diff --git a/Site/2013-05/security.html b/Site/2013-05/security.html index 5c5687d1..c40df242 100644 --- a/Site/2013-05/security.html +++ b/Site/2013-05/security.html @@ -73,8 +73,43 @@

The following is an overview of the security properties of the Master Password solution. It aims to answer all questions related to the strengths and weaknesses of the algorithm behind Master Password. If you have any unanswered questions after reading this page, don't hesitate to get in touch.

-

What Does Master Password Give Me?

-

What do you need from passwords? You need security. Security is an extremely vague term, and excessively over-used in marketting material. Terms such as encryption, military-strength, and so on are used freely without context. As a customer, it is now your responsibility to put these terms into context and evaluate how well a solution really helps with the safety of your private data.

+

We'll begin with a prelude to account security. If you are interested specifically about Master Password, you can skip right ahead to the next section.

+ +

How do I keep my accounts secure?

+

Security is a tough subject, and yet we all need it. Knowledge about good security practices should not be limited to professionals: we all have to protect our privacy and keep our identities from getting abused.

+

Security doesn't need to be tough. It can just be common sense. We all know to lock our houses at night or cars in the parking lot. We all teach our children to buckle up in the car and not to blindly trust strangers. It's time to learn some common sense on digital security.

+

Let's dive in. What do you really need to keep your accounts and information secure?

+
+
    +
  1. Well placed trust: every website you put information on can willfully or accidentally betray that trust.
    2. +
  2. Adequate protection: websites assume that only you know your password. You need to ensure that remains true.
    3. +
  3. Secure channels: contrary to how it appears, on the Internet you are never alone unless you are on a secure channel.
    4. +
+ +
+

Well Placed Trust

+

The security of your account with a website is mostly in the hands of that website's care takers. Regardless of how strong your passwords are, sloppy administration on their end means attackers might be able to bypass your password or simply copy it from of their database. Websites should store passwords as uniquely salted hashes and you should insist that they do, for your protection.

+

It is also imperative that you use unique passwords for each site. It will prevent hackers or a rogue site administrator from secretly trying to steal your identity by using your password of one site to get into your other sites. Unique passwords are your only weapon against mistakes made by website owners.

+

Also be careful with what information you share and whether you truly feel that information is safe in the hands of a person or company you may not know as well as you think you do, or may not be as trustworthy as you feel they should be.

+
+ +
+

Adequate Protection

+

Passwords are a very sub-par protection measure, but they're the most convenient and wide-spread authentication method in use. A password is a secret "word" shared between you and the other end which is meant to convince them that you are who you say you are. They only work if you and they are the only ones who know that "word". Which means, passwords should be unguessable and they should not be shared with any person or any other site.

+
+ +
+

Secure Channels

+

The Internet is a very alien place to most of us. We are used to the real world where we know what's around us and we know who can hear us when we speak. These assumptions do not hold true on the Internet. Most of what you'll do on the Internet may feel like an interaction between you and a website, while in reality everything you say and do is recorded on hundreds of computers and possibly listened in on by many individuals hidden to you.

+

It is therefore essential that while on the Internet, you behave like you would in a public space, say a market square or cafe. Only when you are on a secure channel, such as an HTTPS website, should you feel safe to share private information. Before you type anything in on a website that you don't want to shout out in a market square (that includes passwords!), check whether your channel is secure and whether you trust the website to + keep it private.

+
+
+
+ +
+

What Does Master Password Give Me?

+

What do you need from passwords? You need security. Security is an extremely vague term, and excessively over-used in marketing material. Terms such as encryption, military-strength, and so on are used freely without context. As a customer, it is now your responsibility to put these terms into context and evaluate how well a solution really helps with the safety of your private data.

How do you properly evaluate the security of a product? Investigate what kind of security the product really gives you. There are a few key points on which you should evaluate security:

@@ -89,31 +124,58 @@ How easy is it to use this product? How likely are you to bypass it for convenience? +

In summary: Master Password aims to solve each of these security problems rather than just focussing on one. It gives you unique strong passwords for each site that are also easy to use, generated in a way that makes them immune to data loss, completely independant from any third parties using an algorithm hardened against any known attack vector.

+

STRENGTH: Why Is Master Password Strong?

-

The first point is pretty obvious, we want to keep malicious people out. Unfortunately, these people are getting increasingly more creative and are targetting as many people as they possibly can. In the next few years, you WILL become the target of somebody's attack, most likely more than once. News reports of millions of people's accounts having been put at risk are becoming ever more frequent.

+

The first point is pretty obvious, we want to keep malicious people out. Unfortunately, these people are getting increasingly more creative and are targeting as many people as they possibly can. In the next few years, you will become the target of somebody's attack, most likely more than once. News reports of millions of people's accounts having been put at risk are becoming ever more frequent.

