footer>
<!-- Scripts -->
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="js/vendor/jquery-1.9.1.min.js"><\/script>')</script>
<script src="js/vendor/bootstrap.min.js"></script>
<script src="js/plugins.js"></script>
<script src="js/main.js"></script>
<!-- Internet Defense League -->
<script type="text/javascript">
window._idl = {};
_idl.variant = "modal";
(function() {
var idl = document.createElement('script');
idl.type = 'text/javascript';
idl.async = true;
idl.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'members.internetdefenseleague.org/include/?url=' + (_idl.url || '') + '&campaign=' + (_idl.campaign || '') + '&variant=' + (_idl.variant || 'banner');
document.getElementsByTagName('body')[0].appendChild(idl);
})();
</script>
<!-- Google Analytics -->
<script>
var _gaq=[['_setAccount','UA-90535-15'],['_trackPageview']];
(function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];
g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
s.parentNode.insertBefore(g,s)}(document,'script'));
</script>
<!-- Google +1 -->
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<!-- Get Satisfaction -->
<!--script type="text/javascript" charset="utf-8">
var is_ssl = ("https:" == document.location.protocol);
var asset_host = is_ssl ? "https://d3rdqalhjaisuu.cloudfront.net/" : "http://d3rdqalhjaisuu.cloudfront.net/";
document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript" charset="utf-8">
var feedback_widget_options = {};
feedback_widget_options.display = "overlay";
feedback_widget_options.company = "lyndir";
feedback_widget_options.placement = "right";
feedback_widget_options.color = "#222";
feedback_widget_options.style = "question";
var feedback_widget = new GSFN.feedback_widget(feedback_widget_options);
</script-->
<!-- UserEcho -->
<script type='text/javascript'>
var _ues = {
host:'support.lyndir.com',
forum:'13031',
lang:'en',
tab_icon_show:false,
tab_corner_radius:5,
tab_font_size:20,
tab_image_hash:'RmVlZGJhY2s%3D',
tab_alignment:'right',
tab_text_color:'#FFFFFF',
tab_bg_color:'#DDDDDD',
tab_hover_color:'#CCCCCC'
};
(function() {
var _ue = document.createElement('script'); _ue.type = 'text/javascript'; _ue.async = true;
_ue.src = ('https:' == document.location.protocol ? 'https://s3.amazonaws.com/' : 'http://') + 'cdn.userecho.com/js/widget-1.4.gz.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(_ue, s);
})();
</script>
<!-- AdWords -->
<script type="text/javascript">
/* <![CDATA[ */
goog_snippet_vars = function() {
var w = window;
w.google_conversion_id = 1015576061;
w.google_conversion_label = "PcXqCPPz5AIQ_euh5AM";
w.google_conversion_value = 4;
}
goog_report_conversion = function(url) {
goog_snippet_vars();
window.google_conversion_format = "3";
window.google_is_call = true;
var opt = new Object();
opt.onload_callback = function() {
if (typeof(url) != 'undefined') {
window.location = url;
}
}
var conv_handler = window['google_trackConversion'];
if (typeof(conv_handler) == 'function') {
conv_handler(opt);
}
}
/* ]]> */
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion_async.js"></script>
</body>
</html>