What is Master Password?
In 2010, I began work on an algorithm for addressing my own personal password needs.
Frustrated with the constant demand for passwords from every new website and unsatisfied with the existing proposals for how to address this need by the market, I had the benefit of being a software engineer and a background in security applications development.
The first few iterations of my personal solutions were simple, but it quickly became apparent that a complete and reliable solution that could adequately address the many security pitfalls was going to require deeper commitment. Having always been of the type to go back to the basic principles underlying the problem to address the issue from the root cause, this path eventually led me to develop the Master Password algorithm.
For the technical; my journey in a nutshell boiled down to:
- Generate random tokens by hashing
dd if=/dev/random bs=1024 count=1 | openssl md5), then save the token somewhere.
- Fry my disks by being clumsy, losing all saved passwords.
- Remove the reliance on storage by hashing the site name (eg.
openssl md5 <<< "$host")
- Seed the hash to escape rainbow tables (eg.
openssl md5 <<< "$host-$secret")
- Site password policies support using password templates (eg.
openssl sha256 <<< "$host-$secret" | passwordCipher)
- Introduce a KDF to counter brute-forcing the secret.
- Multi-layered protection by switching from simple hashing to message authentication.
- Testing, testing, consulting, coding, testing, seeking feedback, coding, testing.
Master Password first appeared in 2011 on iPhone, and has since garnered a large audience of users excited about no longer being dependent on the cloud, secure vaults, backups and personal storage systems for their secure online access controls.
Since then, I’ve brought Master Password solutions to all sorts of platforms. We now have applications for:
- iPhone and iPad
- Linux / BSD / *NIX
- Java desktop (including Windows)
- Web (offline / self-hosted)
The next evolution of Master Password is now called Spectre.
Spectre is a new platform based on the algorithm that underpins Master Password. It is a fully rewritten and modernized software suite that will replace the old and enable all future capabilities. Spectre aims to grow beyond just passwords and offer a fully decentralized self-owned solution for privacy-first online identity management.
Maintenance and development will now shift to Spectre and Master Password will no longer be actively maintained. We recommend that everyone shift their user profiles from their Master Password apps to the Spectre app. Both Master Password and Spectre have been coded specifically to make this migration as easy as possible for you:
- Install the Spectre app,
- Log in to your Master Password user,
- Master Password should detect the Spectre app and prompt you to migrate your user,
- Tap the message and enter your master password to export your user from Master Password into Spectre,
- Spectre should now open and your user should be imported and ready for use,
- Just sign in to your new Spectre user and find all of your old Master Password sites with all of their details intact.
With Spectre now available on iPhone and iPad, it will soon be coming to the other platforms. The goal is still to make Spectre available from any of your devices, so you can get to your passwords no matter what, where or why.
Spectre comes with more modern platform support, rewritten in a modern new development language for improved security and reliability, and integrates more tightly with the operating system (such as by offering password AutoFill).
Spectre, like Master Password, is open-source, authored entirely by myself, available for free, forever. It will also be financially supported by a new model for those who are interested in the improved systems integration and convenience features, which will allow me to focus my efforts into keeping this project alive and growing.
A quick list of additional capabilities in Spectre (at launch):
- Redesigned modern interface
- Personalizable user interface
- Incognito users
- Privacy improvements such as enhanced identifier decoupling and “Offline Mode”
- Login identicon for typo detection
- Explicit Universal Clipboard & Handoff support
- Explicit support for FaceID
- Password Auto-Fill from other applications and browsers
- Third-party application storage & file sharing
- Opening sites from within the app