New Yandex.Bruezer protects passwords using a master password. Where is and how to install in Yandex browser on a computer
Alexander Shikhov, 09/27/2018 (10/17/2018)
Trusting passwords from Yandex.Baurizer sites, we make life easier. It is necessary to enable synchronization, and on all devices (computer, laptop, telephone) secret fields will be filled automatically. At the same time, there is a weak place in such a system. The one who runs Yandex.Browser on the computer after you automatically gets access to the saved passwords. As this can be avoided - in our article.
What is a master password in Yandex.Browser
The master password is essentially the key to your personal database. It is needed to eliminate the ability to automatically fill the fields of login and password on sites, in social networks and postal services. Even if you leave the browser open, the attacker will not be able to use it. The external program to read the keys database will not be able, as it is encrypted.
Master password will help ensure security if several users use one computer. The browser allows you to quickly switch between different profiles. The password from the account is not requested.
How to configure a master password
Open the settings menu (button with three horizontal strips in the right corner of the browser window). Select the Password Manager section.
In the menu that appears, click Settings, create a master password.
You may need to enter the password from account Windows under which you entered the PC. It helps to exclude the situation with the accidental inclusion of the mode by another user, which logged in in the browser under your name. which is easily remembered, told in one of our articles.
If you are not sure to remember the code word forever, select the option Enable the ability to reset. So you can always turn off or change it if necessary.
After turning on the password wizard mode, it starts to work on all devices where you use Yandex.Bauser synchronization. When trying to use the auto-complete secret fields, such a request occurs.
The degree of stiffness of safety policies and frequency of requests you define in the setting.
It is worth noting that when using a browser on someone else's computer best way Ensuring data security remains output from your account.
Strangely enough, but only 1% of the browser users use specialized password storage extensions (Lastpass, Keepass, 1Password, ...). Security of passwords of all other users depends on the browser. Today we will tell you the readers of Habrahabra, why our team refused to protect password protection from the Chromium project and how she developed his own password manager, which is already tested in Bethe. You will also learn how we solved the problem of resetting a master password without deciphering the passwords themselves.
From the point of view of security, each site is recommended to use your unique password. If the attackers will steal one password, then only one site they will receive access. The problem is that to remember dozens of reliable passwords is very difficult. Someone honestly comes up with new passwords and records them with their hands in a notebook (and then loses with it with him), others - use the same password on all sites. It is difficult to say which of these options is worse. By solving the problem for millions of ordinary users, a password manager can be built into the browser, but its effectiveness depends on how simple it is reliable. And in these issues, the previous decision had gaps that we will tell below.
Why do we create a new password manager?
In the current implementation of the password manager for Windows inherited from Chromium, saved passwords protected by the browser simply. They are encrypted by the tools of the operating system (for example, on Windows 7, the CryptProtectData function based on the AES algorithm is used, but not stored in an isolated region, but simply in the profile folder. It would seem that there is no problem in this, because the data is encrypted, but the key to decryption is also kept in operating system. Any program on the computer can go to the browser profile folder, take the key, locally decrypt passwords, send them to a third-party server, and no one will notice.
And many more users would like a random person who does not have special training, but received short-term access to the browser (for example, a relative or colleague for work), could not log in at important sites using saved passwords.
Both of these problems are solved using a master password, which are protected by data, but which is not stored anywhere. And this has become our first requirement for the new password storage architecture in Yandex.Browser. But not the only one.
No matter how safe password manager would have been, its popularity depends on how easy it is to use. Recall that the same 1Password, KeePass and LastPass even in the amount use no more than a percentage of users (although LastPass we offer in our embedded add-on directory). Or another example. So in the old implementation, the browser proposes to save the password:
Experienced users or agree, or refuse, or do at least something with this notice. But in 80% of cases it is simply not noticed. Many users do not even know that passwords can be saved in the browser.
Separately, it is worth saying about functionality. Now even getting to the list of your passwords is not so simple. You need to open the menu, click on the settings, go to additional settings, Find the password control button there. And only then a person will gain access to a primitive list of accounts that cannot be sorted by login, you cannot add a text note, it is also impossible to edit. In addition, the password manager should help invent new passwords.
And one more thing. It was important for us that the new architecture corresponds to the principle of Kerkgoffs, that is, that its reliability does not depend on the knowledge of intruders about the algorithms used. The cryptosystem should remain safe even if they know everything except the keys applied.
Why didn't we take a ready-made solution?
There are open source products that support the Master Password and Extended Functionality. They could be integrated into the browser, but they did not come to us for a number of reasons.
First of all, KEEPASS comes to mind. But its storage is encrypted entirely, and in our browser, the synchronization works in line. So, it is necessary to either ask the master password with each synchronization, or encrypt the records separately. The second option is kinder to users. Moreover, it is important for the mass product that the user knows about the ability to substitute the saved password before unlocking the database master password, so some of the information should remain unencrypted.
