Master Password, the App that Never Stores Your Passwords
Master Password is a free password manager that does not store passwords on the devices it is run on or in the cloud. The password manager uses a different system when compared to traditional password management programs, such as Bitwarden or KeePass.
Instead of saving user generated passwords in an encrypted database, it computes strong unique passwords using a single master password and the user's name. Passwords do not get saved on the device or in the cloud, but the system that Master Password uses still supports usage on multiple devices without syncing.
Master Password for Android is a port of the iOS application of the same name. The original developer of Master Password published a revised version, called Spectre, in 2021 that is backwards compatible.
How Master Password works
Master Password computes all passwords on every start using the user's selected master password and name. The method offers several advantages over traditional password managers.
One advantage is that there is no encrypted password database that may fall into the wrong hands. Other password managers store passwords in an encrypted container, which may be copied by malicious actors.
Since there is no password database, there is no need for synchronization or a cloud connection. Users just need to install the application on their other devices and use the same master password and user combination to generate the same passwords for the services that they are using. All of this happens offline, an Internet connection is not required.
The password manager generates a key from the username and master password to generate passwords for services. The service name, e.g., amazon or ghacks, is used in the computation, and a unique password is generated based on the data.
The beauty of the solution is that the user has to remember just a single master password and username. Service names are relevant as well, and most users may want to use the name of a company or domain for that
Users get a few configuration options when a new service password is generated for the first time. They add a unique name for the service and may specify the complexity of the password. The default is set to maximum security, which generates 20 character passwords that consists of letters, numbers and special characters. Options to switch this to less secure passwords, a PIN or phrases are also provided.
Internet services may still get compromised and there is a chance that attackers may obtain user passwords. Master Password includes a site counter option, which allows users of the service to generate a new password for any of the stored services to replace the compromised one.
The application remembers the names of the services and, if added by the user, the login name. An attacker could, in theory, gain access to the app on the Android device if the right master password is entered during login. An ingenious feature of Master Password is that it accepts any other master password as well.
Master Password includes a number of convenience features. The app supports categories and notes, there is an option to import and export data, visualize password age, and to block the saving of the username that is used during sign-in.
Closing Words
Master Password uses a completely different approach to passwords. It does not store passwords but computes them using a single master password and username, and a custom name specified by the user for the service in question. The custom name is stored on the device, and import / export options allow users to transfer that data between devices or for backup purposes.
Now You: have you tried master password or a comparable app?
@Me
“idiotic” does not suit here. Agreed, for those few who have more than a few dozen passwords, it’s painful and for those very few with 1000+ passwords, it seems impossible. But that’s not the majority of people for sure. For the majority, it’s doable, not “idiotic”.
This kind of approach is idiotic, because it essentially requires you to change ALL your passwords.
Which is virtually impossible for anyone who has hundreds (if not thousands) of logins already.
I didn’t understand but it must be secure.
I’ve looked at Master Password and spectre.app before and I fail to understand its basic premise.
Also from the website: “Log in securely
From now on, just log in with your site’s Spectre password.
Share your site passwords with friends, if you like.
Under no circumstances tell anyone else your personal Spectre secret” source: https://spectre.app/ about six pages down.
Why would anyone give someone else one’s own password? What’s stopping someone from resetting the password and stealing an account?
Sounds like lovely security.
The website talks about two different passwords here. First, the Spectre password, which is the master password. Then about individual site passwords which were generated using the master password. These may be shared, but there is obviously no obligation, and most users won’t do it, exactly for the reason that you pointed out. Then again, some share their Netflix password or other passwords to share an account.
The biggest flaw that I see is when a site requires you to update your password every so often then this method does not work. I have a job that for some stupid reason requires us to give a new pwd every three months. So hashing the site address and the user name is a one off process/
You can create new passwords for specific sites using the site counter feature.
Yes, seen that but never got back to reply. So I suppose it does not matter if there is changes as all you have to do is go through the numbers again and eventually you will hit on the proper password.
For years I used this but at the time having multiple pwd changes did not work out well.
https://chriszarate.github.io/supergenpass/
@Martin. Assume one of the hundreds of websites you used is hacked. Standard procedure is to change your password for that site immediately. Do you change your master password and have to update hundreds of other sites? Do you rely on Master Password’s strength? Something else?
You use the site counter option to create a new password for that site only.
So, If I understood correctly, if one is already using another password manager, in which he has stored 50, 200, or 500+ sites/passwords ,
then migrating them to ‘master password’ or spectre is out of the question.
Since this app does not store anything, it requires me to visit all the sites I’ve been registered, and change my password to the new password that the app’s algorithm will generate.
And what about sites that force you to change your pwd every 2-3 months? how the algorithm will create a new, if the result is always based on the same parameters (say, userner+site+masterpassword).
Am I missing something?
There is the site counter option, a simple button to display a new password that you may use then for individual sites.
Does this program have (maybe through the export function?) a way to backup my settings/passwords so that I can restore the settings/program/passwords in case of an emergency?
Yes it supports import and export.
