Create the strongest password and remember it. The new Yandex.Browser protects passwords with a master password

A key rule of Internet security is to use a different password for every account. Then, even if attackers learn one password, they cannot reach your other profiles and sites. Remembering dozens of passwords is hard, and entrusting them to paper is risky. That is why the ability to generate, protect and edit passwords right in the browser, using the Yandex.Browser password manager, is a real find for anyone with many online accounts.

What it is and what it is for

The password manager is a feature built into the browser that stores the logins and passwords for the sites you visit most often. Your login data is protected from theft by intruders and from accidental disclosure to third parties. Dedicated options let you manage the saved information and edit it when needed.

The manager also prompts you to save a password once you have entered it; the entry is stored only after the account owner confirms the prompt. When account synchronization is enabled, data from the manager is available on any of your devices.

Where it is located and how to enable it in Yandex.Browser on a computer

  1. The password manager is available from the browser's main menu: click the icon with three horizontal stripes and choose the corresponding item in the drop-down list.

    To open the password manager, select the corresponding item in the browser menu

  2. The user then creates a single master password that unlocks the store.

    As an additional measure, a spare (backup) password can be generated in case the master password is forgotten.

The start-up procedure and subsequent use of this handy addition are simple:

  1. When you first sign in to a site where you are already registered, the browser offers to save the password you entered. When registering on a new site, you can enter the password that the browser generates automatically and remember it.
  2. When you select the “Password Manager” section of the main menu, a list of all saved logins opens, with brief information about each: the site and a note.

    Scroll through the accounts available in the password manager

  3. Clicking on any entry opens an editing window where you can change the password or add a note.

    To change the data, click on the account

Enabling the password manager in the mobile version of Yandex.Browser

In the mobile version the setup procedure is similar to the desktop one:

  1. Select “Password Manager” from the main menu.

    The password manager is available from the menu of the mobile browser

  2. On first launch, create a master password or choose another security option: a fingerprint scanner or a PIN code.

    If you are not sure you will remember the master password, turn on the option to reset it

    Choose one of the ways to unlock the system

  3. When signing in to an account, save the old password or accept a new one generated by the browser.

    When signing in, you can use the old password or the one suggested by the browser.

Can I recover my master password if I forgot it?

To protect the information saved in the password manager, smartphones and tablets use a pattern lock or a fingerprint scanner, while the desktop version uses a master password. This is one more layer of protection for user data.

If the master password has been lost and the user cannot remember it, the spare password can be used to reset it. This is possible only if a number of conditions are met:

  • the backup password was created at the same time as the master password;
  • the user remembers the password to the Yandex account;
  • the reset is attempted on a device where the master password was previously entered successfully at least once.

How to disable it

If you use a third-party password storage service, or do not want to save the login data for a site (for example, you let a friend sign in from your device), you can disable the password manager. To do so, follow these steps:

  1. Open the corresponding item in the main menu.
  2. Enter the master password.
  3. Open the “Settings” section.
  4. Activate the “Turn off password manager” option.

Thus, the password manager lets you meet one of the main conditions of Internet security: keeping distinct logins and passwords for your accounts in a place inaccessible to third parties. Note that similar functionality exists in other browsers, for example Opera, and in services such as RoboForm, KeePass and others.

Oddly enough, only 1% of browser users use specialized extensions for storing passwords (LastPass, KeePass, 1Password, ...). For everyone else, password security depends on the browser. Today we will tell Habrahabr readers why our team abandoned the password protection architecture inherited from the Chromium project and how we developed our own password manager, which is already in beta testing. You will also learn how we solved the problem of resetting the master password without decrypting the passwords themselves.

From a security point of view, each site should have its own unique password: if attackers steal one password, they gain access to only one site. The problem is that remembering dozens of strong passwords is very hard. Some people honestly come up with new passwords and write them down by hand in a notebook (and then lose it, passwords and all); others use the same password on every site. It is hard to say which is worse. A password manager built into the browser could be the solution for millions of ordinary users, but its effectiveness depends on how simple and secure it is. In both respects the previous solution had gaps, which we discuss below.