Specialized add-ons for working with passwords have the ability to reset the master password, if the user has forgotten him. But for this you need to download, hide and not lose backup code or file. It's fine when we are talking About experienced users, but it is difficult for everyone else. Therefore, we needed to come up with an alternative solution. Spoiler: As a result, we managed to find a solution in which the master password can be reset, but even Yandex will not be able to access the database. But more on that later.
And another third-party decision in any case would have to seriously refine to integrate to the browser (rewrite on C ++ and Java) and make it simple enough for users (completely replace the entire interface). No matter how surprising it sounded, but write a new storage architecture and password encryption is easier than to do everything else. Therefore, it is more logical not to try to associate two initially incompatible products in one, but to finalize your own.
New architecture using a password master
There is nothing unusual in the storage of the records. We use a reliable and fast AES-256-GCM algorithm to encrypt passwords and notes, addresses and logins are not encrypted for ease of use, but we subscribe to protect against substitution. A similar way is the storage scheme in the same 1password.
The most interesting is the Protection of the 26-bit Enckey key, which is required to decipher passwords. This is the key point of password security. If the attacker recognizes this key, it will easily hacked all the repository regardless of the complexity of the encryption algorithm. Therefore, the key protection is based on the following basic principles:
- Access to the encryption key is blocked by a password master, which is not stored anywhere.
- The encryption key should not be mathematically connected to the master password.
In ordinary services and applications, the encryption key is obtained by hashing a master password to at least so slow down the attack by bust. But the mathematical dependence of the key from the master password still simplifies hacking, the speed of which in this case depends only on the reliability of hashing. The use of farms from sharpened on the hacking of ASIC processors is no longer uncommon. Therefore, in our case, the Enckey key is not derived from the master password and is generated by chance.
Next, the Enckey key is encrypted with the asymmetric RSA-OAEP algorithm. To do this, the browser creates a pair of keys: Open Pubkey and closed Privkey. Enckey key is protected using a public key, and it can be decrypted only with the help of closed.
You do not need to protect public Pubkey key, because it is not suitable for decryption, but with a closed Privkey story another. To protect it from theft, access to it is blocked according to the PKCS # 8 standard using the UnlockKey password phrase, which in turn is the result of a master password hash using the PBKDF2-HMAC-SHA256 function (100 thousand repetitions; with the addition of salt and the storage ID ). If the master password accidentally coincides with the longer password from any site, the addition of salt will hide this fact and complicate hacking. And thanks to multiple hashing, a long-term master password complexity of the unlockkey hacking is comparable to the enckering key hacking.
Enckey encrypted passwords, encrypted key Enckey, encrypted private key Privkey and public Pubkey key is stored in the browser profile and synchronized with other user devices.
To make it easier to figure it out throughout this, we give the password decryption scheme:
With such architecture using a master password there are a number of advantages:
- The 256-bit storage encryption key is generated randomly and has a high cryptic resistance compared to person invented passwords.
- When Brutfors Master Password, an attacker does not recognize the result, if it does not go throughout the chain (password-PBKDF2-RSA-AES). It is very long and very expensive.
- if the hash function is compromised, we can go to any time alternative option Housing with backward compatibility.
- If the attacker recognizes a master password, then it is possible to change it without a complex and risky decryption procedure of the entire storage, because the data encryption key is not associated with a password master, which means that not compromised.
- Encryption key is stored in encrypted form. Neither Yandex nor an attacker who kidnapped the password from Yandex will not be able to access synchronized passwords, because this requires a master password that is not stored anywhere.
But the option with the master password has one "disadvantage": the user may forget the master password. This is normal when it comes to specialized solutions that use experienced users who are well aware of the risk. But in the product with a multimillion audience, it is unacceptable. If we do not see the backup option, then many Yandex. Baurizer users will either refuse to use a master password, or "lose" one day all your passwords, and the browser will be to blame (you will be wonder, but it is Yandex who often turns out to be extremely in situations when Man forgot the password from the account). And invent the decision is not so simple.
How to reset master password without password disclosure?
In some products, this problem is solved by storing decrypted data (or even a master password) in the cloud. This option was not suitable for us, because the attacker can steal the password from Yandex, and with it and passwords from all sites. Therefore, we needed to come up with such a way to restore access to password storage, at which no one except the user could not do. Side password managers offer to create backup file.which user must independently store in a safe place. Good decisionBut ordinary users such backup keys will inevitably lose, so we are much easier.
Once again, remember the key dependency chain. Password storage is encrypted with a random Enckey key, which is not stored anywhere. This key is protected by the private key of PrivKey, which is also not stored explicitly and in turn is protected using a complex hash from the master password. When a person forgets the master password, it actually deprives the opportunity to decipher the privkey key. This means that as a backup option, you can store the PRIVKEY key duplicate. But where? And how to protect it?