Guess I’m still missing the brilliance of the program:
“With that said, Spectre [MasterPassword] does provide its own password export file, which will hold every bit of information the app contains. This export file is in an open format, so that it is legible both to yourself and to anyone looking to programmatically parse it for import purposes. Since Spectre is fully open-source, we have also publicly documented our export format.”
https://chat.spectre.app/d/116-export-formats
Where am I ahead by using the program? Where’s the strength if there is an export file that is legible to the world–assuming most users will, at some point, want to export an emergency backup file that will be stored somewhere.
“There is unfortunately no universally recognized standard format, and I have no control or oversight over how other password managers can import password information. As such, I can’t provide a convenient mechanism to move your passwords into another manager.”
So . . . one is stuck with MasterPassword or Spectre.
“The next evolution of Master Password is now called Spectre.”
https://spectre.app/blog/2021-10-31-spectre-ios-launch/
People are having problems: looks like brilliance gone awry:
https://chat.spectre.app/d/84-how-to-import-passwords-from-master-password/4
At least let readers know what may or may not happen; I wouldn’t drop my current PWM any time soon.
Am I mistaken or has this been around for a while but not that well known? Now superseded by https://spectre.app/blog/2021-10-31-spectre-ios-launch
Palemoon with Adguard and uBlock Origin installed now displays Softonic cookie overlay and it is stupid…
This is the only desktop browser that allows me to read and post comments… Yes I can use Yandex browser on android but I find it much easier to type on the desktop…
The same thing happens with Firefox, and only started today. I have PopUpOFF extension installed, and that eliminates it. Reading the overlay, I suspect it may only happen when 3rd party cookies are blocked, but I’ve know intention of experimenting to see if that’s accurate.
Your comment surprises me. I can read and post with Firefox (I never checked with Waterfox), why do you say you can only do so with Pale Moon? If you have a bias against Firefox, see if Pale Moon has a similar extension.
Old concept :)
https://passwordmaker.org/passwordmaker.html is here for decades now. Same principle, opensource.
Security through Obscurity
Know the algorithm = crack the password.
The author could sell the algorithm to others.
Also, you need to know the user’s master password.
This is not true. The algorithms for cryptography are public knowledge. Including the one used by the app in this article.
security by obscurity (in the sense of homebrew super(tm) safe crypto algoritm) .. at least m first as
sociation.
o. It is not practical if it doesn’t handle all devices a user is likely to own.
Lots of websites don’t allow password managers to place information in the user and password form fields, and websites are always changing their password requirements and/or their login form fields. So I don’t think this idea is going to be very workable. If the user doesn’t have access to see a password and type it into a field, they are going to fail to login to a lot of sites.
Maybe I just don’t understand how this thing works.
@Andy Prough:
“[W]ebsites are always changing their password requirements . . . .”
As the kids say, “This.” For example, while some sites insist that you include, for example, at least one of a limited set of symbols or punctuation marks (e.g., !, #, @) in your password, other sites may ban at least one of those symbols/punctuation marks anywhere in the password, ban them as the initial character, or even ban symbols and punctuation marks *entirely*. Unless Master Password keeps up with every site’s ever-changing requirements, as well as their demands that users change their password after a breach, how are you supposed to program that into Master Password? Does Master Password’s “Site Counter” feature fully address those problems? And even so, if you have different instances of Master Password on different devices, or if you’re a guest on someone else’s device, how does that work? I’m extremely skeptical of storing passwords on the cloud (and I don’t do it), but I see problems as well as advantages with Master Password.
The way this and similar apps work are by not storing the user’s passwords at all.
The user’s password for a particular site is deterministically generated by the algorithm, using 3 pieces of variable information. The site, the username and the user’s personal master password.
Using those 3 pieces of information the app will generate your password for the site. It will be the same password generated every time.
Essentially it’s a deterministic password generator. As long as nobody knows your personal master password they can’t generate your password and log on as you.
The advantages are with it being ‘stateless’. There’s no encrypted database to move and sync between devices or online service storing all your encrypted passwords. You can go to the app’s website and fill in the ‘site’, ‘user’, ‘master password’ fields and it will generate your correct password. It’s incredibly portable as there’s nothing to move.
A disadvantage is you can’t store any other information, like in a typical password database. All you can do is generate passwords.
The passwords are displayed in the app and they may be copied to the clipboard. See the screenshot in the article.
>”The passwords are displayed in the app and they may be copied to the clipboard. See the screenshot in the article.”
Ah, I understand now.
Just looking at it I see all kinds of other problems, such as that it’s going to be driving users to write down answers to security questions in plain text files and to get their 2FA digits from hackable sources like SMS.
If this were incorporated as one part of a more full-fledged manager, then it might be a security improvement.
Quoting your answer I observe also that you have to anyway store encrypted usernmes as an interested criminal could point to the key-generation system instead of the encryption system of a pw manager like bitwarden. Once he get it, he could access an unencrypted list of usernames and use the key-generation system.
The usernames do not help much if the master password is not known. They may reveal the sites an account has been created on, but that is it.