Master Password and the No Hack Band
Feat. Fifty Cent & Nickleback
What is a password?
If you don't know what a password is, you're an infant. Please create a Pornhub account and then come. I don't care if a baby has the sex drive of a flash drive, better late than never to learn about dicks.
Retarded tangents about masturbating infants aside, I'm assuming you came here because you already know what a password is, and are instead interested to know how to actually make them secure. Seeing as a savvy individual like you is reading this blog, I believe you would be very interested in hearing about what the great Froghand uses to store his passwords, information when you can then use to crack my fimfiction account and write incestuous My Little Pony porn in my image. Which is a bigger shame - to write horses fucking, or to have it written in your honour?
Cardinal rule of security, mate: never reveal your methods. They can be reverse engineered and then used against you. Any sort of information you use regarding your setup will narrow down the information of what you use to secure your workspace, and as a result, reduce the opportunities of attack by many orders of magnitude. Hackers can only hack if they know what they're looking for, and if an individual reveals their methods, it becomes easier for targets against that individual to occur.
So while I won't tell you what I am currently using, I can offer you a very strong solution. Here comes Master Password, and why it kicks ass.
This is Master Password. It kicks ass.
Alright, so Master Password is what's known as a password manager. A password manager puts all your passwords in all place so you don't have to remember them, and you can make super secure and unique passwords that can't be guessed or cracked within your lifetime. The benefits of which is so you never forget your passwords, and they can't be guessed.
"Now this is a bad idea on the face of it", says Tyler, not that I asked for your input. But your ignorance of social norms brings up a very good point: it is a horrible idea to put all your passwords in one place. A password manager, even though you need a separate password for it, still represents a single point of entry for a cracker to get into the manager and steal all the login creditentals for every site you saved with the manager. This is so catastrophic to your online life that it's next to impossible to overstate.
And that's just for an offline password manager. For an online password manager, you're giving up your passwords to somebody else. Let me make this clear: you're giving up your passwords, the very thing which seperates your online accounts from the rest of the Internet, to a random group of assholes who store it in their servers alongside the cheapest admins they can hire. No matter what a company says about how secure their technology is, or how they can't see it, the simple fact of the matter is that you're trusting your entire online identity to somebody elses computer, and you have absolutely no idea what they're doing with it.
No matter what Lastpass says about how "they can't see your passwords" or that they use "leading encryption algorithms", it's still giving up every piece of personal information about you to a company who uses the data in ways that you have no idea about, including being forced to disclose passwords by the United States government, during which they can't say anything or have their owners go to jail. And when somebody is forced to decide whether or not to compromise their users or spend time in Club Fed, it's usually your ass that's the first to fall.
So let's break down the good and bad of password managers:
Create passwords that can't be brute-forced (put through every single possible combination until they find one that works) within your lifetime, E.G. can't be brute-force cracked in any less than the age of the universe. Basically there's no way in Hell anybody will be able to guess your password.
Don't have to remember a single password, thereby being impossible to divulge to anybody, and impossible for anybody to be able to guess or manipulate the password out of you. Can you remember "l9+6KN7x)M@RIFArVmXO"? Fuck no. And nobody else can, either, thereby making it harder for thugs to get (and retain) the information out of you.
If you lose your vault password, you're fucked. So don't lose it, asshole. Seriously, you set up a vault that has every single password in it, and you don't even remember the one? Call that natural selection for the digital world.
All the passwords are just sitting there, waiting to be picked from your hard drive! In a worst-case scenario of some thugs being able to access your computer's hard drive, they'd be able to spend as much time as they needed to crack the passcode for the vault file. Even though it'll be encrypted, it's still there, and you'd have no idea which sites were compromised unless you made a backup. And even then, that's still another backup to be plucked out of the open. It's a bad idea to put all your eggs in one basket.
You can synchronise that "in the cloud" (note: there is no cloud. it's somebody else's computer) and get all your passwords from the Internet... even though that still means you're giving up your files to a remote location that somebody else can gain access to without your knowledge. The trade-off between security and convenience is innate, and those who give up security in exchange for a little bit of rest deserve neither security nor rest.