If you put a decrypted privkey in the cloud, the security of passwords will depend on the Yandex account. And evenly, we did not want to allow. If you store it explicitly locally, then all protection with the master password loses any meaning. There is no such place where it would be possible to safely store this key explicitly. So it must be encrypted. For this, the browser creates a random 256-bit key to which Privkey duplicate protects. Now the most interesting. This random key is deposited in the Yandex.Paste cloud. And the encrypted duplicate remains stored in the local browser profile. It turns out that neither in the cloud, nor on the computer there is no finished pair to decrypt passwords, and security does not suffer.
With this option, reset the master password could only be where the PRIVKEY key is created. We wanted to add this feature and synchronized devices. Create a backup key on each device manually uncomfortable: it is possible to accidentally stay with the device on the hands on which they forgot to create a duplicate. You cannot send an encrypted duplicate to other devices using synchronization: the cloud is already kept the key to it, and in case of security purposes, they can not be found in one place. Therefore, the encrypted duplicate Privkey passes through another encryption layer. This time - using a hash from the master password. The master password is not stored in the cloud, so the "Matryoshka" obtained can already be safely synchronized. On other devices at the time of the first input of the master password, the additional encryption layer will be removed.
As a result, when the user will forget the master password, it will be enough to request a password reset through the browser and confirm his identity with the Password from Yandex.
The browser will ask the key from Yandex.Pasport, will decrypt them to duplicate the Privkey key, with its help it decrypts the key from the ENCKEY repository, and then will create new couple Pubkey and Privkey, the last of which will be protected by a new master password. The password repository is not decrypted, which reduces the risk of data loss. By the way, it is possible to change the Enckey and stir the data too: it is enough to disable and re-enable the master password in the settings.
It turns out that only the user himself can reset the master password only on that devicewhere he introduced it at least once. Of course, the backup key is not necessary if the user is confident. Even the master password can not be used, although we do not recommend to refuse it.
New architecture and master password are not the only changes in the new manager. As we have already told the above, ease of use and extended capabilities are not less important.
New password manager
First of all, we abandoned an imperceptible gray panel with a proposal to save the password. Now the user will see an offer next to the password field. Do not notice it is already difficult.
Yes, and the manager itself is no need to search in the settings: The button is available in the main menu. The list of saved accounts now supports sorting login, address and note. We also added editing records.
Tip: Notes are greatly suitable as an alternative to tags, because they support the search.
And another browser now helps to create unique passwords.
In the first beta version, we managed not all. In the future, we will support export and import passwords for compatibility with popular third-party solutions. We also have an idea to add settings to the password generator.
Mobile password manager
Of course, the new logic and support of the master password will appear not only on the computer, but also in the versions of Yandex.Bauser for Android and IOS. With a small adaptation. For example, you can use not only the master password, but also a fingerprint. We also banned software screenshots on a list of password list - you can not be afraid of malicious applications.
Today, a new password manager can be tried in
It takes only fifteen seconds for a user sitting at a computer to see a list of all passwords that you said in Firefox or Thunderbird and have saved them. The list is displayed clearly like a day. It can include Webmail and Forum Passwords or Server Password email. Using a master password is highly recommended, to prevent a list of passwords from such curious users. By installing a master password, the one who uses your profile will be prompted to enter a master password if you need access to your saved password. Although the master password in Firefox is a useful additionsecurity but he can soon become burdensome if you lost passwordwhich you entered in master Password. There is no possibility to simply view the file and copy your master Password, there is no point to add master Passwordwhich can be found in the file.
Password Master Reset
If you lose or forgot your master password or you want to disable this feature, you can reset the master password. Reset Master Passwordto remove all saved passwords . After reset, you will lose all saved data in the password manager, as this is a built-in security feature so that people do not just drop the master password, and to access your passwords.
- Firefox: Enter Chrome: //pippki/content/resetpassword.xul in the address bar (address string), click on the Enter key and the RESET button.
- Thunderbird: Select Tools -\u003e Error Console ยป," Insert expression: Opendialog ("chrome: //pippki/content/resetpassword.xul") and click on the Calculate button. A dialog box opens with the query, whether you want to reset your password.
- Mozilla Suite / Seamonkey: "Edit -\u003e Preferences -\u003e Privacy & Security -\u003e Master Passwords -\u003e Reset Password."
The only way that may bring the result would be a bust passwords. The success of the last method depends on the password that you chose during installation master Password.
BRUTE FORCE The bust is most likely crowned with success if master Password Consists of existing words, words or names. But will not be able to find passwordif the user has entered random password With letters and numbers.
