The new Yandex Browser protects passwords using a master password. How we created a password manager with strong cryptography and a master password. Experience of the Yandex.Browser team

Alexander Shikhov, 09/27/2018 (10/17/2018)

By trusting website passwords to Yandex.Browser, we make life easier. Once you enable synchronization, the secret fields will be filled in automatically on all devices (computer, laptop, phone). At the same time, there is a weak point in such a system. Anyone who launches Yandex.Browser on a computer after you automatically gains access to the saved passwords. How this can be avoided is in our article.

What is a master password in Yandex Browser

The master password is essentially the key to your personal database. It is needed to exclude the possibility automatic filling login and password fields on sites, in in social networks and postal services. Even if you leave your browser open, an attacker will not be able to take advantage of it. An external program will not be able to read the key database, since it is encrypted.

A master password will help ensure security if multiple users use the same computer. The browser allows you to quickly switch between different profiles. The account password is not requested.

How to set up a master password

Open the settings menu (the button with three horizontal stripes in the right corner of the browser window). Select the Password Manager section.

In the menu that appears, click Settings, Create master password.

You may be required to enter your account password Windows entries, under which you logged in to your PC. This helps eliminate the situation of accidental activation of the mode by another user who is logged into the browser under your name. , which is easy to remember, is described in one of our articles.

If you are not sure that you will remember the code word forever, select the Enable reset option. This way you can always disable or change it if necessary.

After enabling Master Password mode, it starts working on all devices where you use Yandex Browser synchronization. When you try to use auto-fill of secret fields, the following request appears.

You determine the severity of the security policy and the frequency of requests in the settings.

It is worth noting that when using a browser on someone else's computer the best way To ensure data security, you can only log out of your account.

In this article we will tell you where passwords are located on your computer. If you have forgotten your account information (login/password), the instructions we provided will be useful when restoring access to your favorite sites. We'll look at finding saved passwords in Google Chrome And Mozilla Firefox, since they are installed on the lion's share of PCs. We will also describe the process of recovering a password for a Windows account.

How to view passwords in a browser. Guide to Finding and Protecting Saved Passwords

How to view saved passwords in Google Chrome

Each browser from the list of frequently used ones (Firefox, Chrome, Opera, Safari) has an option for storing and remembering data from accounts (for example, a master password in Opera, which protected logins and passwords). Now we will review Chrome, because most Internet users use it.

Step 1. Open Chrome. On the right, at the very end of the address bar, there is an icon of three dots. This is a button to open settings. Let's click on it.

Step 2. In the pop-up menu, select “Settings” - it’s at the very bottom.

Step 3. Scroll down the page until you find the word “Additional”. Click.

Step 4. This item reveals all the functionality of the browser settings. We need the “Passwords and Forms” block. Click on the line “Password Settings”.

Step 5. A table opens containing all the saved passwords for your accounts. What can you do here? For example, click on the peephole icon - your password will appear instead of dots. This function is extremely useful if you have forgotten the code for your account, but have no desire to go through a long recovery procedure.

Where are saved passwords in Opera?

Opera is considered a reliable browser that protects against viruses, blocks unwanted pop-ups and stores user passwords. Let's find out where exactly the codes for the sites are located.

Step 1. The master password in Opera is used to store account data. Open the “Menu” and go to “Settings”.

Step 2. In the sidebar on the left, select the security option.

Step 3. Scroll the page and click on the button shown in the screenshot.

Step 4. A window opens with all authorized services.

Where are saved passwords in Mozilla Firefox?

Firefox is the second most popular browser after Chrome. We'll tell you how to find website passwords in it.

Step 1. Open the settings. At the end of the address bar there is an icon of three stripes - click on it.

Step 2. In the left menu, select the “Protection” option. Next – “Saved logins”.

Step 3. Here you can see passwords for each specific site.

Video - How to view saved passwords in the browser?