Why are we creating a new password manager?

In the current Windows implementation of the password manager, inherited from Chromium, saved passwords are protected quite simply. They are encrypted by the operating system (for example, on Windows 7 the CryptProtectData function, based on AES, is used), but they are not kept in an isolated area, just in the profile folder. That would seem to be no problem, since the data is encrypted, but the decryption key is also held by the operating system. Any program on the computer can go to the browser profile folder, obtain the key, decrypt the passwords locally and send them to a third-party server, and no one will notice.

Many users would also like to make sure that a person with no special skills who gets brief access to the browser (a relative or work colleague, say) cannot sign in to important sites with the saved passwords.

Both problems are solved by a master password that is used to protect the data but is not stored anywhere. That became the first requirement for the new password storage architecture in Yandex.Browser. But not the only one.

However secure the new password manager is, its popularity depends on how easy it is to use. Recall that 1Password, KeePass and LastPass together are used by no more than one percent of users (even though we offer LastPass in our built-in add-on catalog). Another example: this is how the old implementation of the Browser offered to save a password:

Experienced users will agree, refuse, or at least do something with this notification. But in 80% of cases it simply goes unnoticed. Many users do not even know that passwords can be saved in the browser.

The functionality deserves a separate mention. Today even getting to the list of your passwords is not easy: open the menu, click settings, go to advanced settings and find the password management button there. Only then does the user reach a primitive list of accounts that cannot be sorted by login, cannot carry a text note and cannot be edited. In addition, a password manager ought to help you come up with new passwords.

And one more thing. It was important to us that the new architecture comply with Kerckhoffs's principle: its security must not depend on attackers not knowing the algorithms used. A cryptosystem must remain secure even when they know everything except the keys.

Why didn't we take a ready-made solution?

There are open-source products that support a master password and extended functionality. They could have been integrated into the browser, but they did not suit us for several reasons.

KeePass comes to mind first. But its store is encrypted as a whole, whereas synchronization in our Browser works record by record. That means either asking for the master password on every synchronization or encrypting each record separately. The second option is kinder to users. Moreover, in a mass product the user should be able to see that a saved password is available to fill in before unlocking the database with the master password, so some of the information must remain unencrypted.

Specialized password add-ons let you reset the master password if you have forgotten it, but for that you need to download a backup code or file, hide it and not lose it. That is fine for power users but hard for everyone else. So we had to devise an alternative. Spoiler: in the end we found a scheme in which you can reset the master password, yet even Yandex cannot access the database. More on that later.

In any case, any third-party solution would have needed serious rework to integrate it natively into the browser (rewriting it in C++ and Java) and to make it simple enough for users (replacing the entire interface). Surprising as it may sound, writing a new architecture for storing and encrypting passwords is easier than doing all the rest. So it is more logical to refine our own product than to try to bolt together two initially incompatible ones.

New architecture using a master password

There is nothing unusual about how the records themselves are stored. We use the reliable and fast AES-256-GCM algorithm to encrypt passwords and notes; addresses and logins are not encrypted, for ease of use, but are signed to protect them from substitution. The storage scheme in 1Password is arranged in a similar way.

The most interesting part is protecting the 256-bit encKey that is needed to decrypt the passwords. This key is the linchpin of password security: if an attacker learns it, he can easily open the entire store regardless of how strong the encryption algorithm is. Key protection is therefore based on the following principles:

– Access to the encryption key is blocked by a master password that is not stored anywhere.
– The encryption key must not be mathematically related to the master password.

