Original author(s) Written in Java, C, JavaScript | Development status Active | |
Initial release June 15, 2012; 4 years ago (2012-06-15) Stable release 2.3 / April 19, 2015; 21 months ago (2015-04-19) Operating system |
Master Password is an algorithm designed by Maarten Billemont for creating unique passwords in a reproducible manner. It differs from traditional password managers in that the passwords are not stored on disk or in the cloud, but are recreated every time by using information entered by the user; most importantly, their full name, a master password, and a unique name for the service the password is intended for.
Contents
By not storing the passwords anywhere, this approach tries to make it harder for attackers to steal or intercept them. It also removes the need for synchronization between devices, and backups of potential password databases.
Algorithm
The algorithm involves the following parameters:
Master key generation
The master key is a global 64-byte secret key generated from the user's secret master password and salted by their full name. The salt is used to avoid attacks based on rainbow tables. The scrypt algorithm, an intentionally slow key derivation function, is used for generating the master key to make a brute-force attack infeasible.
Template seed generation
The template seed is a site-specific secret in binary form, generated from the master key, the site name and the counter using the HMAC-SHA256 algorithm. It is later converted to a character string using the password templates.
Password generation
The binary template seed is then converted to one of six available password types. The default type is the Maximum Security Password, others can be selected if the service's password policy does not allow passwords of that format:
Implementations
Billemont also created multiple free software implementations of the Master Password algorithm, licensed under the GPLv3. These include apps for iPhone/iPad, Mac OS X, and Android, as well as a graphical desktop application written in Java, a command-line application written in C, and a web client written in JavaScript. The iOS implementation was first released in 2012.