How to find out entered passwords on a computer

Programs for searching entered codes in browsers are rarely used. We do not recommend using them because their developers are unknown. Using such programs, you can entrust your passwords and logins to third parties. How they will use them is an open question. Therefore, we recommend viewing passwords through the tools provided by the browser itself. However, one good program we can advise.

WebBrowserPassView, as the name logically suggests, is a utility for viewing passwords saved in browsers. An absolute plus of the application is that it works with multiple browsers. You don't have to rummage through the settings of Chrome or Firefox, everything is in one place. Using WebBrowserPassView, you will always know where your passwords are stored.

Download the utility from a reliable site.
Open the zipped file.
Double left click to open the file with the exe extension.
The utility does not require installation, it will open immediately main interface already with passwords from sites.
To get a detailed summary of passwords, double-click on a specific line.
A window will appear with a description of all password parameters. Let's look at the most important of them.

URL. The address of the site for which the password is saved;
WebBrowser. The browser in which the password is stored;
Password Strength. Password strength. For example, if it says Strong, then the password is strong and difficult to crack;
Created Time. The date the account password was created;
Modified Time. Date the original password was changed;
Filename. Extremely useful parameter. From it you can find out the location of the file (on your computer) in which all passwords are stored.

How to find out your Windows login password?

It happens that you forget the master password, which can only be for a computer account. To avoid losing important data, you must reset your password. How? Let's consider one of the methods.

Step 1. When you turn on/restart your PC, press the “F8” key.

Step 2. You are taking " Safe mode" You will boot into Windows, but with limited functionality. This download format was invented for troubleshooting and system testing. It is not suitable for normal daily work, but it will help solve our problem.

Step 3. Go to the “Control Panel”, look for user accounts (“Start” -> “Control Panel”).

Step 4. Then select the first parameter from the account settings block (see screenshot).

Step 5. Select your account.

Step 6. Click on the “Change your password” option.

Step 7 Set new code and save the changes. Now just restart your computer and that’s it – the problem is solved in just a few clicks.

The answer to a frequently asked question: “Is it safe to store logins/passwords in a browser?”

A frequently asked question about viewing passwords on a PC: is it safe to store logins/passwords in a browser? There are many factors here. If your computer account itself is password-protected, the risk of account “hijacking” is sharply reduced. In other cases, your data may be stolen. Simply go to your browser settings and view your saved passwords. Modern services like VKontakte, Facebook, Twitter, Steam support two-factor authentication, attaching a phone number. Even if an attacker copied your username and password, you can use the usual method of password recovery - through the phone linked to your account.

How to view someone else's correspondence using PuntoSwitcher?

PuntoSwitcher – extremely convenient program for those who deal with text. It analyzes the characters entered from the keyboard and translates the layout to the desired one. When you type text, looking at the keyboard, you may not notice that the layout has not been switched. You have to either enter the text again, or look for sites that change the damaged text to the correct one. But it’s easier to install PuntoSwitcher.

However, the program also has more interesting options. For example, you can read someone else's correspondence.

The only point is that you must have access to the PC of the user whose messages you want to know. Let's look at installing and configuring PuntoSwitcher step by step:

Step 1. Download the utility by following the link https://yandex.ru/soft/punto/ and install it.

Step 2. By default, the utility is minimized to tray. To configure PuntoSwitcher, right-click on its icon.

Step 3. In the menu, go to the “Advanced” line and check the “Keep a diary” option.

Step 4. Now all that remains is to “clean up the traces” so that the user does not suspect anything. The fact is that the program makes a characteristic sound when switching layouts. It shouldn't exist. In the settings go to " Sound effects» and turn them all off, if the checkbox is ticked, click. No checkmark means no sound.

Step 5. Open large-scale program settings.

Step 6. In the “General” tab, remove all items except autorun. We save the result.

Now, to view the text entered while running Windows, all you have to do is look in the PuntoSwitcher diary.

Is it possible to speed up password decryption in Ophcrack?

