How we created a password manager with strong cryptography and a master password. Experience of the Yandex.Browser team


“Use a strong password” is advice that often appears online. This article is about how to create a strong password and remember it.

A password manager that can create strong passwords and remember them can help you with this. But even if you use a manager, you still need a master password for it.

Working with passwords - the easy way

There are so many websites these days, and you probably have accounts on many of them. Most likely your passwords are either reused across accounts or built from a single template. From a security point of view this is a serious weakness: whoever guesses the password for one of your accounts can guess it for the others as well.

In this case, a password manager comes to the rescue - to store dozens of your passwords in one place, you only need to know one, the master password.

There are many managers out there, but Dashlane is probably the best choice for the average user. Dashlane has applications for almost all platforms, its extensions integrate into any browser, and the basic functions are free to use. If you want to sync passwords between different devices, you need to upgrade to a premium account.

Password managers come with built-in features such as an overall security score, a password generator, and more. If you're serious about computer security, you should use strong passwords everywhere. The easiest way to do this is to use Dashlane.

KeePass, available on all major platforms, also belongs on the list of good password managers. Its password database is encrypted with AES-256, optionally with a multi-round key transformation that slows brute-force attacks and makes it much more reliable than other software.

This is a great way to generate a sequence because it really guarantees that you will have a random combination of words. In addition, the formed phrase will be easy to remember.

Memorable password: a technique for generating

With the above criteria it is fairly easy to come up with a sequence. Just try typing something random, for example 3o(t&gSp&3hZ4#t9. This is a good password: 16 characters, a mix of different character types, and hard to guess because the characters are not related to each other in any way. To create similar sequences, use a password generator.

The only problem is how to remember such a password. Assuming you don't have a photographic memory, you would have to spend a fair amount of time learning this sequence. Instead, come up with a password that is associated with some event or item. For example, it is much easier to remember the sentence “The first house I ever lived in was 613 Fake Street. Rent was $400 per month.” and turn it into a password using the first letter of each word: TfhIeliw613FS.Rw$4pm. This is a strong password of 21 characters.

Yes, a truly random sequence should include more numbers and special characters, but this one is also good. The best thing about it is that it is easy to remember.

Strong passwords, and their protection from intruders, are the basis of Internet security. The new version of Yandex.Browser helps you create strong passwords and protects them with a master password. Even if the device falls into the wrong hands, your data will be safe.

New features

It is important to use unique passwords across different sites. If attackers steal one password, they will gain access to only one site. But creating and remembering dozens of passwords is difficult, and writing them down on paper is risky. Now Yandex.Browser solves this problem: it will come up with a unique password, save it securely and offer it the next time you log into the site.

Saved passwords are available in the browser menu, in the new “Password Manager” section. They can be edited, sorted and annotated so you can easily find what you need. And if you don’t forget to turn on synchronization, your passwords will be available on all your devices with Yandex.Browser.

Safety

The new password manager is not only more convenient, but also safer. Now you can protect your passwords from prying eyes with a master password. It is not stored anywhere, so no one but you can decrypt the saved passwords. Even if an attacker finds out your Yandex password or steals your phone, he will not be able to access your passwords. On mobile devices you can use a fingerprint, PIN code or pattern instead of a master password.

If you forget your master password, there is a safe way to reset it without losing data. Yandex.Browser offers to create a backup key. It is stored in the Browser, but in encrypted form. To reset the master password you will need this key, your Yandex password, and the device on which the master password was entered at least once. Simply put, only you can do this, so the security of your passwords is not compromised.

The new password manager is already available in Yandex.Browser for computers and for Android and iOS devices. Turn on syncing and keep your passwords safe on any device.

Alexander Shikhov, 09/27/2018 (10/17/2018)

By trusting website passwords to Yandex.Browser, we make life easier. Once you enable synchronization, the secret fields will be filled in automatically on all devices (computer, laptop, phone). At the same time, there is a weak point in such a system. Anyone who launches Yandex.Browser on a computer after you automatically gains access to the saved passwords. How this can be avoided is in our article.

What is a master password in Yandex Browser

The master password is essentially the key to your personal database. It is needed to rule out automatic filling of login and password fields on social networks and mail services. Even if you leave your browser open, an attacker will not be able to take advantage of it. An external program cannot read the key database either, since it is encrypted.

A master password will help ensure security if multiple users use the same computer. The browser allows you to quickly switch between different profiles. The account password is not requested.

How to set up a master password

Open the settings menu (the button with three horizontal lines in the right corner of the browser window) and select the Password Manager section.

In the menu that appears, click Settings, Create master password.

You may be asked for the password of the Windows account under which you logged in to your PC. This rules out accidental activation of the mode by another user who is logged into the browser under your name. , which is easy to remember, is described in one of our articles.