All the passwords are stored somewhere else, in servers and in offline backups, thereby increasing the spread of your passwords and making it more likely that they will be compromised, as opposed to a singular location that you have 100% control over. The greater exposure that your files have, the more eyes are on it, and you don't get a say whether or not they're allowed to peep at them.
If a government agency so desired, they could subpoena the storage company and make them give up all of your passwords, and they wouldn't have to tell anybody (or would be gagged not to) about the intrusion. It doesn't matter whether or not it's still encrypted, what matters is that the government now has your shit and you don't know anything about that. If your passwords were stored locally, they would need a search warrant in order to invade your privacy and then take your property, making it obvious that they have your data and giving you time to change all your passwords.
A hack on the storage company means every single user account is compromised, and when (not if, as anything can be hacked) this happens, all of your data is shared with anybody who wants to buy it off the Deep Web, including criminals and governments et cetera. You'd get a chance to change your passwords, but if the hack is undetected (or more likely, isn't disclosed by the company for publicity reasons), you're pretty much screwed.
A lot of password companies let you do "two-factor authentication", which in it's simplest form is using your phone to generate another password. Even though this involves giving these companies your phone number. Whether or not the added security is worth giving them your phone number is up to you, but remember that anybody who can hack your vault password is also likely to hack your authentication password.
And the conclusions:
So it seems to me that the best password manager would be that provides the convenience of online storage without the liabilities, combined with the security and secrecy that is afforded by an offline manager. Why doesn't anybody make such a program?
Oh shit, they did. It's the subject of this article, actually. It's called Master Password (I'm not a shiller but don't push me), and it solves a great deal of the problems that are faced by most password managers. It was recommended by privacytools.io (an open-source website) as their first-pick password manager, and I agree with them. The site said to Kopimi, so fuck it, let me do that.
"Master Password is based on an ingenious password generation algorithm that guarantees your passwords can never be lost. Its passwords aren't stored: they are generated on-demand from your name, the site and your master password. No syncing, backups or internet access needed."
What the fuck does all this mean? Let me break it down for you.
Boi he boutta do it:
There is no vault with Master Password, because it doesn't store your passwords, and yet they can be accessed on almost any device in the world without needing an account, or even Internet access. Now how in the rooting tooting Sons of Liberty does it pull that off? If you knew your math, and then used that math to develop advanced thinking skills, and then developed an algorith which allowed you to do what I'm describing, you'd already have invented Master Password, and so wouldn't even need me to talk about it.
Let's make this simpler. There is no vault, because there doesn't need to be a vault. It's an algorithm, which generates a password for you based on the information you give it. If the information is wrong, it will still generate a password, but it'll be wrong. If the information is right, it'll be right. The key difference here is generate, as it doesn't store a single password anywhere at all, meaning that there is literally nothing to hack into, because a hacker wouldn't even have anything to crack.
It is counter-intuitive to put on the condom after sex, so let's not get ahead of ourselves. Let me demonstrate to you a step-by-step detail of how the thing works, and how it's a more secure solution as a result.
1. Get an app
Master Password is an open-source solution, meaning it's been audited by multiple pairs of eyes and checked for any security deficiencies. It also means that it's able to be ported to pretty much any platform, like a website or your phone or whatever. There's even a command line version, in case you're Richard Fucking Stallman and can't stand GUIs, or more likely blind, because the chances of you being RFS is one in eight billion. If you are RFS, please send your resume to email@example.com, and I'll be glad to give you some menial jobs.
So you can get the app on any platform, meaning that hackers are likely to spread out and not focus on any one platform, thus giving the dual consequences of both not having any platform be particularily vulnerable, and if a platform is hacked, then it is trivial to move to another platform to compensate. It's flexible, so if you decide to turn and burn on the Windows botnet, you can always switch to Linux and still have it work, in addition to the mobile and web browser apps.
This also means it's next to impossible to lose your passwords, as you can just go online and get them from one of the apps. Unless you forget the algorithm password, in which case you're totally fucked.
2. Fill in the necessary information
You'll be asked for your full name and a "master password", which is the single password that you use to generate the rest of the passwords. This is pretty cool, and also frightening, so let me break it down. Are you frightened? Are we cool yet?