When we evaluate the strength of a password solution, there are two important aspects that we need to consider:

  1. STRONG PASSWORDS: How hard is it for an attacker to get into one of my web accounts protected by these passwords?
  2. STRONG CRYPTOGRAPHY: - How hard is it for an attacker to get to all my passwords by attacking my app itself?
    3. + How hard is it for an attacker to get to all my passwords by attacking my password app?

Master Password solves the strong passwords problem

- by generating passwords for you with extremely high entropy. We've found that humans are exceedingly bad at coming up with good passwords, especially when they need a new one every week for a new site they sign up with. Master Password therefore takes the guesswork out of it and generates high-entropy, memorable passwords. Thanks to the high entropy, when a hacker obtains all of LinkedIn's password hashes - again, they likely still won't be able to brute-force your real LinkedIn password out of it.

-

If you used an evenly distributed custom 6-character alphanumeric password (0wn3dZ doesn't count), it might take an insistant attacker 3 months to brute-force your password from a leaked hash. If you used Master Password's default Long Password instead, it would take that same attacker more than a year of non-stop focus on your password. If you used Master Password's Maximum Security type, it would take him up to 312409704477000007680 - years.

+ again, they won't be able to brute-force your real LinkedIn password from it.

+

If you used an evenly distributed custom 8-character alphanumeric password (p4sSw0rD doesn't count), it would only take a powerful attacker 1.7 days to brute-force your password from a leaked hash. If you used Master Password's default Long Password instead, it would take that same attacker 1.4 years of non-stop focus on your password, assuming they already know you used Master Password. If they don't, + that time goes up to 26 billion years. If you used Master Password's Maximum Security type, it would take up to 422460722753999994880 years.

+
+

Master Password solves the strong cryptography problem

- by using key derivation.

+ through careful selection of strong cryptographic algorithms to counter all known attack vectors. It took quite a bit of research and tweaking to get a solid algorithm that adequately deals with any attack vectors known to specialists. Getting cryptography right isn't a simple matter of doing some encryption of your hashing. Algorithms should be as simple as possible, because each aspect of complexity introduces new attack vectors, and simple algorithms are + easier to evaluate and trust.

+

A solution like Master Password needs to strengthen itself against a few different types of attacks, many of which are not immediately obvious. Master Password has been hardened to defeat:

+
    +
  1. Brute-force attacks against the master key.
    2. +
  2. Brute-force attacks against the user's master password.
    3. +
  3. Length extension attacks against the hash functions.
    4. +
  4. Rainbow table attacks against the master password.
    5. +
  5. Future-proofing by considering more powerful computers and as yet unknown weaknesses in hashing algorithms.
    6. +
+ +

Brute-force attacks against the master key

+ are defeated by deriving a very long (64-byte) master key from the user's master password. As a result, brute-force attacks that aim to guess the master key used to compute a site's password would take up to 137983530581000001620252739433368710545408 years to find the right master key.

+

Brute-force attacks against the user's master password

+ are defeated through the use of resource-intensive scrypt-based key derivation which makes this attack a few million times harder to execute than an ordinary brute-force attack. Thanks to this defence, it would take 560 years to discover a 6-character alphanumeric master password.

+

Length extension attacks against the hash functions

+ are mitigated by selecting hashing functions that have no known length extension attack vectors, concatenating their inputs in careful ordering and delimiting them with field-length prefixes.

+

Rainbow table attacks against the master password

+ are mitigated through the introduction of a unique salt to each person's master key derivation process. Since we need a solution that remains stateless, we can't use a blob of secure random data as the salt. We've instead opted to use the user's full name to seed the key derivation. Even though there are some people with the exact same full name, the fact that there's so many possible full name combinations makes the effort to construct an expensive rainbow + table for each name entirely invaluable.

+

Future-proofing by considering more powerful computers and as yet unknown weaknesses in hashing algorithms

+ is especially important in the world of cryptography. Computers are getting ever more powerful and new attack vectors are found. To protect the algorithm against factors we don't yet know about, we've ensured that the security guarantees are sufficiently excessive such that if they're weakened in the future, there'll likely remain sufficiently strong to not be broken. We've employed defensive algorithms that perform operations in moderate excess of the + bare minimum we'd need but are known to provide extra mitigation facilities against possible weaknesses in, for example, the hash functions in use. For example, we've chosen to use HMAC-SHA-256 as opposed to simply SHA-256, even though the latter has no known attack vectors today. If in the future a length extension attack or similar is found against this algorithm that might weaken our use of it, it is likely that the HMAC component + will defeat such an attack.

These things are hard to get right.

