Master Password (algorithm)
Master Password is a type of algorithm first implemented by Maarten Billemont for creating unique passwords in a reproducible manner. It differs from traditional password managers in that the passwords are not stored on disk or in the cloud, but are regenerated every time from information entered by the user: their name, a master password, and a unique identifier for the service the password is intended for (usually the URL). By not storing the passwords anywhere, this approach makes it harder for attackers to steal or intercept them. It also removes the need for synchronization between devices, backups of potential password databases and the risk of a data breach. This is sometimes called ''sync-less password management''.


Algorithm

Billemont's implementation involves the following parameters:

* name: The username, used as a salt. The user's full name is chosen as it provides a sufficiently high level of entropy while being unlikely to be forgotten.
* master_password: The secret for generating the master key.
* site_name: A unique name for the service the password is intended for. Usually the bare domain name.
* counter: An integer that can be incremented when the service requests a new password. By default, it is 1.
* password_type: The password type defines the length and the constitution of the resulting password, see below.


Master key generation

In Billemont's implementation, the master key is a global 64-byte secret key generated from the user's secret master password and salted by their full name. The salt is used to avoid attacks based on rainbow tables. The scrypt algorithm, an intentionally slow key derivation function, is used for generating the master key to make a brute-force attack infeasible.

 salt = "com.lyndir.masterpassword" + length(name) + name
 master_key = scrypt(master_password, salt, 32768, 8, 2, 64)


Template seed generation

The template seed is a site-specific secret in binary form, generated from the master key, the site name and the counter using the HMAC-SHA256 algorithm. It is later converted to a character string using the password templates. The template seed makes every password unique to the website and to the user.

 seed = hmac_sha256(master_key, "com.lyndir.masterpassword" + length(site_name) + site_name + counter)


Password generation

The binary template seed is then converted to one of six available password types. The default type is the ''Maximum Security Password''; the others can be selected if the service's password policy does not allow passwords of that format:

* Maximum Security Password (20 ASCII printable characters)
* Long Password (14 ASCII printable characters)
* Medium Password (8 ASCII printable characters)
* Short Password (4 ASCII printable characters)
* Basic Password (8 alphanumeric characters)
* PIN (4 digits)
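The following is an added example that walks the three steps above end to end (master key with scrypt, template seed with HMAC-SHA256, template-based password). It is not Billemont's code, and two details the article leaves open are assumptions made here: `length(...)` and the counter are encoded as 4-byte big-endian integers, and the character-class templates are a constructed, simplified stand-in for the real template tables (they only honour the lengths and character sets listed above). The names and passphrase in the usage call are constructed sample values.

```python
import hashlib
import hmac
import struct

SCOPE = b"com.lyndir.masterpassword"

# Constructed, simplified character classes: one letter per template position.
# These are illustrative and are NOT the real Master Password tables.
CHAR_CLASSES = {
    "V": "AEIOU",
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxyz",
    "a": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
    "x": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()",
}

# Constructed templates per password type; lengths match the article's list.
TEMPLATES = {
    "maximum": ["ano" + "x" * 17, "a" + "x" * 17 + "no"],   # 20 printable chars
    "long":    ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv"],        # 14 printable chars
    "medium":  ["CvcnoCvc", "CvcCvcno"],                     # 8 printable chars
    "short":   ["Cvcn"],                                     # 4 printable chars
    "basic":   ["aaanaaan", "aannaaan"],                     # 8 alphanumeric chars
    "pin":     ["nnnn"],                                     # 4 digits
}


def _len_prefixed(data: bytes) -> bytes:
    # Assumption: length(...) in the pseudocode is a 4-byte big-endian integer.
    return struct.pack(">I", len(data)) + data


def master_key(name: str, master_password: str) -> bytes:
    """scrypt(master_password, salt, N=32768, r=8, p=2, dkLen=64) as in the article."""
    salt = SCOPE + _len_prefixed(name.encode("utf-8"))
    # N=32768, r=8 needs ~32 MiB; raise maxmem above OpenSSL's default cap.
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=32768, r=8, p=2, dklen=64,
                          maxmem=128 * 1024 * 1024)


def template_seed(key: bytes, site_name: str, counter: int = 1) -> bytes:
    """HMAC-SHA256 over scope + length-prefixed site name + counter (4-byte big-endian, assumed)."""
    msg = SCOPE + _len_prefixed(site_name.encode("utf-8")) + struct.pack(">I", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()


def site_password(seed: bytes, password_type: str = "maximum") -> str:
    """Pick a template with seed[0], then pick each character with seed[i+1]."""
    templates = TEMPLATES[password_type]
    template = templates[seed[0] % len(templates)]
    chars = []
    for i, cls in enumerate(template):
        choices = CHAR_CLASSES[cls]
        chars.append(choices[seed[i + 1] % len(choices)])
    return "".join(chars)


def generate(name: str, master_password: str, site_name: str,
             counter: int = 1, password_type: str = "maximum") -> str:
    """Full pipeline: nothing is stored, the same inputs always yield the same password."""
    key = master_key(name, master_password)
    return site_password(template_seed(key, site_name, counter), password_type)


if __name__ == "__main__":
    # Constructed sample inputs; incrementing the counter yields a fresh password.
    for counter in (1, 2):
        print(counter, generate("Alice Example", "correct horse battery", "example.com", counter))
```

Because the site password is a pure function of the inputs, a forgotten or changed master password cannot be "reset": every derived password changes with it, and a leaked master password exposes all sites at once, which is the trade-off for having no stored database.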


Implementations

Billemont also created multiple free software implementations of the Master Password algorithm, licensed under the GPLv3:

* An app for iOS. The iOS implementation was first released in 2012.
* An app for Mac OS X
* An app for Android
* A graphical desktop application written in Java
* A command-line application written in C
* A browser plugin for Firefox and Chromium-based browsers
* A web client written in JavaScript


External links

* Official website: http://masterpasswordapp.com/