Name's never the same
The full name can actually be any name you want. It suggests your full name so that it is very easy for you to remember, somewhat hard to guess, and has a high degree of randomness that is very difficult to replicate, even if somebody has the exact same name as you. I must note though, that if you forget your name, you never had a chance.
Let's take the name Barack Hussein Obama, who said he would make a change but didn't even shut down Guantanamo Bay, has twenty characters in it, three of which are spaces. Let's estimate the entropy, the randomness of the characters, of an average name as 20^26+3^52, which is twenty letters to the power of twenty-six lowercase letters plus three upper-case letters. This makes 67 million with 33 zeroes on that, or 67,000,000,000,000,000,000,000,000,000,000,000,000,000. It's slightly more than that, because we're not even counting the position of the letters or diacritics or special characters.
So a brute-force attack against your name is going to fail, as dealing with 67*10^39 (you'll see powers a lot with encryption) means you will never guess it within your lifetime. If you don't know the name of the person who you're attacking, you'll never find out their passwords, assuming they actually did use their full name. And should they actually know your full name, they'll never be able to guess how you inputted it. For instance, whether or not you used your middle name, your title, all lowercase, and whether or not you spaced the words all add to a much higher degree of uncertainty in regards to an attack on you.
The algorith is designed such that even a single digit of false information means that it produces false passwords for everything, meaning that you have to input your full name the proper way each and every time for it to work. Naturally this makes hacking extraordinarily difficult, because there's no way to verify whether or not they've inputted your name the right way. This is a step up from telling somebody that they have the wrong information, because the lack of feedback makes cracking your passwords like shooting in the dark.
This also means that you have to remember how you put in your name, because if you forget the exact way it was entered, it puts all your passwords at risk. So remember it, eh?
The Master Password
Yes, it's named after itself. Even though your full name is impossible to guess and hard to input even if an attacker knows your name, it's still a weak thing to base your online infrastructure around. It's very easy to gleam your name and how you spell it from your ordinary goings-on online (note: never put any of your personal info online, unless you want to give up all of your data to companies who will stereotype you using it), so it's not secure at all. An attacker could type in variations of your name until they got a password that works, and then go on from there.
So clever as it is, it's not clever enough. You need another password, which adds in even more randomness to the combination, as well as providing a base for the algorithm to work its magic off. Like the full name, it has to be digit-perfect every time, otherwise all your passwords are messed up.
So the first step is to choose a UNIQUE password, one that nobody else knows, that's impossible to guess based off personal information, and can't be cracked. The ideal password is at least twenty digits long, has never been written down anywhere, has a lot of different symbols and letter casing, be easy enough to type, and one that has absolutely nothing to do with you. But still, it must be remembered, so choose a good password and remember it, damn it.
A sufficiently random password that's twenty digits long means that it takes the world's faster supercomputer over 100 centuries to crack the password, meaning that it could be decades into the future and nobody would be able to crack your password with conventional computers (those quantum computers sure are shady, though). A random 30-digit password means that nothing in the world can crack your password, though it can still be stolen if you accidentally reveal it or give it to an untrustworthy website. Remember: the best password in the world is useless if somebody else has it.
Also, make sure that nobody can derive your password from any other source. So if you use Master Password to create a Master Password password, it'll still be hard for them to guess it, but it will still technically exist somewhere else, thus making it far harder to discern the source of the leak in the event your password gets out. I realise it's hard to come up with a good password, but that's why it's worth it.
If you really are stuck, get a song you know, take a single lyric, misspell all the words (to make a dictionary attack harder), and add in like four random symbols that you can remember in between every word. That's easy enough to remember, but still random enough to make it hellish for somebody to try to guess. It's not technically derived from anything, because you made the lyrics unique. The only downside is that a sufficiently advanced dictionary algorithm (the type you buy from forensics experts for hundreds of dollars) can reduce the time to crack a password by several years (even though it will still take until the heat death of the universe to crack), but they'll still have no idea if they have the right name/password combination.
So commit your password and your full name to memory, type it in enough times that it becomes second nature for you to use, and make sure you never, ever forget it or mistype it. Because if either of those things happen, well, you know what happens. Bad things.