-

Security is hard to get right. Applying some "military strength" encryption, doing some "hashing" and topping it off with some "proprietory" encoding doesn't suffice. There are many ways in which you can unintentionally open the door for attackers to weaken your solution or make it trivial to get in. When you evaluate a product consider proprietary algorithms and missing details on why it is "secure" as glaring red flags. +

Security is hard to get right. Applying some "military strength" encryption, doing some "hashing" and topping it off with some "proprietary" encoding doesn't suffice. There are many ways in which you can unintentionally open the door for attackers to weaken your solution or make it trivial to get in. When you evaluate a product consider proprietary algorithms and missing details on why it is "secure" as glaring red flags.

@@ -121,7 +183,7 @@

Regardless of how strong a solution is, all that strength can be easily defeated by misplaced or violated trust. If you're looking for a security product, you will need to trust something but it is important that you carefully consider and minimize that trust. Some prefer to put their trust in large organizations with a track record. Some prefer to put it in secret algorithms they aren't even allowed to evaluate themselves.

At Master Password we've decided that real trust

- is the result of transparancy. Which is why we've made our algorithm open, published it on our website, described it in full and exposed it to cryptographic experts. We've also made our applications that implement it open-source so that you can see how they work and even bypass our binary distributions and instead install them from source.

+ is the result of transparency. Which is why we've made our algorithm open, published it on our website, described it in full and exposed it to cryptographic experts. We've also made our applications that implement it open-source so that you can see how they work and even bypass our binary distributions and instead install them from source.

Master Password minimizes the parties

you need to trust by implementing a completely stateless solution that requires no storage (you don't need to trust your hard disk or hardware), requires no backups or syncing (you don't need to trust that all your passwords are safely backed up and synced across your devices so they're actually available to you), requires no cloud services (you don't need to trust that your Internet connection is safe, or a cloud provider won't lose your @@ -129,6 +191,7 @@

Trust is the most common failure point.

Most other solutions that get strength right don't care so much about the trust front. They figure, if you're going to pay them for their app, you might as well trust them with all your passwords too. This really shouldn't be an implicit assumption. They're your passwords, and nobody else should have a say.

+

Knowing what happened to Silent Circle and Lavabit, knowing how extremely powerful and persuasive governments and share-holders can be, you would be well advised to consider very carefully giving the keys to your digital identity to a separate entity.

@@ -136,14 +199,13 @@

Loss is another one of those points that are very often overlooked. It's as though the implicit assumptions are that everybody backs all of their stuff up to at least two different devices and backups in the cloud in at least two separate countries. Well, people don't always have perfect backups. In fact, they usually don't have any.

So what happens when you drop your phone in the toilet, spill your coffee on your laptop, or worse, your kid drops a candle into the arts and crafts box and sets the house alight? You lose everything. You lose your own identity.

-

Master Password is engineered to immune

- to data loss. And what better a way to fight data loss than by using no data at all? Master Password is a stateless solution, which means that its passwords are a result of only the things you can remember. Additionally, it minimizes the things you need to remember to little more than your own name, the site you want to use and a sentence as long as three or four words in a song's lyrics (don't use an actual song's lyrics for your master password! The - point is small sentences are very memorable).

+

Master Password is engineered to be immune

+ to data loss. And what better a way to fight data loss than by using no data at all? Master Password is a stateless solution, which means that its passwords are a result of only the things you can remember. Additionally, it minimizes the things you need to remember to little more than your own name, the site you want to use and one password (to rule them all).

When all is lost, you just need to open up Master Password, be it on a brand new computer, or a friend's iPhone, and you can just add your name and site back to it. Your passwords will re-appear "out of thin air".

Most password solutions rely on "vaults".

-

Vaults make the password problem really easy: passwords can be encrypted and stored on your hard disk for when you need the password again. You only notice the trouble vaults inflict when disaster strikes and you either lose the vault, it falls in the wrong hands, or a foreign government confiscates it. Be extremely wary of all vault-based password solutions and make sure you understand the down sides well.

+

Vaults make the password problem really easy: passwords can be encrypted and stored on your hard disk for when you need the password again. You only notice the trouble vaults inflict when disaster strikes and you either lose the vault, it falls in the wrong hands, or a foreign government confiscates it. Be extremely wary of all vault-based password solutions and make sure you understand the trade-offs well.

@@ -156,14 +218,14 @@

All your sites should be equally well protected, each of them with unique passwords and you need to remain ever encouraged to keep it that way.

Master Password makes it easier on you

- in various ways. It tries to minimize the time it takes to get to the password you need. It uses copy/paste functionality and generates easily memorable and typeable passwords to facilitate their usage. It removes the need for you to take the time to think of strong passwords by doing it for you. And we're constantly thinking of more ways to speed things up.

+ in various ways. It tries to minimize the time it takes to get to the password you need. It generates easily memorable and typeable passwords to facilitate their usage. It removes the need for you to take the time to think of strong passwords by doing it for you. You can copy-paste the password to avoid having to type it in manually. And we're constantly thinking of more ways to speed things up.