Brute Force. Master Password in Firefox:
you can use software entitled Firemaster.to try to use the method of rough power to restore master Password.
* Firemaster using various methods Generates passwords "on the fly."
* Then it calculates the password hash with the well-known algorithm.
* This hash password is used to decrypt encrypted data for a known conventional text (for example, "check the password").
* Now, if you decrypt a string with a known text (for example, "checkbox"), then the generated password is a password master.
You can use the method of rough power if you are almostwe are sure that you used the word or phrase. Passwords such as "x23n52ff: tht0_ete% v5" will not be able to identify and install software Firemaster, you can download the following link Firemaster.
Most users use password memorization feature in the browser, so as not to enter login and passwords each time at often visited sites. But in this case, there is a danger that anyone who will take advantage of your browser can access your account. Protect your personal data in the browser Mozilla Firefox. will help master Password.
The master password serves for secure on various sites. It encrypts passwords in such a way that they are becoming much more difficult to extract from the browserEven if the attacker has physical access To your computer.
Besides, master Password Protects Access to Your Certificates. It is very useful if you, for example, use WebMoney wallet with authorization through a certificate. If someone gets access to your certificate, respectively, it will receive access to the wallet with all the money stored on it. The master password will not give it to happen.
How is the master password? When you run Mozilla Firefox and start a new session, the browser will need to enter a master password when you first attempt to access a secure master password. When you enter it, you will get access to all saved passwords and certificates. Thus, the master password is entered once per session.
How to install a password in browser Mozilla. Firefox? In the Tools menu, select Settings. In the settings window that opens, go to the Protection tab and check the box opposite the "Use Master Password" item. If you did not use it before, the Switter Wizard window will open with a proposal to install a master password.
The master password you invented you need to enter twice into the appropriate fields. The strip at the bottom will show you the level of the quality of the invented password (i.e., how safe is it). Recall that a secure password should not be simple combinations of numbers or letters (123456, QWERTY, etc.). One of better options - a combination of lowercase and capital letters, specialsimeters and numbers.
Be sure to remember or write down the master password. (just do not keep a password with a password next to the computer). If you forget it, you can no longer be able to access the information protected by them. When finished, click OK.
If you need change master password, Go to the Protection tab again in the browser settings, click the "Create Master Password ..." button, enter the old master password, then twice - new, and then click OK. To disable master passwordSimply remove the appropriate tick on the Protection tab.
What if you have forgotten the master password? Restore staffing Programs it is impossible, but there are several ways to reset the master password to install a new one. To do this, enter the following text to the browser address bar:
chrome: //pippki/content/resetpassword.xul
A warning will be displayed that after resetting the master password will also be lost passwords, closed keys, personal certificates And these forms. It is impossible to avoid this - this is a kind of "fee" for a forgotten master password. To reset the password, click the "Reset" button. After that you can install new password or stop using it.
There is another way delete Master PasswordBut he, again, will remove along with other saved passwords. To do this, you need to manually remove passwords from the folder of your profile in the browser.
In the Help menu, select "Information to solve problems". The About: Support page should open. In the Application Information Table, click the Open folder button. The folder will open profile Firefox., you need delete Singons.txt and Key.db files.
Master password is a convenient option that will help you protect your personal information. But it is very important to come up reliable password And at the same time do not forget it.
Reliable passwords and their protection against intruders - the basis of security on the Internet. A new version Helps create resistant passwords and protects them using a master password. Even if the device gets in other people's hands, your data will be safe.
New opportunities
It is important to use unique passwords on different sites. If the attackers will steal one password, then only one site they will receive access. But to create and memorize dozens of passwords is difficult, but to record them on paper - risky. Now Yandex.Browser solves this problem. He will come up with a unique password, will reliably save it and suggest using the next entry to the site.
Saved passwords are available in the browser menu, in the new section "Password Manager". They can be edited, sort and supply notes by which it will be easy to find what is needed. And if you do not forget to enable synchronization, passwords will be available on all your devices with Yandex.Browser.
Safety
The new password manager has become not only more convenient, but also safer. Now you can protect your passwords from curious eyes using a password master. It is not stored anywhere, so no one except you can decipher the saved passwords. Even if the attacker recognizes the password from Yandex or kidnap your phone, it will not be able to access passwords. On the mobile devices Instead of a master password, you can use a fingerprint, pin-code or gesture.
If you accidentally forget the master password, then there is safe method Reset it without loss of data. Yandex.Browser offers to create a spare key. It is stored in the browser, but encrypted. To reset the master password, this key will need, password from Yandex and the device on which the master password has been introduced at least once. Simply put, you can do it only, so the safety of your passwords will not suffer.
The new password manager is already available in Yandex.Browser for computers and devices on android database and iOS. Enable synchronization and store your security passwords on any device.