Small fixes to the website.
@@ -134,6 +134,8 @@
|
||||
</p>
|
||||
<p>In practice, the secret master password is the only extra thing users will actually need to remember. Their full name, they'll hopefully remember regardless. If the site is always named after the bare domain name, it needn't explicitly be remembered but can be found in the browser's address bar. The counter and type need only be remembered if they are changed from their default values.</p>
|
||||
|
||||
<hr />
|
||||
|
||||
<p>In short, the algorithm involves the following steps:
|
||||
<ol>
|
||||
<li>Calculate the <strong>master key</strong> from a user's name and master password.</li>
|
||||
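Review bot: The `<p>In short, the algorithm involves the following steps:` line opens a paragraph that is still open when the `<ol>` starts, and a `<p>` cannot contain a list. The parser closes the paragraph implicitly at `<ol>`, so the `</p>` that follows `</ol>` ends up creating a stray empty paragraph. Close the paragraph with `</p>` right after "steps:" and drop the one after the list.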
@@ -142,6 +144,13 @@
|
||||
</ol>
|
||||
</p>
|
||||
|
||||
<p>To ensure cross-platform compatibility, we define all data as byte streams using the following encodings for other types:
|
||||
<ul>
|
||||
<li>Strings (eg. <code>"com.lyndir"</code>) are encoded as UTF-8.</li>
|
||||
<li>Numbers (eg. <code>name length</code>) are encoded as 32-bit unsigned integers in network byte order.</li>
|
||||
</ul>
|
||||
</p>
|
||||
|
||||
<h1>The Master Key</h1>
|
||||
<p>The master <code>key</code> is a 64-byte secret key generated by performing expensive key derivation using the user's master password salted by their full name. It represents the user's global secret.</p>
|
||||
<p>The purpose of this process is to deter any attempts at brute-forcing a user's master password from a known site password. The key derivation is done using the <a href="http://www.tarsnap.com/scrypt.html" onclick="_gaq.push(['_trackPageview', '/outbound/tarsnap.com/scrypt.html">scrypt</a> algorithm, which guarantees that the process sufficiently time- and resource-consuming to make brute-forcing an infeasible attack.</p>
|
||||
|
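Review bot: The encoding list defines strings as UTF-8 and uses `name length` as its example of a number, but it does not say whether that length counts UTF-8 bytes or characters. The two differ for any name with non-ASCII characters, and implementations that pick differently would build different byte streams from the same input. Please state the unit in the `<li>Numbers ...` item. Two smaller points further down in the same hunk: the `onclick` attribute on the scrypt link ends at `'/outbound/tarsnap.com/scrypt.html"` without the closing `']);`, so the handler is not valid JavaScript, and "guarantees that the process sufficiently time- and resource-consuming" is missing "is".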