In simple services and applications the encryption key is obtained by hashing the master password, which at least slows down a brute-force attack somewhat. But the mathematical dependence of the key on the master password still makes cracking easier: its speed then depends only on the strength of the hashing, and farms of ASICs built for password cracking are no longer a rarity. In our case, therefore, encKey is not derived from the master password but generated randomly.

encKey is then encrypted with the asymmetric RSA-OAEP algorithm. For this the Browser creates a key pair: a public pubKey and a private privKey. encKey is protected with the public key and can be decrypted only with the private key.

The public key pubKey needs no protection, since it cannot be used for decryption, but with the private privKey the story is different. To protect it from theft, access to it is locked in accordance with the PKCS#8 standard using the unlockKey passphrase, which in turn is the result of hashing the master password with PBKDF2-HMAC-SHA256 (100,000 iterations, with a salt and the storage id added). If the master password happens to match a password already stolen from some site, the salt hides this fact and makes cracking harder. And thanks to the repeated hashing of a sufficiently long master password, the effort of cracking unlockKey is comparable to that of cracking encKey.

The encrypted passwords, the encrypted key to them (encKey), the encrypted private key privKey and the public key pubKey are stored in the browser profile and synchronized with the user's other devices.

To make all this easier to understand, here is the password decryption scheme:

This master password architecture has a number of advantages:

– The 256-bit store encryption key is generated randomly and is far stronger than any human-made password.
– When brute-forcing the master password, the attacker cannot learn whether a guess is right without going through the whole chain (password, PBKDF2, RSA, AES), which is very long and very expensive.
– If the hashing function is compromised, we can switch to an alternative hashing scheme at any time while maintaining backward compatibility.
– If an attacker learns the master password, it can be changed without the complicated and risky procedure of decrypting the entire vault, because the data encryption key is not tied to the master password and so is not compromised.
– The encryption key is stored in encrypted form. Neither Yandex nor an attacker who steals the Yandex account password can access the synchronized passwords, since that requires the master password, which is not stored anywhere.

But the master password option has one “disadvantage”: the user can forget it. That is normal in specialized solutions used by advanced users who are well aware of the risk, but in a product with an audience of millions it is unacceptable. If we provide no fallback, many Yandex.Browser users will either refuse to use a master password or one day “lose” all their passwords, and the Browser will get the blame (surprisingly, it is often Yandex that ends up being blamed when a person forgets an account password). And devising a solution is not so easy.

How to reset the master password without exposing the passwords?

Some products solve this by storing the decrypted data (or even the master password) in the cloud. That was not an option for us: an attacker could steal the Yandex password and with it the passwords for all sites. So we had to find a way to restore access to the password vault that nobody but the user himself could use. Third-party password managers offer to create a backup file that the user must keep in a safe place. A good solution, but ordinary users will inevitably lose such backup keys, so our approach is much simpler.

Let us recall the key dependency chain again. The password vault is encrypted with a random key, encKey, which is not stored anywhere in the clear. That key is protected by the private key privKey, which is likewise not stored in the clear and is in turn protected by a strong hash of the master password. When a person forgets the master password, what they actually lose is the ability to decrypt privKey. That means a duplicate of privKey can be stored as a fallback. But where? And how should it be protected?

If the decrypted privKey is placed in the cloud, password security depends on the Yandex account, which is exactly what we did not want. If it is stored in the clear locally, the master password protection loses all meaning. There is no place where this key can safely be stored in the clear, so it has to be encrypted. For this the Browser creates a random 256-bit key that protects the duplicate privKey. Now the most interesting part: this random key is sent to the Yandex.Passport cloud for storage, while the encrypted duplicate stays in the local Browser profile. So neither the cloud nor the computer holds a ready-made pair for decrypting the passwords, and security does not suffer.

With this scheme, the master password could be reset only on the device where the duplicate privKey was created. We wanted synced devices to have this ability as well. Creating a backup key on each device manually is inconvenient: you can easily end up holding the one device on which you forgot to create a duplicate. Nor can the encrypted duplicate be sent to other devices via synchronization: the key to it is already stored in the cloud, and for security reasons the two must never meet in one place. So the encrypted duplicate privKey gets yet another layer of encryption, this time using a hash of the master password. The master password is not stored in the cloud, so the resulting “matryoshka” can be synchronized safely. On other devices, the first time you enter the master password, the extra layer is removed.