3. Getting down to business
Alright, you're in the app. You chose how you're going to type in your first name, you chose a unique password that's impossible to guess, and you remembered how you're going to type both of these pieces of information. So here's what you have to do to verify that you did it right:
What you gotta do, in the field where it asks for a site, is to just type in "test". Make note of the random digits on the screen, in your head. Now exit out of the app and re-type your information. If it's the same set of random digits, you inputted the right name and password. Now exit out and retype it once, or twice, or three times more. Keep testing until you are absolutely certain that you can input the right name and password every single time, without copy and pasting them (note: don't write down your login creditentials anywhere, even in an encrypted file, as this means hackers and cops can eventually steal them and take control of your Master Passwords).
Okay, now that you're certain of what your information for Master Password is, you can finally start using it. You're on your way to having uncrackable passwords in an uncrackable, idiot-proof vault. A vault that nobody can hack, because your passwords don't exist, and a vault that's available with you anywhere you are. It's a fantastic feeling to be free, isn't it?
There's a text box that asks you to put in a website title, which should be the bare domain name, for instance e621.net and not www.e621.net (tip: it's porn). Of course you can change this if you really want to, but the bare domain name is the easiest to remember and unless you type it in wrong or the website goes full retard and changes its domain name, in which case just put in the old domain name or change your password to reflect the new one.
To prepare for the unlikely event that a cracker gets all your Master Password information correct (or they extract it from you, fuck that comic is overused), you may think it's a good idea to get clever with the site names instead of following the recommended advice. Whatever you can think of is likely to already be tried by a cracker, meaning you do little more than delay their infiltration by a few minutes. It's far more likely that you'll simply forget the site name and then lose your password, which I suppose it better than having it hacked, but is a bit inconvenient.
Usernames and Safety Council
The field can be anything you want, even though the domain name is the simplest. This is useful, because it means if you want to generate a username for your account, you can put in something like firstname.lastname@example.org or e621.net username or e621.net Name. This also means you have an anonymous username, though keep in mind that a very sharp-eyed analysist is able to guess that you are using Master Password. This isn't an issue in itself, because there's nothing to hack into and reverse-engineering the algorithm is currently computationally impossible, but if you generate public usernames among many sites, an analysist might be able to weakly link the profiles together, thus reducing some of your anonyminity.
For instance, a law enforcement agency has tagged a certain blog account as a suspect for a crime. The username is consistent with that generated by Master Password. Based on this suspect's posts, we can discern four other website accounts that they use. The usernames for those accounts are also consistent with Master Password. If we find the suspect's location and find evidence of Master Password on their computer, then we have circumstantial evidence against them.
There's a few problems with this attack. A username isn't immediately obvious as generated from Master Password exclusively, especially compared to other password managers, and legitimate usernames can also look like that which comes from Master Password. Only a detailed look can discern whether or not a username is exclusive to Master Password, and so your username is pretty safe in a passive scan of a crowd of many other users. It's also important to note that every minute a cop wastes time looking at a username, it's another minute you have to further protect your online life.
Another method is that it only ties usernames together based on their use of Master Password and nothing else, unless you're a dumbass who posts personal information which links those accounts together (usernames, passwords, e-mails, profile pictures, names, metadata, et cetera), and so I can't help you there beyond making every single account a completely unique persona. Because Master Password is used by tens of thousands of people for a variety of reasons, it's very flimsy, circumstantial evidence, which can never be confirmed unless they get your exact full name, site name, and password.
Keep in mind that the "name" field isn't available on all platforms, so if you're on a platform without it, like Android, you'll need to go onto the web app to be able to generate names. Whatever you decide to do, don't reuse usernames on websites (unless you're an artist trying to get famous or something), as a simple Google search will link those accounts immediately, thus destroying most of your attempts at privacy by giving thugs easy access to your entire online identity. That's one of the reasons Master Password is so useful for usernames - it's completely random every time, you can't remember the usernames, and yet it's still easy to pop in and thus get a secure username.
It's interesting to note that you never see "secure username" as opposed to "secure password", even though a username is in the public arena, and so having one that you can't link to other accounts, or even your person, is very important for anonyminity. Imagine getting an account for a hurtcore site (child porn / torture shit, don't look it up unless you want the government on your ass), while having it as the same username as your Wikipedia, Google, DeviantART, Inkbunny, and e621.net accounts? That would be a disaster for you, easily profiling you and making it trivial to get your personal information out of any one of those websites. A unique username solves that problem by burning any bridges between you and your other online accounts. This was one of the things that led Dread Pirate Roberts to getting raided by the FBI.