If you are not sure you will remember the master password permanently, select the Enable reset option. This way you can always disable or change it if necessary.

Once Master Password mode is enabled, it works on all devices where you use Yandex.Browser synchronization. When you try to use auto-fill of secret fields, the following prompt appears.

You set the strictness of the security policy and the frequency of prompts in the settings.

It is worth noting that when using the browser on someone else's computer, the only reliable way to protect your data is to log out of your account.

Oddly enough, only 1% of browser users use specialized extensions for storing passwords (LastPass, KeePass, 1Password, ...). The security of all other users' passwords depends on the browser. Today we will tell Habrahabr readers why our team abandoned the password protection architecture from the Chromium project and how we developed our own password manager, which is already being tested in beta. You'll also learn how we solved the problem of resetting the master password without decrypting the passwords themselves.

From a security point of view, it is recommended to use a unique password on each site. If attackers steal one password, they will gain access to only one site. The problem is that remembering dozens of strong passwords is very difficult. Some people honestly come up with new passwords and write them down by hand in a notepad (and then lose them along with it), others use the same password on all sites. It's hard to say which of these options is worse. An in-browser password manager may be a solution for millions of average users, but its effectiveness depends on how simple and secure it is. And in these matters the previous solution had gaps, which we will discuss below.

Why are we creating a new password manager?

In the current implementation of the password manager for Windows, inherited from Chromium, saved passwords are protected quite simply. They are encrypted using the operating system (for example, on Windows 7 the CryptProtectData function, which is based on AES, is used), but they are not stored in an isolated area, just in the profile folder. This might not seem like a problem, since the data is encrypted, but the decryption key is also held by the operating system. Any program on the computer can go to the browser profile folder, obtain the key, decrypt the passwords locally, send them to a third-party server, and no one will notice.

And many users would like to prevent a random person who does not have special training, but who has short-term access to the browser (for example, a relative or work colleague), from being able to log in to important sites using saved passwords.

Both of these problems are solved by using a master password, which protects the data, but which is not stored anywhere. And this became our first requirement for the new architecture for storing passwords in Yandex.Browser. But not the only one.

No matter how secure a new password manager is, its popularity depends on how easy it is to use. Recall that 1Password, KeePass and LastPass, even taken together, are used by no more than one percent of users (although we offer LastPass in our built-in add-on catalog). Another example: this is how the old implementation of the Browser offers to save a password:

Experienced users will agree, refuse, or otherwise deal with this notification. But in 80% of cases it is simply not noticed. Many users don't even know that you can save passwords in your browser.

We should also say something about functionality. Today, even getting to the list of your passwords is not easy: you need to open the menu, click on settings, go to advanced settings and find the password management button there. Only then does a person reach a primitive list of accounts that cannot be sorted by login, cannot be given a text note, and cannot be edited. In addition, a password manager should help you come up with new passwords.

And one more thing. It was important for us that the new architecture complies with Kerckhoffs's principle, that is, that its reliability does not depend on attackers’ ignorance of the algorithms used. The cryptosystem must remain secure even if they know everything except the keys.

Why didn't we take a ready-made solution?

There are products with open source code, which support a master password and advanced functionality. They could be integrated into the browser, but they were not suitable for us for a number of reasons.

KeePass comes to mind first. But its storage is encrypted as a whole, whereas synchronization in our Browser works record by record. This means we would either have to ask for the master password at every synchronization, or encrypt the records separately. The second option is kinder to users. Moreover, for a mass product it is important that the user knows a saved password is available for a site before unlocking the database with the master password, so some of the information must remain unencrypted.

Specialized password add-ons let the user reset a forgotten master password. But for this you need to download a backup code or file, hide it and not lose it. That is fine for advanced users, but difficult for everyone else, so we needed an alternative. Spoiler: in the end we found a solution in which the master password can be reset, yet even Yandex cannot access the database. More on that a little later.

And in any case, any third-party solution would have to be seriously modified in order to be natively integrated into the browser (rewritten in C++ and Java) and make it simple enough for users (completely replace the entire interface). As surprising as it may sound, writing a new architecture for storing and encrypting passwords is easier than doing everything else. Therefore, it is more logical not to try to combine two initially incompatible products into one, but to refine your own.

New architecture using master password

There is nothing unusual about storing the records themselves. We use the reliable and fast AES-256-GCM algorithm to encrypt passwords and notes; we do not encrypt addresses and logins for ease of use, but we sign them to protect against spoofing. The storage scheme in the same 1Password is arranged in a similar way.

The most interesting thing is the protection of the 256-bit encKey, which is necessary for decrypting passwords. This is a key point in password security. If an attacker finds out this key, he can easily hack the entire storage, regardless of the complexity of the encryption algorithm. Therefore, key protection is based on the following basic principles:

– Access to the encryption key is blocked by a master password, which is not stored anywhere.
– The encryption key should not be mathematically related to the master password.