As a result, when the user forgets the master password, it is enough to request a reset through the browser and confirm their identity with the Yandex account password.

The browser requests the key from Yandex.Passport, uses it to decrypt the duplicate privKey, uses that to decrypt the store key encKey, and then creates a new pubKey/privKey pair, the latter protected by a new master password. The password store itself is not decrypted, which reduces the risk of data loss. Incidentally, you can also force a change of encKey and re-encrypt the data: just disable and re-enable the master password in the settings.

So only the user himself can reset the master password, and only on a device where he has entered it at least once. Of course, creating a backup key is not mandatory if the user is confident. Even the master password itself can be skipped, though we do not recommend doing without it.

The new architecture and the master password are not the only changes in the new manager. As we said above, ease of use and advanced features matter just as much.

New password manager

First of all, we dropped the inconspicuous gray bar suggesting to save the password. The user now sees the suggestion next to the password field, which is hard to miss.

The manager itself no longer has to be hunted for in the settings: its button is in the main menu. The list of saved accounts now supports sorting by login, address and note, and entries can be edited.

Tip: notes are a great alternative to tags because they are searchable.

And the Browser now helps you create unique passwords.

We did not manage to do everything in the first beta. In future we will support exporting and importing passwords for compatibility with popular third-party solutions. We also plan to add settings to the password generator.

Mobile password manager

Of course, the new logic and master password support will appear not only on computers but also in Yandex.Browser for Android and iOS, with some adaptation. For example, you can use a fingerprint as well as a master password. We have also blocked programmatic screenshots of the password list page, so malicious applications cannot capture it.

Today you can try the new password manager in

It takes only fifteen seconds for someone sitting at your computer to see the list of all the passwords you have entered and saved in Firefox or Thunderbird. The list is displayed as plain as day and may include webmail and forum passwords or your e-mail server password. Using a master password is highly recommended to prevent such prying users from browsing the list. Once a master password is set, anyone using your profile is prompted for it when they need access to your saved passwords. While Firefox's master password is a welcome security addition, it can quickly become a burden if you lose the master password you entered. There is no way simply to view a file and copy your master password; there would be no point in a master password that could be found in a file.

Reset Master Password

If you have lost or forgotten your master password, or wish to disable this feature, you can reset it. Resetting the master password deletes all saved passwords. After the reset you lose all data stored in the password manager; this is a built-in security measure so that people cannot simply reset the master password to gain access to your passwords.

  • Firefox: enter chrome://pippki/content/resetpassword.xul in the address bar, press Enter and click the “Reset” button.
  • Thunderbird: select Tools -> Error Console, enter the expression openDialog("chrome://pippki/content/resetpassword.xul") and click the Evaluate button. A dialog opens asking whether you want to reset your password.
  • Mozilla Suite/SeaMonkey: Edit -> Preferences -> Privacy & Security -> Master Passwords -> Reset Password.

The only other approach that can yield results is to enumerate passwords. Its success depends on the master password you chose.
Brute forcing is more likely to succeed if the master password consists of existing words or names, but it cannot find a random password made of letters and digits.
Brute-forcing the Firefox master password:
software called FireMaster attempts to recover the master password by brute force.
*FireMaster uses various methods to generate passwords on the fly.
*It then computes the hash of each password using a known algorithm.
*This password hash is used to decrypt the encrypted data to a known plaintext (e.g. the “password-check” string).
*If the decrypted string matches the known text (e.g. “password-check”), the generated password is the master password.
Brute force is worth trying only if you are almost sure you used a word or phrase. Passwords such as "X23n52fF:tht0_ete%v5" cannot be recovered this way. The FireMaster software can be downloaded from the following link: FireMaster.

