Master Password


#1 Post by labbe5 »

So many password managers out there, why bother with this one? Because there is no other like it.

A password is a secret that is known only to the party providing a service and the party that should be allowed access to this service.

Simple enough - a secret that you know and your website knows but nobody else, thereby guaranteeing that you and only you have access to your account on this website. Unfortunately, in practice, the ubiquitous use of passwords has us completely overwhelmed. And the only way we can cope with that is by finding ways of making the problem manageable.

The theory behind Master Password starts with accepting that it is impossible to keep track of passwords for all your accounts. Instead, we return to the core premise of the password: a secret phrase that you can remember easily, all by yourself.

Master Password solves this problem by letting you remember one and only one password. You use this password with Master Password only. Master Password then gives you access to any website or service you want by creating a website-specific key for it.



1. You sign into Master Password using your one password.
2. You ask Master Password for the key to enter your website, e.g. Twitter.
3. You log into Twitter using your username and the key from Master Password.

Master Password is not a password manager. It does not store your website passwords. Therefore, there is zero risk of you losing your website passwords (or them falling in the wrong hands). Master Password simply uses your one password and the name of the site to generate a site-specific secret.


Let's find out more about Master Password :
http://masterpasswordapp.com/

https://github.com/Lyndir/MasterPasswor ... /README.md

Use Java for Master Password to be platform-independent and build it from source.

Java

Go into the gradle directory and run ./gradlew build. All Java components will then be built:

platform-independent/gui-java/build/distributions: contains an archive with the Master Password Java GUI. Unpack it and run the gui script.
platform-independent/cli-java/build/distributions: contains an archive with the Master Password Java command-line interface. Unpack it and run the cli script.
platform-android/build/outputs/apk: contains the Android application package. Install it on your Android device.

Note that in order to build the Android application, you will need to have the Android SDK installed and either have the environment variable ANDROID_HOME set to its location or a gradle/local.properties file with its location, eg. (for Homebrew users who installed the SDK using brew install android-sdk):

sdk.dir=/usr/local/opt/android-sdk

Git : https://github.com/Lyndir/MasterPassword.git

Further reading :
classic password managers :
https://www.linux.com/learn/two-best-pa ... apps-linux
Political consideration to take into account about passwords and cryptography, referred to as key disclosure law

In fact, many countries provide their officers with legal grounds for forcing you to divulge your encryption keys to any encrypted information they've recovered during a warranted search.

Again, unlike ordinary password managers, Master Password might have an edge here. If you make no use of stored passwords, Master Password doesn't actually encrypt anything with your master password. That means, when your devices are seized, these legal grounds may no longer apply. Note however that this does not constitute legal advice and that this theory has never been tested in practice.

For your safety, we recommend that in preparation of travelling, you change the master password for your user on the device. That way, if your device is seized by a foreign entity and they force you to divulge your master password, you'll likely be fully compliant by simply giving up the new master password even though it will cause the app to generate invalid passwords for all your sites. Later, you can always change the master password back to the real one.


Time to crack a master password :
http://masterpasswordapp.com/faq.html

9174 : 50 minutes
v9ea30 : 560 years
correct horse battery staple : > age of the universe
I once had a red ball : > age of the universe

Conclusion :
A master password does not need to be difficult to remember, such as Togu3]ToxiBuzb.

To use the platform-independent Java Master Password, download it from here:
https://github.com/Lyndir/MasterPassword/, clicking on the Desktop link, and save the file in your download folder. Then open the folder and, in a terminal, run:
java -jar masterpasswordgui.jar

But before you can use Master Password, you need to build its components. To that end, you need openjdk-8-jdk. Download it from PPA or with APT (#apt install openjdk-8-jdk).
Once this is done, go to your master password folder, downloaded from git, and open gradle folder. In terminal : ./gradlew build
It takes about 10 minutes to build.

Now you are ready to use Master Password, and make the most of its unique features.

It should not be long before this application is part of Debian/Ubuntu repositories. It is sooooooooooo much better than other password managers.

Further reading :
https://www.linuxuprising.com/2018/09/m ... prising%29

A secure password generator : Packetizer
https://secure.packetizer.com/pwgen/

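The stateless derivation described in the post (one master password plus the site name gives a site-specific secret, with nothing stored) can be sketched as follows. This is an added example, not code from the post or from the Master Password project, and it does not reproduce that project's actual algorithm or output: the scrypt parameters, salt prefix, alphabet, length and the `counter` argument are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Assumed parameters for this sketch (not taken from the page or the project).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@"
LENGTH = 20

def master_key(user_name: str, master_password: str) -> bytes:
    """Stretch the one memorised password with a slow, memory-hard KDF.
    Salting with the user name gives two users with the same password
    different keys."""
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=b"example-salt:" + user_name.encode("utf-8"),  # hypothetical prefix
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=64,
    )

def site_password(key: bytes, site: str, counter: int = 1) -> str:
    """Derive the site secret from the key and the site name; nothing is stored.
    Bumping the (hypothetical) counter yields a fresh password for that site."""
    msg = site.encode("utf-8") + b"\x00" + counter.to_bytes(4, "big")
    seed = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(LENGTH):
        # Peel base-len(ALPHABET) digits off the 256-bit seed; bias is negligible.
        seed, idx = divmod(seed, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

def demo() -> dict:
    # Constructed sample inputs; the phrase is one of the examples in the post.
    real = master_key("alice", "I once had a red ball")
    other = master_key("alice", "a different phrase")
    return {
        "twitter": site_password(real, "twitter.com"),
        "twitter_again": site_password(real, "twitter.com"),
        "github": site_password(real, "github.com"),
        "twitter_rotated": site_password(real, "twitter.com", counter=2),
        "twitter_other_master": site_password(other, "twitter.com"),
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:22} {value}")
```

The same inputs always regenerate the same site password, while a different master password produces unrelated output for every site, which is the behaviour the travel advice in the post relies on.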