The master key is a 64-byte secret key generated by performing expensive key derivation using the user's master password salted by their full name. It represents the user's global secret.
The purpose of this process is to deter any attempts at brute-forcing a user's master password from a known site password. The key derivation is done using the scrypt algorithm, which guarantees that the process sufficiently time- and resource-consuming to make brute-forcing an infeasible attack.
+The purpose of this process is to deter any attempts at brute-forcing a user's master password from a known site password. The key derivation is done using the scrypt algorithm, which guarantees that the process sufficiently time- and resource-consuming to make brute-forcing an infeasible attack.
The key derivation is salted by the user's full name to prevent the generation of rainbow tables on the algorithm. This salt is not secret, and the user's full name is chosen because it is an input of sufficiently high entropy while being (hopefully) impossible to forget by the user.
key = scrypt( P, S, N, r, p, dkLen ) @@ -281,7 +281,7 @@ passWord[i] = passChardiff --git a/Site/2013-05/faq.html b/Site/2013-05/faq.html index 9a9eca4c..692ce39f 100644 --- a/Site/2013-05/faq.html +++ b/Site/2013-05/faq.html @@ -44,7 +44,7 @@
|
+ iPhone / iPad |
Mac
|
- Desktop (Java)
|
- Terminal (Java
/
+ Desktop (Java) |
+ Terminal (Java /
Native C
) |
- Android (Beta)
|
+ Android (Beta) |
Web (Beta)
Master Password is based on a stateless algorithm which frees it from the reliance on storage of secrets.
Since your generated passwords aren't saved to your device, there is no risk you'll be forced to divulge them to aggressive peers. And since these passwords don't need to be backed up or synchronized between devices over the network, there is no risk of them getting intercepted.
-Finally, Master Password is free software (GPLv3), its algorithm extensively documented and does not require you to trust any external party. This is particularly interesting in a society where things like Finally, Master Password is free software (GPLv3), its algorithm extensively documented and does not require you to trust any external party. This is particularly interesting in a society where things like PRISM and gag orders are a real threat.
@@ -132,7 +133,7 @@ diff --git a/Site/2013-05/privacy.html b/Site/2013-05/privacy.html index a9fe547f..1092216b 100644 --- a/Site/2013-05/privacy.html +++ b/Site/2013-05/privacy.html @@ -44,7 +44,7 @@