Most users use the browser's remember-passwords feature so as not to enter logins and passwords every time on frequently visited sites. But then anyone who uses your browser could gain access to your accounts. A master password helps protect your personal data in Mozilla Firefox.

The master password serves to keep you safe on various websites. It encrypts your passwords so that extracting them from the browser becomes much harder, even if the attacker has physical access to your computer.

Besides that, a master password protects access to your certificates. This is very useful if, for example, you use a WebMoney wallet with certificate-based authorization: anyone who obtains your certificate gets access to the wallet and all the money in it. The master password prevents this.

How does the master password work? When you launch Mozilla Firefox and start a new session, the browser asks for the master password the first time you try to access information protected by it. Once you enter it, you have access to all saved passwords and certificates. So the master password is entered once per session.

How to set a master password in Mozilla Firefox: from the Tools menu select Options. In the settings window that opens, go to the Security tab and tick “Use a master password”. If you have not used one before, a Change Master Password window opens asking you to set one.

Enter the new master password twice in the corresponding fields. The bar at the bottom shows the quality level of your password (that is, how secure it is). Remember that a secure password should not be a simple combination of digits or letters (123456, qwerty, etc.). One of the best options is a combination of lowercase and uppercase letters, special characters and digits.

Be sure to remember the master password or write it down (just do not keep the piece of paper next to the computer). If you forget it, you will no longer be able to access the information it protects. When finished, click OK.

If you need to change the master password, go to the Security tab in the browser settings again, click “Change Master Password...”, enter the old master password and then the new one twice, and click OK. To disable the master password, simply untick the corresponding box on the Security tab.

What if you forgot your master password? The program offers no regular way to recover it, but there are several ways to reset it in order to set a new one. Enter the following text in your browser's address bar:

chrome://pippki/content/resetpassword.xul

A warning appears stating that after the master password is reset, saved passwords, private keys, personal certificates and form data will also be lost. This cannot be avoided: it is the “price” of a forgotten master password. To reset the password, click “Reset”. After that you can set a new password or stop using one.

There is another way to remove the master password, but it too is deleted together with the other saved passwords. To do this, manually delete the password files from your browser profile folder.

From the Help menu select Troubleshooting Information. The about:support page opens. In the application details table, click the button that opens the profile folder. Your Firefox profile folder opens; delete the signons.txt and key.db files there.

A master password is a handy option that helps protect your personal information. But it is very important to think of a strong password and not forget it.

Strong passwords, protected from intruders, are the basis of Internet security. The new version of Yandex.Browser helps you create strong passwords and protects them with a master password. Even if your device falls into the wrong hands, your data will be safe.

New opportunities

It is important to use unique passwords on different sites: if attackers steal one password, they gain access to only one site. But creating and remembering dozens of passwords is hard, and writing them down on paper is risky. Now Yandex.Browser solves this problem: it will come up with a unique password, save it securely and offer to use it the next time you sign in to the site.

Saved passwords are available in the browser menu, in the new “Password Manager” section. They can be edited, sorted and annotated to make it easy to find what you need. And if you remember to turn on synchronization, your passwords will be available on all your devices with Yandex.Browser.

Security

The new password manager is not only more convenient but also safer. You can now protect your passwords from prying eyes with a master password. It is not stored anywhere, so no one but you can decrypt the saved passwords. Even if an attacker learns your Yandex password or steals your phone, he cannot get at the passwords. On mobile devices you can use a fingerprint, PIN or pattern instead of a master password.

If you do forget your master password, there is a safe way to reset it without losing data. Yandex.Browser offers to create a spare key. It is stored in the Browser, but in encrypted form. To reset the master password you need this key, your Yandex password, and a device on which the master password has been entered at least once. Simply put, only you can do this, so the security of your passwords is not affected.

The new password manager is already available in Yandex.Browser for computers and for Android and iOS devices. Turn on sync and keep your passwords safe on any device.