Improvements to UI cleanup, confirm new master passwords, texts updates.

[FIXED]     Immediately open the application on the password entry view
            if the key is forgotten instead of revealing the internals
            in a blink.
[FIXED]     Clean up the UI better when switching between master
            passwords.
[ADDED]     Ask spelling confirmation when a master password is used
            that doesn't have any known sites yet.
[ADDED]     iPad HD quality icon.
[IMPROVED]  Artworks re-generated, downscale improved, convertImages
            improved.
[IMPROVED]  Small guide text improvements.
[UPDATED]   Help texts updated for current operation and UI.
Maarten Billemont
2012-05-20 19:17:22 +02:00
parent 16fc32ee30
commit 44911f1d9e
642 changed files with 215 additions and 110 deletions


@@ -18,6 +18,7 @@
font-size: inherit;
}
h3 {
padding-top: 1.5em;
font-size: 12px;
}
i {
@@ -68,11 +69,11 @@
<h2 id="1">&mdash; 1 &mdash;</h2>
<p>
<b>Find the site</b> that you need a password for by entering it into the <i>search field</i>.
<b>Find the site</b> that you need a password for by entering its name into the <i>search field</i>.
</p>
<p>
<b>While searching</b>, previously used sites will show up along with a <i>usage counter</i>.<br />
The counter indicates the amount of times you've generated a password for that site.
<b>While searching</b>, the names of previously used sites will be listed.<br />
Tap one of these results to go straight to its password.
</p>
<h2 id="2">&mdash; 2 &mdash;</h2>
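Review bot: The rewritten "While searching" paragraph drops the only explanation of the usage counter that the old text said appears next to previously used sites; if the counter is still displayed in search results, readers will see a number with no description of what it means, so either keep a short sentence such as "The counter indicates the amount of times you've generated a password for that site" or confirm the counter is no longer shown in the UI.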
@@ -84,31 +85,38 @@
<p class="Class MPElementStoredEntity">
<b>To change</b> the password for this site, tap the <i>edit icon</i> <img src="icon_edit.png" />.
</p>
<p>
<b>Below the password</b> you can set the <i>password type</i>. Some types <i>create a password for you</i>,
others let you <i>choose your own</i>.
</p>
<p class="Class MPElementGeneratedEntity">
<b>If the site complains</b> when you try to set or update the password, try changing the password type.
</p>
<p class="Class MPElementGeneratedEntity">
<b>To create another</b> password for this site, you can increment the <i>password counter</i> <img src="icon_plus.png" />.
This is useful, for example, when you've had to share the password with somebody else.
<b>To create a new</b> password for this site, you can increment the <i>password counter</i> <img src="icon_plus.png" />.
This is useful, for example, after you've had to share the password with somebody else.
</p>
<h2 id="faq">&mdash; F.A.Q. &mdash;</h2>
<h3>What is this thing?<br />
How do I use it?</h3>
<p>
You use it by searching for the name of your site (you choose this yourself. For Twitter, you could use
<code>twitter</code>, <code>twitter.com</code>, or something else entirely as the name. Just remember how
you name your sites and try to be consistent). Tap the resulting password to copy it for pasting elsewhere
or type it manually on your computer.
<b>Begin by entering the name</b> of the thing you want a password for. Naming is entirely up to you, but remember to be consistent.<br />
<i>Good names</i> could be:<br />
<code>apple.com</code>, <code>john@doe.com</code>, <code>office safe</code>, <code>bike lock</code>, etc.
</p>
<p>
The thought behind this application is to secure your online life by <b>changing all of your passwords</b>
Every name has a different password, so the following names may be <i>difficult to recall</i>:<br />
<code>pw for amazon</code>, <code>pin for my cell</code>, etc.
</p>
<p>
<b>Tap the resulting password</b> to copy it for pasting in a different application or read it to type it in or use it manually elsewhere.
</p>
<p>
The thought behind this application is to secure your online (and offline) life by <b>changing all of your passwords</b>
to passwords generated by this app.
</p>
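Review bot: The new "Tap the resulting password" sentence is a run-on ("copy it for pasting in a different application or read it to type it in or use it manually elsewhere") and would read better split in two, for example "Tap the resulting password to copy it, then paste it in another application. You can also read it off the screen and type it in elsewhere." The "Begin by entering the name" line is also far wider than the surrounding wrap width of this file, so it should be broken like the neighbouring lines.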
@@ -116,8 +124,8 @@
Why would I do that?</h3>
<p>
The theory of password authentication is simple: To log in to a site, you share a secret word with the site
that <b>only you and the site know</b>. Because nobody else knows your secret password, nobody else can log
into your site.
that <b>only you and the site know</b>. Since nobody else knows your secret password, nobody else can log
into your account.
</p>
<p>
It sounds good in theory. In practice, it's an <b>absolute hell</b>. These days, people have hundreds of
@@ -187,10 +195,8 @@
you log in to the account.
</p>
<p>
A <b>Mac version</b> of this app is also in the works so that you can easily get to all of your passwords
without needing to bring up your phone. More technically savvy users can already download a <b>Bash
script</b> from the homepage that can generate these passwords for you on any POSIX system (such as your
Mac).
There is also a <b>Mac version</b> of Master Password available from the App Store. It allows you to
generate any of your passwords without even needing to take out your phone.
</p>
<h3>I'm paranoid.<br />
@@ -202,16 +208,18 @@
</p>
<p>
It's also important that you've chosen a long master password. Short master passwords, especially 4-digit
PIN codes, are easily brute-forced by attackers. Using a <b>12-character master password</b> provides
PIN codes, are trivial to guess by attackers. Using a <b>10-character master password</b> provides
sufficient entropy to protect against any modern-day attempt at brute-forcing, assuming the password is not
based on easily determined facts (names, birth dates, etc.). If you're really paranoid, install a keyboard
of a non-latin script (russian, chinese, ...) and create a master password using these characters or even a
mix between scripts. Just don't forget it! :-)
based on easily determined facts (names, birth dates, etc.). A better idea yet is to use a pass phrase,
ideally an absurd sentence. These are usually much easier to remember and much harder to guess by attackers.
If you're really paranoid, install a keyboard of a non-latin script (russian, chinese, ...) and create a
master password using these characters or even a mix between scripts.<br />
<b>Just don't forget it!</b> :-)
</p>
<p>
If you go into <code>Settings</code>, on the bottom you'll find an entry for this application; tap it to
find some advanced settings for the app. Here, you can disable <code>Remember my password</code>. Doing
so will force the app to ask for your master password each time you open it. That way, when you show your
Using the action icon on the top right, select <code>Settings</code> to find some advanced settings for
the application. Here, you can disable <code>Remember my password</code>. Doing so will force the
application to ask for your master password each time you open it. That way, when you show your
phone to somebody else after unlocking it, they can't go through your passwords.
</p>
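Review bot: Lowering the recommendation from a 12-character to a 10-character master password while keeping the claim that it "provides sufficient entropy to protect against any modern-day attempt at brute-forcing" overstates what length alone guarantees; the entropy of a password comes from how unpredictably it was chosen, not from its character count, and the paragraph itself goes on to say a pass phrase is the better idea. Suggest tying the length figure to randomly chosen characters (or dropping the "any modern-day attempt" wording) and leading with the pass-phrase advice, so the two halves of the paragraph do not contradict each other. Minor: "non-latin (russian, chinese, ...)" should capitalise the script names.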
@@ -222,32 +230,42 @@
passwords are <b>gone</b>.
</p>
<p>
Where you go from here is, you change your master password (In <code>Settings</code>, flip <code>Change my
password</code> and start the app again), and for each of your accounts, you go through the password
recovery procedure (which will usually involve sending a message to your E-Mail account) and reset the
passwords of these accounts to passwords generated by your newly chosen master password. Just don't forget
it again! :-)
Where you go from here is, you log in with a new master password, and for each of your accounts, you go
through the password recovery procedure (which will usually involve sending a message to your email account)
and reset the passwords of these accounts to passwords generated by your newly chosen master password.<br />
Just don't forget it again! :-)
</p>
<h3>So how does this thing work internally?</h3>
<p>
Alright, let's describe the process in detail. This part will likely make sense to you only if you're
well versed in computer security jargon. If you're the kind of person who likes to know how the clock
ticks before deciding that it can be trusted to keep ticking, read on.
The way Master Password works internally is <i>fully disclosed</i>. The source code for this application
is also available from <b>GitHub</i>. I invite anyone with a technical background to go through these
resources to make certain of the trustworthyness of Master Password.
</p>
<p>
This part will likely make sense to you only if you're well versed in computer security jargon. If you're
the kind of person who likes to know how the clock ticks before deciding that it can be trusted to keep
ticking, read on.
</p>
<p>
The user chooses a single master password, preferably sufficiently long to harden against brute-force
attacks. When the user requests a password be generated for a site, the application composes a string
consisting of the site name, the master password, and a password counter, delimited in that order by a dash
character, and hashes those <code>UTF-8</code> bytes using the <code>SHA-1</code> algorithm. The bytes
resulting from this hashing operation are called the <code>keyBytes</code> in the next steps.
attacks. The application then creates a scrypt key derivative from the user's password. This process
takes quite a bit of processing time and memory. It makes brute-forcing the master password
<b>far more difficult</b>, to practically infeasible, even for otherwise vulnerable password strings.
</p>
<p>
When the user requests a password be generated for a site, the application composes a byte buffer
consisting of the site's name (<code>UTF-8</code> encoded), the key derived from the master password,
and a password counter, delimited in that order by a NUL byte. The bytes are hashed using the
<code>SHA-1</code> algorithm. The bytes resulting from this hashing operation are called the
<code>seed</code> in the next steps.
</p>
<p>
Next, we need the password type that the user has chosen to use for the site. Password types determine the
<q>cipher</q> that will be used to encrypt <code>keyBytes</code> into a readable password. For
<q>cipher</q> that will be used to encrypt <code>seed</code> into a readable password. For
instance, the standard password type <q>Long Password</q> activates one of three pre-set ciphers:
<code>CvcvCvcvnoCvcv</code>, <code>CvcvnoCvcvCvcv</code> or <code>CvcvCvcvCvcvno</code>. Which of those
will be used, depends on the first of the <code>keyBytes</code>. Take the byte value modulo the amount of
will be used, depends on the first of the <code>seed</code> bytes. Take the byte value modulo the amount of
pre-set ciphers (in this case, three), and the result tells you which of the three ciphers to use.
</p>
<p>
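Review bot: The line "available from <b>GitHub</i>" opens a <b> tag and closes it with </i>, which leaves the <b> unclosed for the rest of the page and will render the remainder of the help text in bold; change it to <b>GitHub</b>. The same paragraph misspells "trustworthyness" (should be "trustworthiness"). In the scrypt paragraph, "creates a scrypt key derivative from the user's password" does not say what salt and cost parameters are used, and since this section presents itself as a full disclosure of the algorithm, the salt input and the scrypt N/r/p settings should be stated so that a reader can actually verify the derivation. Finally, "practically infeasible, even for otherwise vulnerable password strings" promises too much: scrypt raises the cost of each guess but does not make a weak or dictionary master password safe, so wording along the lines of "far more expensive, which protects reasonably strong master passwords against offline guessing" would be more accurate and consistent with the paragraph above that still asks for a long master password.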
@@ -256,8 +274,8 @@
character in the cipher represents a set of possible output characters. For instance, a <code>C</code>
character in the cipher indicates that we need to choose a capital consonant character. An <code>o</code>
character in the cipher indicates that we need to choose an <q>other</q> (symbol) character. Exactly which
character to choose in that set for the password output depends on the next byte from <code>keyBytes</code>.
Like before, take the next unused <code>keyByte</code>'s byte value modulo the amount of characters in the
character to choose in that set for the password output depends on the next byte from <code>seed</code> bytes.
Like before, take the next unused <code>seed</code> byte's byte value modulo the amount of characters in the
set of possible output characters for the cipher iteration and use the result to choose the output
character. Repeat until you've iterated the whole cipher.
</p>
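Review bot: "depends on the next byte from <code>seed</code> bytes" reads awkwardly after the rename from keyBytes; "the next byte of the <code>seed</code>" matches the wording used in the previous hunk. It is also worth a sentence here that selecting a character with "byte value modulo the amount of characters in the set" is slightly biased towards the first characters of the set whenever the set size does not divide 256, since a reader checking the scheme's output distribution will notice this and the text currently presents the selection as uniform.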