In simple services and applications the encryption key is obtained by hashing the master password, at least to slow down a brute-force attack. But a mathematical dependence of the key on the master password still simplifies cracking, whose speed then depends only on the strength of the hashing. Farms of ASIC processors built for password cracking are no longer uncommon. Therefore, in our case, encKey is not derived from the master password and is generated randomly.

Next, the encKey key is encrypted using the asymmetric RSA-OAEP algorithm. To do this, the Browser creates a pair of keys: a public pubKey and a private privKey. The encKey is protected using a public key, and can only be decrypted using a private key.

The public key pubKey does not need protecting, because it is useless for decryption, but the private key privKey is a different story. To protect it from theft, it is locked according to the PKCS#8 standard with the passphrase unlockKey, which in turn is the result of hashing the master password with PBKDF2-HMAC-SHA256 (100,000 iterations, with a salt and the vault id mixed in). If the master password happens to match an already leaked website password, the salt hides this fact and makes cracking harder. And thanks to the iterated hashing of a sufficiently long master password, the cost of cracking unlockKey is comparable to cracking encKey.

The encrypted passwords, the encrypted encKey, the encrypted private key privKey and the public key pubKey are stored in the browser profile and synchronized with the user's other devices.

To make it easier to understand all this, here is a password decryption scheme:

This architecture using a master password has a number of advantages:

– The 256-bit storage encryption key is randomly generated and has high cryptographic strength compared to human-generated passwords.
– When brute-forcing the master password, the attacker will not know the result unless he goes through the entire chain (password-PBKDF2-RSA-AES). This is very long and very expensive.
– If the hashing function is compromised, we can switch to an alternative hashing function while maintaining backward compatibility.
– If an attacker finds out the master password, then it can be changed without the complex and risky procedure of decrypting the entire storage, because the data encryption key is not associated with the master password, and therefore is not compromised.
– The encryption key is stored in encrypted form. Neither Yandex nor the attacker who stole the Yandex password will be able to access the synchronized passwords, since this requires a master password, which is not stored anywhere.

But the master password option has one “disadvantage”: the user may forget the master password. This is normal when it comes to specialized solutions used by experienced users who are well aware of the risks. But in a product with a multimillion-dollar audience, this is unacceptable. If we do not provide a backup option, then many Yandex.Browser users will either refuse to use a master password, or one day “lose” all their passwords, and the Browser will be to blame for this (you will be surprised, but it is Yandex that often turns out to be the last resort in a situation where the person forgot his account password). And coming up with a solution is not so easy.

How to reset the master password without revealing passwords?

Some products solve this problem by storing the decrypted data (or even the master password) in the cloud. This option was not suitable for us, because an attacker could steal the Yandex password, and with it the passwords for all sites. So we needed a way to restore access to the password storage that no one except the user himself could use. Third-party password managers suggest creating a backup file, which the user must store in a safe place. A good solution, but regular users will inevitably lose such backup keys, so ours is much simpler.

Let's remember the key dependency chain once again. The password storage is encrypted using a random encKey, which is not explicitly stored anywhere. This key is protected using the private key privKey, which is also not stored explicitly and is in turn protected using a complex hash of the master password. When a person forgets the master password, he is effectively deprived of the ability to decrypt the privKey. This means that you can store a duplicate privKey as a backup. But where? And how to protect it?

If you place the decrypted privKey in the cloud, the security of the passwords will depend on your Yandex account. And that’s exactly what we didn’t want to allow. If you store it explicitly locally, then all protection with a master password loses any meaning. There is no place where you can safely store this key in explicit form. This means that it must be encrypted. To do this, the Browser creates a random 256-bit key that protects the duplicate privKey. Now comes the fun part. This random key is sent for storage to the Yandex.Passport cloud. And the encrypted duplicate remains stored in the local Browser profile. It turns out that neither in the cloud nor on the computer there is a ready-made pair for decrypting passwords, and security does not suffer.

With this option the master password could be reset only where the duplicate privKey was created. We wanted the feature on synchronized devices too. Creating a backup key manually on each device is inconvenient: you could end up with just the device on which you forgot to create a duplicate. Nor can the encrypted duplicate be sent to other devices via synchronization: its key is already in the cloud, and for security reasons the two must not end up in one place. Therefore the encrypted duplicate privKey gets another layer of encryption, this time with a hash of the master password. The master password is not stored in the cloud, so the resulting “matryoshka” can be safely synchronized. On other devices the extra layer is removed the first time you enter the master password.

As a result, when the user forgets the master password, he will only need to request a password reset through the browser and confirm his identity using the Yandex password.

