MasterPassword/Resources/help.html
Maarten Billemont 7be9884075 Better abstraction for key & algorithm + V1
[IMPROVED]  A master password key is now better abstracted in an object.
[IMPROVED]  A master password algorithm is now better abstracted in an
            object.
[ADDED]     Elements now have a specific algorithm version.
[ADDED]     Automatic/explicit migration of elements.
[ADDED]     Searching outdated elements.
2012-07-17 22:57:11 +02:00


<!DOCTYPE HTML>
<html>
<head>
<style>
body {
color: white;
text-align: center;
text-shadow: 0 1px black;
font: 16px "Baskerville";
}
h1, h2 {
margin-top: 1.5em;
padding-top: 1em;
font-family: inherit;
font-weight: bold;
}
h2 {
font-size: inherit;
}
h3 {
padding-top: 1.5em;
font-size: 12px;
}
i {
font-weight: bold;
}
q {
font-style: italic;
}
img {
display: inline-block;
height: 1.4em;
margin: -0.2em 0;
vertical-align: middle;
}
a, a:link {
color: inherit;
font-weight: bold;
}
header {
height: 8em;
padding: 3em 0 0;
}
header h1, header h2 {
margin: 0;
padding: 0.5ex;
}
header h3 {
padding-top: 2em;
}
</style>
<script src="jquery-1.6.1.min.js" type="text/javascript"></script>
<script type="text/javascript">
function setClass(activeClass) {
$(".Class").css("display", "none");
if (!$(".Class." + activeClass).length)
return "Not found: " + activeClass;
$(".Class." + activeClass).css("display", "block");
}
</script>
</head>
<body>
<header>
<h1>Master Password</h1>
<h2>by <a href="http://www.lyndir.com">Lyndir</a></h2>
<h3>&copy; 2011</h3>
</header>
<h2 id="1">&mdash; 1 &mdash;</h2>
<p>
<b>Find the site</b> that you need a password for by entering its name into the <i>search field</i>.
</p>
<p>
<b>While searching</b>, the names of previously used sites will be listed.<br />
Tap one of these results to go straight to its password.
</p>
<h2 id="2">&mdash; 2 &mdash;</h2>
<p>
<b>The site</b>'s password is now displayed.<br />
Tap it to <i>copy the password</i>. Once copied, you can switch to another application and paste it into a password field.
</p>
<p class="Class MPElementStoredEntity">
<b>To change</b> the password for this site, tap the <i>edit icon</i> <img src="icon_edit.png" />.
</p>
<p>
<b>Below the password</b> you can set the <i>password type</i>. Some types <i>create a password for you</i>,
others let you <i>choose your own</i>.
</p>
<p class="Class MPElementGeneratedEntity">
<b>If the site complains</b> when you try to set or update the password, try changing the password type.
</p>
<p class="Class MPElementGeneratedEntity">
<b>To create a new</b> password for this site, you can increment the <i>password counter</i> <img src="icon_plus.png" />.
This is useful, for example, after you've had to share the password with somebody else.
</p>
<h2 id="faq">&mdash; F.A.Q. &mdash;</h2>
<ol>
<li><a href="#what" >What is it and how do I use it?</a></li>
<li><a href="#why" >Why do I need Master Password?</a></li>
<li><a href="#custom" >A password was given to me.</a></li>
<li><a href="#loss" >What if I lose my device?</a></li>
<li><a href="#device" >Am I dependent on my device?</a></li>
<li><a href="#paranoid" >How do I maximize my security?</a></li>
<li><a href="#hacked" >A website I use got hacked!</a></li>
<li><a href="#forgot" >I forgot my master password!</a></li>
<li><a href="#algorithm">How does Master Password work?</a></li>
<li><a href="#branded" >Do you offer enterprise solutions?</a></li>
</ol>
<h3 id="what">What is Master Password and how do I use it?</h3>
<p>
Master Password <b>creates secure and unique passwords for you</b>, so you don't have to.<br />
The human brain is not well suited for creating secure and random passwords, and it's also terrible at remembering lots of unique passwords.
Master Password does the work for you: all you need to do is remember a single long and secure master password to log into the app.
</p>
<p>
<b>Begin by entering the name</b> of the thing you want a password for. Naming is entirely up to you, but remember to be consistent.<br />
<i>Good names</i> could be:<br />
<code>apple.com</code>, <code>john@doe.com</code>, <code>office safe</code>, <code>bike lock</code>, etc.
</p>
<p>
Every name yields a different password, so names you might phrase differently the next time are <i>difficult to recall</i> and will produce the wrong password, for example:<br />
<code>pw for amazon</code>, <code>pin for my cell</code>, etc.
</p>
<p>
<b>Tap the resulting password</b> to copy it for pasting into a different application, or read it off the screen to type it in or use it manually elsewhere.
</p>
<p id="why">
The thought behind this application is to secure your online (and offline) life by <b>changing all of your passwords</b>
to passwords generated by this app.
</p>
<h3>That's crazy talk.<br />
Why would I do that?</h3>
<p>
The theory of password authentication is simple: To log in to a site, you share a secret word with the site
that <b>only you and the site know</b>. Since nobody else knows your secret password, nobody else can log
into your account.
</p>
<p>
It sounds good in theory. In practice, it's an <b>absolute hell</b>. These days, people have hundreds of
accounts on sites all over the Internet. Does that mean we're all remembering hundreds of secret passwords?
No, of course not. That would be impossible. If you're like most people, you remember one or two
passwords, and use those for all your sites everywhere.
</p>
<p>
<q>So, what?</q>, you might say.<br />
Here's the problem: When you share a secret password with a site, and then share the same secret password
with another site, both sites can now use the password you gave them to log into your account on the
<i>other</i> site. Nothing is stopping them from trying to log into <i>your</i> GMail, Hotmail or Twitter
accounts using the same password that you used to register an account on their site. Even if you only give
your password to sites you trust, all it takes is for one of those sites to get hacked and lose their
passwords database. Those hackers now have all it takes to impersonate you.
</p>
<p>
Some of you already try to remember unique-ish passwords for different sites. This causes problems too:
with so many passwords to remember, you easily forget passwords for sites you haven't used in a while. Or
you make up a simplification algorithm such as tacking your birth year onto the site name. This is really
not any more secure than using the same password for every site. And then there are those sites with
<q>password policies</q>: suddenly your long password isn't good enough, because it begins with a number,
or because (god forbid) it's <q>too long</q>. You now find yourself forced to create a strange variant
of your password that you'll have forgotten before the day is out.
</p>
<p>
This app <b>solves the problem</b> by letting you remember only a single password without requiring you to
share the password with anyone else. Instead, the app creates secure passwords for use with whatever site
or purpose you might need a password for.
</p>
<h3 id="custom">I can't change all my passwords.<br />
Some of them were assigned to me.</h3>
<p>
That's why this application allows you to change the password type to <code>Personal</code> or <code>Device
Private</code>. These types let you enter a password for a site, and the app will encrypt and save it so
that it's there for future reference.
</p>
<p>
These types of <q>stored</q> passwords don't have all the advantages that their generated counterparts have
(they can be lost if you lose your device and don't back it up), but when you can't change a site's
password to one generated by the app, this is as good as it gets.
</p>
<h3 id="loss">So, what if I lose my device?<br />
I'm locked out of everything?</h3>
<p>
<b>Absolutely not!</b> In fact, generated passwords aren't even stored on your device. No, not in the
cloud either. They're not stored anywhere! What that basically means is, if you grab the iPhone of a
colleague or friend and open this app on it, re-create your user and log in, <i>it'll give you all your
generated passwords</i>. So, if you lose your iPhone or forget it, just open the app on your iPad,
or borrow a friend's device, and you're back in business. No backups or restores needed.
</p>
<p>
This also means that, unlike all those apps that store your passwords or send them off to be stored on the
Internet, this app makes your passwords much safer from theft. If your device is stolen, the thieves can't
get at your passwords, provided you haven't told the app to save your master password or keep you logged in
(see <a href="#paranoid">How do I maximize my security?</a>). There's also no cloud service that can be mis-managed or hacked.
</p>
<h3 id="device">Great, but that still means I need my device to get my passwords.</h3>
<p>
Correct. However, remember that usually you'll only need to use this app once for each site. After you log
into a site once using the password generated by this app, your browser will probably ask you to remember
the password for the future. Agree to that, and you won't need to bring up your device again the next time
you log in to the account.
</p>
<p>
There is also a <b>Mac version</b> of Master Password that will be released on the Mac App Store.
It allows you to generate any of your passwords without the need to bring out your device.
</p>
<h3 id="paranoid">I'm paranoid.<br />
How do I maximize my security?</h3>
<p>
The <b>most important</b> aspect to the security of your passwords is your <b>master password</b>. Make sure
you've chosen a <em>long and unique master password</em>. Master Password's algorithm makes it exceedingly
difficult for an attacker to try and guess your master password, but that doesn't make you invulnerable when
your master password is short or easy to guess. Ideally, your master password should be <em>longer than 10 characters</em>.
<b>An absurd sentence is a great idea</b>, especially if you add non-English or gibberish words to it.
Absurd sentences are long and high in entropy, but also particularly easy for the human brain to remember.
</p>
<p>
Armed with a good master password, your next step is to assign generated passwords to all of your sites.
By default, Master Password creates passwords that are secure and still easy to copy from your device to a
computer by keyboard. If you prefer, you can go into Master Password's preferences (using the top-right icon)
and change the default password type to <code>Maximum Security</code>. Any new sites will now generate
passwords that are even higher in entropy. These types of passwords are nigh impossible for an attacker to
brute-force (though a <code>Long Password</code> really is secure enough for most any purpose, see
<a href="#hacked">What if a site I use gets hacked?</a>).
</p>
<p>
Also check out the application's preferences (using the action icon on the top right, select <code>Preferences</code>).
Make sure that <code>Save Password</code> is disabled. Saving your password is a convenience feature that lets your
device save your master password so you don't need to enter it anymore. It also means that if somebody finds your device
somewhere or steals it, the only obstacle between them and your passwords is your device's PIN code (assuming you even
have one set).<br />
If you go into <code>Settings</code> from the <code>Preferences</code> page, you'll see some global application settings.
Make sure that <code>Stay logged in</code> is disabled here. If enabled, Master Password will not log you out when you
close the app. Your master password isn't saved on your device, but it is kept in memory for as long as your device remains
powered on. Again, a malicious person can easily get to your passwords if they find your device powered on and logged
into Master Password.
</p>
<h3 id="hacked">What if a site I use gets hacked?</h3>
<p>
There have been some high-profile password database leaks lately. LinkedIn, eHarmony, Last.fm, to name a few,
have lost millions of people's password hashes. In these cases, attackers have obtained a <q>hash</q> of
the passwords of all of these people, which makes it much easier for them to guess their real password.
A single sophisticated computer can be used to try about 200 million password combinations per second in an
attempt to find the real password behind a hash. That means these millions of people should be really worried
about their account's security.<br />
However, if your account is protected by a <code>Long Password</code> generated by Master Password, it would
take an attacker with ten sophisticated machines multiple lifetimes to find your actual password from a hash.
If the attacker knew beforehand that you had used Master Password to generate your password, he could make
his approach smarter and ten sophisticated machines would still take more than a year of constantly trying
millions of password combinations to find out your actual password.<br />
If instead you used a <code>Maximum Security</code> password to protect your account, the time it would take
for an attacker to brute-force your password goes completely off the scale: 10,000 sophisticated machines
would take up to 312409704477000000 years to try and find your password, even if the attacker knew you're
using Master Password.
</p>
<p>
If you're worried anyway or you need a new password for your site for some other reason, tap the password
counter button (the plus icon) to instantly create a new password for that site.
</p>
<p>
Long story short: When a website you use gets hacked and your password hashes are revealed to hackers, this
is a big problem for the security of your account, but only if you're <b>not</b> using Master Password.
</p>
<h3 id="forgot">I forgot my master password. What are my options?</h3>
<p>
Due to the nature of this app's algorithms and the decisions that were made to protect against brute-force
attacks, it is simply infeasible to recover your master password. If you really can't remember it, your
passwords are <b>gone</b>.
</p>
<p>
Where you go from here is: on the unlock screen, tap and hold your user. A dialog will pop-up that will allow
you to reset your master password. Assign a new master password, log in, and for each of your accounts, go
through the password recovery procedure (which will usually involve the site sending a mail to your email account)
and reset the passwords of these accounts to passwords generated by your newly chosen master password.<br />
Now don't forget it again! :-)
</p>
<h3 id="algorithm">So how does this thing work internally?</h3>
<p>
The way Master Password works internally is <a href="http://masterpassword.lyndir.com/algorithm.html">fully disclosed</a>.
The source code for this application is also available from <a href="https://github.com/Lyndir/MasterPassword">GitHub</a>.
I invite anyone with a technical background to go through these resources to make certain of the trustworthiness of Master Password.
</p>
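<p>
The following Python sketch is an added example written for this page; it is <em>not</em> the project's code and
<em>not</em> the published Master Password algorithm linked above. It illustrates the stateless design the help text relies on
in several places: a slow, memory-hard key derivation from the master password and user name (why the master password can't be
recovered, and why a short one is the weak point), a per-site seed keyed by the site name and counter (why nothing has to be stored
and the same passwords appear on any device, why <code>apple.com</code> and <code>pw for apple</code> give unrelated passwords,
and why incrementing the counter yields a fresh password), and a template per password type that turns seed bytes into characters
(why the type, not just the length, bounds what an attacker who knows the generator has to search). The domain string, scrypt
parameters, character classes and templates are all assumptions chosen for illustration; the sample inputs are constructed.
</p>

```python
"""Stateless password derivation in the style this help page describes.

Added example for this page: NOT the Master Password algorithm and not the
project's code.  DOMAIN, the scrypt parameters, CLASSES and TEMPLATES are
illustrative assumptions.
"""
import hashlib
import hmac
import math
import struct

DOMAIN = b"example.stateless-passwords"  # assumed namespace string

# Assumed character classes: consonants/vowels give typeable output,
# "x" is the full mixed class used for the strongest type.
CLASSES = {
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "c": "bcdfghjklmnpqrstvwxyz",
    "V": "AEIOU",
    "v": "aeiou",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
    "x": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()",
}

# Assumed templates, keyed by the password type names used on this page.
TEMPLATES = {
    "Long Password": ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv"],
    "Maximum Security": ["x" * 20],
}


def master_key(master_password: str, user_name: str) -> bytes:
    """Slow, memory-hard KDF: the step that makes guessing the master password
    expensive.  The user name is in the salt so two users sharing a master
    password get unrelated keys.  (Parameters are assumptions.)"""
    salt = DOMAIN + struct.pack(">I", len(user_name)) + user_name.encode("utf-8")
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def site_seed(key: bytes, site_name: str, counter: int) -> bytes:
    """Per-site seed: a MAC over site name and counter under the master key.
    Nothing is stored; any change to the inputs gives an unrelated seed."""
    msg = (DOMAIN + struct.pack(">I", len(site_name)) + site_name.encode("utf-8")
           + struct.pack(">I", counter))
    return hmac.new(key, msg, hashlib.sha256).digest()


def render(seed: bytes, password_type: str) -> str:
    """Map seed bytes onto a template: seed[0] picks the template, seed[i+1]
    picks the character for slot i.  `%` adds a small modulo bias (ignored)."""
    templates = TEMPLATES[password_type]
    template = templates[seed[0] % len(templates)]
    assert len(template) < len(seed)  # one seed byte per slot plus the selector
    return "".join(CLASSES[cls][seed[i + 1] % len(CLASSES[cls])]
                   for i, cls in enumerate(template))


def site_password(master_password: str, user_name: str, site_name: str,
                  counter: int = 1, password_type: str = "Long Password") -> str:
    """Whole pipeline: master password + user name -> key -> seed -> password."""
    key = master_key(master_password, user_name)
    return render(site_seed(key, site_name, counter), password_type)


def matches_template(password: str, password_type: str) -> bool:
    """True if the password could have been produced by one of the type's templates."""
    return any(len(password) == len(t)
               and all(ch in CLASSES[cls] for ch, cls in zip(password, t))
               for t in TEMPLATES[password_type])


def template_entropy_bits(password_type: str) -> float:
    """log2 of the number of distinct outputs a type can produce: the space an
    attacker who knows the generator must search (modulo bias ignored)."""
    total = sum(math.prod(len(CLASSES[cls]) for cls in t)
                for t in TEMPLATES[password_type])
    return math.log2(total)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for site in ("apple.com", "pw for apple"):
        for counter in (1, 2):
            print(site, counter, site_password("correct horse battery staple",
                                               "Robert Lee Mitchell", site, counter))
    for t in TEMPLATES:
        print(t, round(template_entropy_bits(t), 1), "bits")
```

<p>
Running it shows the properties the page relies on: the same inputs give the same password on any machine with no state,
a one-character change to the site name or a counter bump gives an unrelated password, and the assumed
<code>Maximum Security</code> template offers roughly 123 bits of search space against the assumed <code>Long Password</code>
template's roughly 49 bits. Those figures belong to the assumed templates only; the real app's templates and parameters are
in the published algorithm.
</p>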
<h3 id="outdated">Is the algorithm stable?<br />
Will my passwords ever change?</h3>
<p>
While we're very confident of the strength of the Master Password algorithm, we also keep a close eye on how
attackers' tools and capabilities evolve. To give you the best possible protection, there is always the possibility
that we'll have to make tweaks to the Master Password algorithm in order to fend off new attacks.
</p>
<p>
Usually, these tweaks will be automatically applied when you install the latest version. In this case, you will notice
nothing and all you need to take away from this is that it's best to always be running the latest version of Master Password.
</p>
<p>
It is possible, however, that to apply an upgrade to your passwords, a new password will need to be set for your site's
account. In this case, Master Password will leave your passwords the way they are but give you the <em>option</em> of
upgrading your passwords when it's convenient to you. Whenever you're ready, just tap the upgrade password icon and
Master Password will show you the old password and the new one so that you can easily update your site's account.
</p>
<p>
<em>Please note</em>: if Master Password warns you that you have outdated passwords, it's best to upgrade them all
as soon as convenient. If you lose your device or data and recreate your Master Password user on another device,
Master Password can only regenerate the passwords for you that you've upgraded. iCloud/iTunes sync or exports are not
affected, so these are good ways to safely back up your passwords.
</p>
<p>
<a href="?outdated">Tap here</a> to check if you have any outdated passwords.
</p>
<h3 id="branded">This stuff is gold.<br />
I want one branded for our company.</h3>
<p>
<a href="mailto:masterpassword@lyndir.com">Contact me</a> directly for enterprise inquiries.
I can provide branded clients and enterprise distribution if your company is interested in deploying this solution internally.
</p>
<p>
Master Password can also be used as a One-Time Password token generator to secure your infrastructure and client access.
</p>
<footer>
<a href="http://masterpassword.lyndir.com">Homepage</a> | <a href="http://www.lyndir.com">Lyndir</a> |
<a href="http://www.lyndir.com/contact">Contact</a>
</footer>
</body>
</html>