Passwords and PINs are the bane of modern-day living. Passwords are sometimes forgotten and often they are hacked, with disastrous consequences for the user. The Master Password app simplifies things. The user has to remember only one master password. Site-specific random passwords are then generated, which the user does not have to remember. This makes for better security.
Passwords are ubiquitous. Most of the sites you visit on the Internet enforce the use of passwords in one way or the other. An average user has 25 online accounts that are password protected. Since password usage has increased dramatically, it has also created serious problems from the security point of view.
When the number of passwords increases, the quality and strength of the password get diluted. For a majority of users, keeping track of the passwords is a headache, so they end up using weak passwords or, even worse, they use the same password for all their online accounts.
These issues can be overcome with the Master Password app, a stateless password generator that creates strong and random passwords.
What is the problem?
The number of online accounts we use is doubling every five years but the security measures around these online accounts are getting flimsier. We can see that new vulnerabilities are being discovered every day, passwords are getting leaked and other security breaches are taking place, suggesting that we need to fortify our online accounts. This may seem a lot of work but it has also become necessary.
The following general practices related to passwords make using the password system almost pointless.
Using the same password: The use of the same password for various accounts is increasing. A survey estimates that 80 per cent of people use the same passwords for many accounts. They mainly do this because every time they have to create an online account, they also have to create a new password, which is a lot of work. Even when they set up a new password for every online account, there’s the risk of the user forgetting it. To avoid this, the same password is used for all the accounts. If a hacker gets hold of your password on any one of the accounts, then all other accounts are also compromised.
Password saving: Another common unsafe practice in vogue is the way we save passwords. People usually store the passwords in plain text, mostly on sticky notes or a notepad. Some even store their passwords on the browser, which makes it convenient for users but also puts their online accounts in serious jeopardy.
Randomness is one of the desired qualities in a password, yet it is very difficult to produce. Each time you create a password, you typically use bits of data from your personal space to help you remember it. The problems arise when the number of accounts per user increases. Then the new password that is generated is once again from your personal data, which is hardly random.
So, for example, if you are creating an account for a social media service, you would provide the following details:
- First name
- Last name
- Date of birth
- Email ID
If you look closely at the above information, it is unique to you, the individual user, and when you create a username or, in our case, a password, even that is based on the above data. If an account is set up with a unique password created from personal information, then when a new password needs to be set up for another online service, the options are again limited to your basic personal information. So users end up making just a few modifications to the old password, such as adding sequential numbers to it or substituting special characters. This, however, provides very little protection: limiting the modifications so that the new password is easy to remember defeats the randomness required to make passwords secure.
One could try to set up random passwords but they would hardly be random because in order to avoid the risk of forgetting the passwords, users again pick chunks of data which they remember well. Even if they succeed in creating truly random passwords, it would be difficult to keep track of all those random passwords unless you possess a photographic memory.
Password managers help create secure passwords and store them in an encrypted file but they too have their limitations, such as:
- Password managers store the passwords in an encrypted file; so if that file is accidentally deleted or corrupted for some unknown reason, there is no way to access those passwords.
- If password managers are simultaneously used in a cell phone and a personal computer, the devices may need to be synced so that the information gets updated regularly.
- If a completely new device that doesn’t have the password manager app is used, accessing the passwords may not be possible.
- Occasionally, the user may need to use the Internet to sync the passwords between various devices.
- Some password managers encourage users to store their passwords in the cloud, which is not controlled by the users, who then run the risk of handing over sensitive information to some business entity that has unlimited access.
The Master Password app
The Master Password app is not a password manager, yet it has a striking resemblance to one. It is a stateless password generator app that produces random and secure passwords for your use.
Master Password uses the following details to create passwords:
- Your name
- Master password
- Site name
When you open the Master Password app, it will look like what is shown in Figure 1.
Name: The name is the first thing you need to enter in order to generate passwords. It is recommended that you use your full name, i.e., your first name, middle name and last name because an intruder will then have to know all the parts of your name to derive your passwords.
Master password: This is the only part which you have to remember. This is also one of the integral parts in the Master Password app. So it is important you set a strong and secure password for this part.
Although we are all aware of the best practices for creating passwords, the following recommendations will add more security to your passwords.
- Try not to include too much personal information that has already been made public.
- Use a brand new password that hasn’t been used before.
- If you’re using phrases and quotes as your passwords, try to turn them into an acronym.
- Avoid using dictionary words, and even if you have to use them, modify their spelling but let their pronunciation remain intact.
- Use a mixed combination of numbers, symbols and letters in your password so that it can have the maximum length.
Please note, you must also remember whether you typed in your name and master password in upper or lower case, because if you accidentally change the case for a letter in either the username or the master password, you will get a different password.
Site name: In this field, you need to give the website name you are creating the password for (you are advised to always use the domain name). For example, if you are creating a password for Twitter, just enter ‘twitter.com’ so that you won’t forget the site name.
Aside from these basic ingredients, the Master Password app has other features that extend its functionalities.
Authentication type: Aside from passwords, some websites or services will require you to set up different types of authentication. For example, an ATM uses a PIN, not a password. So in order to facilitate various authentication needs, the Master Password app provides the following types of authentication.
- Short password
- Long password
- Maximum length
By default, ‘Long password’ will be chosen, but you can select what best suits your needs.
Password counter: If you want to generate a new password for your online account, all you need to do is increase the password counter (by default, the password counter value is set to 1). Increase the counter to the value 2, and a brand new password will be displayed to you.
How does the Master Password app work?
Now that we have covered the basic concepts of the Master Password app, it is time to see it in action. As mentioned earlier, it is not a password manager so how does it generate a password? Let us take a sample user and see how the app generates a password.
Consider that our user is John Paul Jones and he’s about to set a password for Twitter, using the Master Password app.
- First, he opens the app and types his full name, John Paul Jones, in the name field.
- Next, he enters his master password.
- Finally, he enters the site’s name — twitter.com
After he’s finished, the generated password is shown below the name (Figure 3).
Note: The screenshots are taken from the Web version of the Master Password app, since in the Android app screenshots aren’t permitted.
To understand this app better, look at the above equation, which contains three input values and one result. As long as the input values are not changed, the result is always the same. The same result can be achieved by using the same inputs on different machines.
As long as your name, master password and site name remain the same, the resulting password will also be the same.
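The property described above, as an added sketch that is not the Master Password app's own code or algorithm: a stateless generator recomputes the password from the name, master password, site name and counter every time, so nothing needs to be stored or synced. The key-derivation function (PBKDF2), iteration count, salt label, character set and function names are assumptions of this example.

```python
import hashlib
import hmac
import string

# 64 symbols, so `byte % 64` maps the 256 byte values evenly (no modulo bias).
ALPHABET = string.ascii_letters + string.digits + "!#"


def _field(value: str) -> bytes:
    """Length-prefix a text field so adjacent fields cannot run together."""
    data = value.encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def master_key(name: str, master_password: str) -> bytes:
    """Stretch the master password; the user's name acts as the salt."""
    salt = b"stateless-demo" + _field(name)  # label is an assumption
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, 200_000
    )


def site_password(name, master_password, site, counter=1, length=16):
    """Derive a site password from the inputs alone; nothing is stored."""
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32")
    key = master_key(name, master_password)
    message = _field(site) + counter.to_bytes(4, "big")
    seed = hmac.new(key, message, hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:length])


if __name__ == "__main__":
    # Constructed sample inputs; the master password is a placeholder.
    pw = "constructed-master-password"
    print(site_password("John Paul Jones", pw, "twitter.com"))
    print(site_password("John Paul Jones", pw, "twitter.com", counter=2))
    print(site_password("john paul jones", pw, "twitter.com"))
```

The three printed values differ from one another: raising the counter or changing the case of a single letter in the name yields an unrelated password, while repeating a call with identical inputs reproduces the same one.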
The advantages of the Master Password app
The Master Password app uses a simple but effective approach when it comes to generating passwords. The following features were designed into the app to strengthen its overall security.
No registration: Unlike most of the password managers, Master Password doesn’t require any sort of registration on the app or elsewhere. You just need to open the app and start using it.
No storage: The data you enter and the generated passwords are never stored in the device or anywhere else because all that this app does is process three pieces of data and produce the output in runtime. So it doesn’t require any sort of storage access.
No syncing or online access: When you want to use a password that was created on your phone or your office computer, you don’t need an Internet connection to sync the passwords between the devices. All you need is to enter the same values on the app in the computer and you will get the correct password.
Platform independent: Master Password is capable of running on multiple platforms, such as from the command line, as a mobile app and a Web version, so it really doesn’t matter if you have a new device that does not have the Master Password app on it. You can still use the app from one of the above platforms.
The disadvantages of the Master Password app
There’s no such thing as a foolproof system, and when it comes to privacy, the most secure system may still cause a lot of inconvenience to the user. Here are some of the hassles encountered when using this app.
Changing may involve a lot of work: When you change the master password in the app, you’re going to have to change all the accounts’ passwords, because your master password is one of the key ingredients in generating passwords. So if you’re introducing any changes in any one of the major components, all your passwords need to be changed too.
You cannot customise a password template: Sometimes you may want to set up a password using a particular template, because of a certain level of comfort you feel in using that template or because of certain password policies you have to abide by in order to use the service.
This has been discouraged in the Master Password app to reduce the burden on the user side, because in the event of any failure or any loss of data, you may not remember the password template you’ve set for a particular site. The situation may get worse if you use more than one customised password template for various sites.
Only one factor: The Master Password app strictly uses only one factor, that is, the master password. If intruders get to know the master password, it is only a matter of time before they access the passwords to your accounts because the rest of the details about you can be looked up on the Internet. It is, therefore, imperative that you give a strong master password and do not reveal it to others.
However, the disadvantages of the Master Password app do not overshadow all the good things that this app has to offer.
The author is deeply interested in Linux and he spends most of his leisure time exploring open source.