I'm willing to bet that had DPR been smarter with his online identity, he would have never been busted at all. If a drug kingpin isn't smart enough to protect his privacy, then you should take the first step and do it yourself.
4. Choose your options
Alright, so you'll notice some drop down menus and other options. These need to be correct too, otherwise your password will be messed up. Let's go through them.
You'll see a number that you can increment to get a new password. Generally I don't like playing with this unless I have to, as it's just another number I have to fiddle with to get the right password. It's used so that if you nuke one account, you can set up an account on the same site without re-using the username and password. It's a backup, where you get 100 accounts to turn and burn before you have to start playing with the "site" field again.
You'll see a drop-down menu with some options for the password, like "long" or "maximum". You'll pretty much always want to turn this up to maximum, as this is the most secure option. Only use lower-tier options if the site has some arbitrary insecure password restrictions, or use the special name option to generate a username or other field where you can't use special symbols. I think "phrase" is used for bank personal questions, but if that's the case, just use the more secure maximum (unless you get more arbitrary restrictions).
Don't play with the "algorithm version" option, if you have it. Always keep it at 3, as this is the most recent version and any claims to the security of Master Password can't be verified with earlier versions. It's kept in there as a legacy so that people with very old Master Password information can access their passwords, in which case, update that shit to the most recent version!
5. Secure your metadata
There are some operational risks with using Master Password that can reveal that you are indeed using Master Password, including the above-mentioned username analysis, which can also happen with passwords if a cracker managers to steal the passwords ot a site's users, though isn't likely to occur at all, as criminals will just sell the leaks and run without trying to play CSI.
One of the risks is just having the application open in public, letting anybody who looks at your screen know that you're using the appliation. This isn't too big of a problem unless you're in a place with a lot of surveillance, as most people honestly won't give a shit, if they even know what you're doing at all. But still, keep it secret if you must use it in public, like a bank PIN.
Another is having the application installed to your mobile phone or computer or whatever, as this confirms a party's suspicions that you are using Master Password, which can be linked back to any usernames that you generated with Master Password. It won't reveal your passwords, as they still need your secret information, but it'll still provide some weak evidence for the cops that can be used to profile your identity, which can supplement a much more conclusive case if you make some critical mistakes in regards to your online persona. This also refers to a web browser bookmark, though I still recommend having it as typing in the URL is a massve pain every time. Just delete it if you think the heat's on (only after force-shutting off your phone and computer, of course).
If you have an appliation installed, you may have the option to save lists of websites in it. This is a horrible idea as it undermines the plausible deniabilty aspect of Master Password (eg you can't prove that a password exists until you input the right information). An attacker could put in any information and get all the websites you saved to your phone, and while they wouldn't have the right passwords or usernames, they would still know that you used Master Password for those websites, which can be traced back to you. Delete all the sites and manually input them each time, otherwise your browsing habits are insecure.
Talking about Master Password is a bad idea because that can be traced back to you, plausibly stating that you use Master Password, making it ever so slightly easier to profile you. This is hypocritical of me, but I have taken this risk in order to better protect you.
Master Password seems to me as an incredibly secure and useful password manager on all fronts. Beyond some minor issues which would only come up in an extreme stalker case (issues which can be mitigated or plausibly denied), it is the safest solution that I have seen thus far, being idiot-proof while being probabilistically impossible to hack into, except at the government torture level (use a VPN, dummy). It can be used to generate anonymous, disposable accounts, and is also designed to only be useful to you and you alone, as nobody else will find any use out of your Master Password, as only you know the necessary information to unlock your passwords.
I don't believe I need to say much more, beyond that it is an excellent idea and that it is absolutely worth it to switch from whatever you're currently using (if at all) to something which is inherantly secret and uncrackable. No companies to trust, and no vaults to break. It's all on you, and if you don't break, then your passwords are safe.
Learn that hidden knowledge at Froghand.
Today's page was updated on May 26, 2016!
The greatest secret is one that no-one knows.