
I've just discovered the open source project MasterPassword. It generates a password per site based on name, master password, site and counter. So you need to know your name and the master password to get access.

I like the idea behind this project. Based on this question, I feel like this would improve security, because there is absolutely no data stored in the cloud.

Am I wrong? What speaks against it?

Guildenstern
    Sounds like a common password manager except passwords are always generated, without a possibility to set your own passwords. In other words, an old normal password manager can do everything this software can, and more. – user155462 Feb 23 '18 at 08:25

3 Answers


These "stateless" password solutions all have the same general structure:

  1. There's a master password that you memorize, and input into the program when you need to use it.
  2. The program derives a master cryptographic key from your master password.
  3. The program prompts you for some set of site and account metadata that describes each site or service you use.
  4. Using the master key and metadata, the program uses a pseudorandom function to generate a site password in a way that's both pseudorandom and repeatable.

The problem with these programs is that they falsely advertise themselves as being more secure than plain old encrypted password managers like KeePass, 1Password or LastPass. In this case, the page of the program you ask about says this:

Master Password is not a password manager. It does not store your website passwords. Therefore, there is zero risk of you losing your website passwords (or them falling in the wrong hands).

And later down:

  • You don't need to worry about your password manager website getting hacked, your phone getting duplicated, somebody taking a picture of your passwords book - Master Password stores no secrets.

But a more accurate statement would be this:

  • With a password manager, an attacker has to steal your encrypted database and guess your master password to recover your site passwords.
  • With their program, there's no "steal the encrypted database" step; all that an attacker needs to do is guess your master password and the account metadata.

So the reason they claim they are more secure than a password manager, turns out, is actually the reason they are less secure than a password manager. Ooops.

Luis Casillas
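The four-step structure described in this answer, as an added illustration that is not code from the original post or from the MasterPassword project (it is a simplified scheme, not MasterPassword's actual algorithm; the KDF parameters, the 64-character alphabet and the 4-byte counter encoding are assumptions made here). It shows why the same inputs always reproduce a site password, how the counter rotates one site's password, and why a different name or master password yields an entirely different set of passwords:

```python
import hashlib
import hmac
import string

# 64 characters so that (byte % 64) is unbiased; an assumed alphabet.
ALPHABET = string.ascii_letters + string.digits + "-_"


def master_key(full_name: str, master_password: str) -> bytes:
    """Step 2: derive the master key with a memory-hard KDF.

    The user's name is the salt, so the same password under a different
    name gives an unrelated key. Parameters are illustrative (16 MiB).
    """
    return hashlib.scrypt(master_password.encode("utf-8"),
                          salt=full_name.encode("utf-8"),
                          n=2 ** 14, r=8, p=1, dklen=64)


def site_seed(key: bytes, site: str, counter: int) -> bytes:
    """Step 4: a PRF (HMAC-SHA256) over the site metadata and counter."""
    msg = site.encode("utf-8") + b"\x00" + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def site_password(key: bytes, site: str, counter: int = 1,
                  length: int = 16) -> str:
    """Map the pseudorandom seed onto a fixed-length password template."""
    seed = site_seed(key, site, counter)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:length])


def demo() -> dict:
    """Constructed sample inputs; nothing is stored between calls."""
    key = master_key("Alice Example", "correct horse battery staple")
    return {
        "first": site_password(key, "example.com"),
        "again": site_password(key, "example.com"),       # reproducible
        "rotated": site_password(key, "example.com", 2),  # counter bumped
        "other_name": site_password(
            master_key("Bob Example", "correct horse battery staple"),
            "example.com"),
    }


if __name__ == "__main__":
    for label, pw in demo().items():
        print(f"{label:>10}: {pw}")
```

Because no state is kept, every value above follows from the name, master password and metadata alone; that is exactly the property the answer points out cuts both ways.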

According to the documentation, instead of remembering a password, you have to remember per website: site-name (was it .com or .co.uk? did you put the TLD at the end?), site-counter and site-template. That is not much better than remembering a password.

I do not understand the purpose of the site-counter: if it is incremented, your password breaks every time, so this should be a constant value. If it is a constant, it does not add any security. Update: as mentioned in a comment (thanks), it could be used to update a website password when needed. The same effect could be achieved as efficiently by appending a digit to the website name (that's in theory a tiny bit less secure), so it looks like over-engineering to me.

This software could have been done in pure JavaScript. Instead you provide your credentials to another party. It's open source, thus someone with more time than me could check that it's legit.

A. Hersean
    I believe the purpose of site-counter is to allow for sites that require you to change the password from time to time. Otherwise, I agree with you: the method is less secure and more complex than using a real password manager. So much that I can't understand why anyone would consider it. – Stephane Feb 23 '18 at 09:53
  • I think the main problem with this setup is that if one password is leaked, all passwords have to be changed. – Anders Feb 23 '18 at 12:02
  • @Anders How do you reverse the HMAC to get the master-key? – A. Hersean Feb 23 '18 at 16:18
  • You brute force the master password. – Anders Feb 23 '18 at 16:20

In the end, MasterPassword is like a standard password manager except for the following drawbacks:

1) it is inconvenient to keep track of URLs, site counters, etc

2) it is less well-known than solutions such as 1password, LastPass, etc

user196499