The browser will request a key from Yandex.Passport, use it to decrypt the duplicate key privKey, use it to decrypt the key to the encKey storage, and then create a new pair of pubKey and privKey, the latter of which will be protected by a new master password. The password storage is not decrypted, which reduces the risk of data loss. By the way, you can also forcibly change the encKey and re-encrypt the data: just disable and re-enable the master password in the settings.

It turns out that only the user himself can reset the master password, and only on a device where he has entered it at least once. Of course, creating a backup key is optional if the user is sure he will not forget the master password. You don't even have to use a master password at all, although we don't recommend giving it up.

The new architecture and master password are not the only changes in the new manager. As we said above, ease of use and advanced features are no less important.

New password manager

First of all, we've done away with the discreet gray bar that prompts you to save your password. The user will now see a prompt next to the password field. It's hard not to notice this.

And you no longer have to look for the manager in the settings: the button is in the main menu. The list of saved accounts now supports sorting by login, address and note. We have also added editing of records.

Tip: Notes are a great alternative to tags because they are searchable.

And the Browser now helps you create unique passwords.

In the first beta version, we didn’t manage to do everything. In the future, we will support exporting and importing passwords for compatibility with popular third-party solutions. We also have an idea to add settings to the password generator.

Mobile password manager

Of course, the new logic and master password support will appear not only on the computer, but also in the Android and iOS versions of Yandex.Browser, with a little adaptation. For example, you can use a fingerprint as well as a master password. We have also blocked programmatic screenshots on the password list page, so malicious applications need not be feared there.

Today you can try the new password manager in

A key rule of Internet security calls for creating different passwords for different accounts. In this case, even if they learn one password, attackers will not be able to gain access to other profiles and sites. Remembering dozens of passwords is difficult, and trusting them to traditional paper is dangerous. Therefore, the ability to generate, protect and edit passwords directly in the browser using the Yandex Browser password manager is a real godsend for socially active people.

What is it and what is it for?

A password manager is a function built into the Internet browser that allows you to store passwords and logins for the most frequently visited sites. At the same time, personal login information is reliably protected from hacking by intruders or accidental possession by third parties. Special options allow you to manage saved information and, if necessary, edit it.

Additional features of the extension automatically prompt the user to save the once entered password in the manager. The form is saved only after confirmation of this option by the account owner. Data from the manager is available on any device when account synchronization is enabled.

Where is it located and how to install it in Yandex Browser on a computer

  1. The password storage manager is available in the main menu of the browser: just click on the icon depicting three bars and select the appropriate section from the drop-down list.

    To go to the password manager, you need to select the appropriate item in the browser menu

  2. The user needs to create a single master password to log in to the system

    An additional measure is to generate a backup password: in case the master password is forgotten.

The procedure for launching and then using this useful add-on is simple:

  1. When you first log into a site where the user is already registered, the system will prompt you to save the password you entered. When registering on a new Yandex website, you need to enter a password automatically generated by the system and remember it.
  2. When you select the “Password Manager” section of the main menu, a list of all saved logins will open with brief information about them - website and note.

    Scroll accounts available in password manager

  3. Clicking on any of them will open an editing window where you can change the password or set a note.

    To change the data, you need to click on the account

Connecting a password manager in the mobile version of Yandex Browser

In the mobile version the setup procedure is similar to the desktop one:

  1. In the main menu, select “Password Manager”.

    Selecting a password manager is available in the mobile browser menu

  2. When you first start, create a master password or select another security option - a fingerprint scanner or PIN code.

    If you are not sure that you will remember the master password, then enable the option to reset it

    Select one of the unlocking methods in the system

  3. When logging into your account, save the old password or accept the new one generated by the system.

    When logging in, you can use your old password or use the one suggested by the system

Is it possible to recover the master password if I forgot?

To protect information stored in the password manager on smartphones and tablets, use a pattern lock or a fingerprint scanner, and on the desktop version a master password. This is one of the additional mechanisms for protecting user data.

If it happens that the user has lost the master password and does not remember it, then you can use the backup password to recover it. This is possible subject to a number of conditions:

  • the backup password was created at the same time as the master password;
  • the user remembers the key to his Yandex account;
  • an attempt to reset the master password is made on the device where it was previously successfully entered at least once.

How to disable

When using third-party services for storing security keys, or if you do not want to save access data for a certain site (for example, you allowed a friend to log into their account from your device), the password storage extension can be disabled. To do this, follow these steps:

  1. Open the corresponding item in the main menu.
  2. Enter the master password.
  3. Open the “Settings” section.
  4. Activate the “Turn off password manager” option.

Thus, a password manager allows you to comply with one of the main conditions of Internet security: storing different logins and passwords for accounts in a place inaccessible to third parties. However, it is worth noting that similar functionality is available in other browsers, for example, in Opera, or is implemented when using services such as RoboForm, KeePass and others.