-

How Does It Manage To Do All That?

+

How Does It Manage To Do All That?

For the more technical details, please see the Algorithm page instead. I will give a more down-to-earth overview here.

@@ -218,9 +280,9 @@

These are two different types of brute-force attacks and we need to make sure to defeat both of them.

To defeat a brute-force attack against your master key, we make sure the master key is sufficiently high in entropy. Since the master key is a 256-bit key, an attacker would now have to make up to 2256 guesses, or try 115792089237316195423570985008687907853269984665640564039457584007913129639936 master keys before finding the right one. Even at an ambitious rate of 2 billion tries per second, it would take several times the age of the universe to try all of them.

A brute-force attack against your master password is more feasible, since your master password will be tiny compared to such a huge master key.

-

Even if you used a 6-character evenly distributed random alphanumeric password (such as yIp6X1), an attacker with an decent GPU could brute-force such a password in less than 3 years. With a powerful setup (eg. a cluster of 10 Nvidia 8800GT GPUs which can try about 2 billion passwords a second), that time could conceivibly go down to 3 or 4 months.

+

Even if you used an 8-character evenly distributed random alphanumeric password (such as yIp6X2qd), a smart attacker could brute-force such a password in less than 1.7 days.

To solve this problem, we introduce an expensive scrypt-based key derivation step. scrypt specifically improves on standard key derivation techniques by not only wasting a lot of CPU time, but also consuming huge amounts of RAM. We need to be careful to choose the right parameters so that logging into Master Password doesn't take too long on weaker mobile devices while the possibility of guessing at passwords is sufficiently - cippled for attackers. The theory is, the longer it takes for an attacker to try out one guess of your master password, the longer it'll take him to find the right one. We pull this theory into the extreme so that guessing your password now takes 19477911.1969 years instead of 3 months while logging into Master Password on an iPhone 4S takes less than 3 seconds.

+ crippled for attackers. The theory is, the longer it takes for an attacker to try out one guess of your master password, the longer it'll take him to find the right one. We pull this theory into the extreme so that guessing your password now takes 2151076 years instead of 1.7 days while logging into Master Password on an iPhone 4S takes no more than 3 seconds.

It bears note that scrypt's approach is specifically interesting because it costs both a lot of CPU and a lot of RAM to derive a master key. That means that the more computers an attacker buys, the more his $ cost goes up. CPU and RAM are expensive, and forcing the derivation to use a lot instead of minuscule amounts causes the $ cost of a brute-force attack to become phenomenal.

Given these solutions, we feel confident Master Password is adequately protected against attacks on your private master key.

@@ -237,8 +299,8 @@

While we're encoding a password, we have one final problem to solve: password policies. Most websites nowadays have taken it upon themselves to restrict the kinds of passwords you can use. The point is usually to keep you from using passwords that are too weak, but these policies unfortunately often include rules that are detrimental for the strength of passwords (such as your password MUST contain a number, it MUST start with a letter, and it MUST NOT be longer than 6 characters. Oh yeah, and it MUST NOT contain quotes or anything fancy because we strip that since we don't know how else to sanitize data against SQL injection while we store your passwords in plain text. (did you detect a little rant there?).

Master Password comes with a set of templates which are carefully crafted to give you passwords which strike an optimal balance between security and usability while dodging the rules of the most common password policies.

-

Master Password's default Long Password template produces memorable passwords such as XikuFuzzFosu9[ which have just under 56 bits of entropy. It would take an Nvidia 8800GT about 10 years at 200 million passwords per second. That same machine would crack a perfectly random 6-character alphanumeric password in 3 years.

-

Master Password's Secure Password template uses a lot of bits from the password seed to give you a password that's 20 characters long, looks something like A2/IczT2BKx^(bVa18Kp and would take that same machine up to 3124097044769999945728 years to crack.

+

Master Password's default Long Password template produces memorable passwords such as XikuFuzzFosu9[ which have just under 56 bits of entropy. An attacker that knows you use Master Password would still need to dedicate 1.4 years of powerful computer time to crack that password's hash. If he doesn't know you, that time goes up to 26 billion years.

+

Master Password's Secure Password template uses encodes many more bits from the password seed resulting in a password that's 20 characters long, looks something like A2/IczT2BKx^(bVa18Kp and would take that same machine up to 422460722753999994880 years to crack.

Given these numbers we feel confident that Master Password's output passwords offer you the maximum amount of confidence in the strength of your external accounts.

@@ -246,7 +308,7 @@
-

Conclusion

+

Conclusion

We've explained all the important factors in which password managers can and should protect the security of your private information. We've also clarified in which ways Master Password deals with each of these factors and backed these clarifications with numbers and reasoning.

Hopefully this information has given you sufficient confidence in the Master Password algorithm and has taught you important ways to evaluate other competing security products so that you can make an informed decision.