“Master Password” is a password manager alternative that does not store passwords

Master Password is a different way of handling passwords. Its method is not “know one password and save all other passwords in a certain place”, which is how ordinary password managers work, but “know one password and generate all other passwords”.

Master Password is free and open source, does not store any passwords, does not use cloud servers, and only requires you to remember one password. It is available for Android, iOS, desktop, console and web.
Instead of storing passwords locally or in the cloud, Master Password uses a cryptographic algorithm to calculate your passwords. The application uses the user name, master password, site name, site counter, and site template values to calculate the password for a given website. As a result, it can retrieve your password without storing it anywhere.
The advantages of using Master Password instead of a traditional password manager include:

  • Your passwords are not stored anywhere, so you don’t have to trust any third party with them (hence, you don’t have to worry that a service you use will be hacked or be unavailable when you need it).
  • If your device is damaged or stolen, you can use any other device to get your passwords.
  • You don’t need to back up your passwords.
  • There is no need to keep passwords synchronized in some easily accessible place.

But there are some disadvantages:

  • Since each password created using Master Password is derived from your master password (and other inputs), if your master password is stolen or you want to change it for any reason, you will need to change all your website passwords as well. Therefore, use a strong password (although that should always be the case).
  • If you need to change a website password (for example, if a website is hacked and forces you to change your password), you need to increase the “counter” value set for that website in Master Password to generate a new password, and remember to use the new counter value every time you use Master Password to calculate that website's password. One way to solve this problem is to store the counter value (and any other special settings that some websites may need) somewhere.

The Master Password Wikipedia page mentions that the algorithm uses an intentionally slow key derivation function to generate the master key, making brute force attacks infeasible. The master key is a global 64-byte secret key generated from the user’s secret master password, and is tied to the user's full name.
The master key, site name and site counter are then used to generate a site-specific secret (key) using the HMAC-SHA256 algorithm.
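
The derivation chain described above, sketched in Python as an added example (not the Master Password project's code, and not expected to reproduce the passwords the official apps generate). The choice of scrypt and its parameters, the full name used as salt, the `NAMESPACE` string, the field layout and the single template with its character classes are all assumptions of this sketch.

```python
import hashlib
import hmac
import struct

# Assumed for this sketch: scrypt and these cost parameters. The page only
# says the KDF is intentionally slow and yields a 64-byte master key.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**15, 8, 2, 64
NAMESPACE = b"example.mpw.sketch"  # hypothetical domain separator
TEMPLATE = "CvcvnoCvcvCvcv"  # one assumed site template
CLASSES = {  # assumed character class for each template letter
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}


def _lp(text: str) -> bytes:
    """Length-prefix a field so adjacent fields cannot run together."""
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def master_key(full_name: str, master_password: str) -> bytes:
    """Slow step: derive the 64-byte master key, using the full name as salt."""
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=NAMESPACE + _lp(full_name),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=KEY_LEN,
    )


def site_password(key: bytes, site_name: str, counter: int = 1) -> str:
    """Fast step: HMAC-SHA256 over site name and counter, mapped to a template."""
    msg = NAMESPACE + _lp(site_name) + struct.pack(">I", counter)
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    return "".join(
        CLASSES[c][seed[i] % len(CLASSES[c])] for i, c in enumerate(TEMPLATE)
    )


if __name__ == "__main__":
    key = master_key("Jane Example", "constructed master password")
    for site, n in [("twitter.com", 1), ("twitter.com", 2), ("www.twitter.com", 1)]:
        print(site, n, site_password(key, site, n))  # constructed inputs
```

Changing the counter or any character of the site name changes the HMAC input and therefore the whole password, which is why the site name has to be entered identically every time.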
Read the Master Password FAQ for more information about its security. It should also be noted that although Master Password cannot automatically fill in login credentials in a web browser, there are third-party extensions that can do this. For example, MasterPassword-Firefox (which can also be used with Chromium) can automatically fill in your user name and password.

Using Master Password

Although the Master Password web app does not store anything, the Android app can remember only your name (I haven’t tried them yet, so I don’t know about the iOS and Mac apps), and the desktop Java app can save your name and the sites you have used, to make them easier to use in the future. This is not required (you can check the “Incognito” box to not save the user to disk); it is just a way to simplify access to your passwords.
The site names are saved in ~/.mpw.d. If you use multiple computers, you can sync this folder with Nextcloud, Dropbox or other services to use it on all of them. Passwords are not stored here or anywhere else.
The Master Password desktop application uses Java, so to run it, you will need a JRE. You can use OpenJDK or Oracle Java. You can install the OpenJDK 8 JRE on Debian, Ubuntu, elementary OS, Linux Mint, and other Linux distributions based on Debian or Ubuntu using the following command:

sudo apt install openjdk-8-jre

You may also need to mark the downloaded masterpassword-gui.jar file as executable. You can do this with your file manager or with the following command (assuming you put the .jar file in your home directory):

chmod +x ~/masterpassword-gui.jar

To use the Master Password desktop (Java) application, double-click the .jar file to start it. Next, click the + icon on the left to add a new user to Master Password. Enter your full name here (you need to remember it!) and click OK:

[Screenshot: Add user with master password]

You can check the Incognito box if you don’t want to save the user to disk.
On the next screen, you need to set a master password (just like the full name entered in the previous step, make sure you don’t forget it):

[Screenshot: Master password]

Now it’s time to generate / calculate the password for a website. Suppose you want to obtain the password for your Twitter account. Type yourusername@twitter.com (use your actual Twitter username here) in the ... password for: field and press the Enter key:

[Screenshot: Master Password Add Website]

I recommend using yourusername@twitter.com (replace yourusername with your actual Twitter username) in case you have multiple accounts. Even if you don’t have multiple accounts now, you may create more in the future, and this lets you tell the accounts apart. You can also use just twitter.com, but only if you are sure you will not create multiple accounts for that particular website.
It is recommended to use the same format for every website. This makes it easier to remember how you entered the site name, because when you want to use Master Password to calculate a password, you need to enter the site name in exactly the same way (unless you only use the Master Password desktop application with a user that is saved to disk).
I suggest not entering mobile.twitter.com, http://twitter.com, https://www.twitter.com or some other variant; just stick to one format.
After adding a site, you can change its settings by clicking the first icon at the top right of the application window:

[Screenshot: Master password site settings]

Here, you can change the algorithm, counter value, password type, login type, and enter the URL of the website. It is best to use the default values whenever possible so that you do not forget the settings used when you need to calculate the password.
If you want to use a password, select the desired entry / website in Master Password and press the Enter key. When you do this, the password is automatically copied to the clipboard, and the Master Password application window is minimized.
If you want to calculate a password with an application that does not store the site names, for example the web app, you need to enter the full name, site name, counter value (if you have changed it from the default value of 1) and the master password. Try it out: enter the details you used in the desktop application into the Master Password web application, and the calculated password should be the same.

Download Master Password

There are official Master Password apps for desktop (Java), macOS, Android, iOS, console and web. You will also find unofficial apps / extensions, such as for Firefox or Chrome / Chromium, another Master Password app for Android (and possibly others).
The Master Password application code is available on GitLab, along with more information.