Ophcrack is one of the utilities designed for cracking passwords. To make searching for codes faster, you can add examples of common passwords entered by users to the database. Now let's put the utility into action. You can hack using Ophcrack Windows password.

Step 1. Download the utility from the developer’s website http://Ophcrakcsourceforge.net.

Step 2. We burn the downloaded image to disk. The UltraIso program will do.

If you want to know in more detail, you can read an article about it on our portal.

Step 3. Reboot the PC. Go to BIOS (key “F2”).

Step 4. In the “Boot” tab, set the priority to “CD” so that the computer boots from it, and not from the hard drive (as usual). Save the settings (key “F10”).

Step 5. Reboot the computer again. The utility will open. Select the first item (as in the screenshot).

Step 6. Click on the desired account and press the “Crack” button in the menu at the top.

Step 7 The program will perform the hack and show the password in the last column of the table (see screenshot).

Video - How to find out the Windows xp, 7, 8, 10 password in a minute

“Use a strong password” is advice that often appears online. This article is about how to create a strong password and remember it.

A password manager that can create strong passwords and remember them can help you with this. But even if you use a manager, you still need a master password for it.

Working with passwords - the easy way

There are so many websites out there these days, and you probably have accounts on many of them. Most likely, your passwords are either duplicated for each account, or created according to a specific template. From a security point of view, this is extremely unsatisfactory, because the person who guesses the password for one of your accounts will also guess it for the others.

In this case, a password manager comes to the rescue - to store dozens of your passwords in one place, you only need to know one, the master password.

There are many managers out there, but Dashlane is probably the best. the best choice for the average user. Dashlane has applications for almost all platforms, they integrate into any browser, and the manager is free to use basic functions. If you want to synchronize passwords between various devices, you need to upgrade to a premium account.

Password managers come with built-in features such as an overall security score, a password generator, and more. If you're serious about computer security, you should use strong passwords everywhere. Most easy way to do this is to use Dashlane.

Also on the list good managers passwords includes KeePass, available on all major platforms. The password database is encrypted with AES-256 with the possible use of multi-pass key conversion, which increases the program's resistance to direct attacks and makes it much more reliable than other software.

This is a great way to generate a sequence because it really guarantees that you will get a random combination of words. In addition, the formed phrase will be easy to remember.

Memorable password: a technique for generating

With the above criteria it's pretty easy to come up with a sequence. Just try typing something random, for example 3o(t&gSp&3hZ4#t9. This is a good password - 16 characters, includes the combination different types characters, and it is difficult to guess because the characters are not connected in any way. To create similar sequences, use password generators.

The only problem is how to remember such a password. Assuming you don't have a photographic memory, you would have to spend a fair amount of time learning this sequence. You need to come up with a password so that it is associated with some event or item. For example, it will be much easier to remember the sentence “The first house I ever lived in was 613 Fake Street. Rent was $400 per month.” and turn it into a password using the first letter of each word: TfhIeliw613FS.Rw$4pm. This is a strong password with 21 values.

Yes, a truly random sequence should include more numbers and special characters, but this one is also not bad. The best thing about it is that it is easy to remember.

Oddly enough, only 1% of browser users use specialized extensions for storing passwords (LastPass, KeePass, 1Password, ...). The security of all other users' passwords depends on the browser. Today we will tell Habrahabr readers why our team abandoned the password protection architecture from the Chromium project and how we developed our own password manager, which is already being tested in beta. You'll also learn how we solved the problem of resetting the master password without decrypting the passwords themselves.

From a security point of view, it is recommended to use a unique password on each site. If attackers steal one password, they will gain access to only one site. The problem is that remembering dozens of strong passwords is very difficult. Some honestly come up with new passwords and write them down by hand in a notepad (and then lose them along with it), others use the same password on all sites. It's hard to say which of these options is worse. An in-browser password manager may be a solution for millions of average users, but its effectiveness depends on how simple and secure it is. And in these matters, the previous solution had gaps, which we will discuss below.

Why are we creating a new password manager?

In the current implementation of a password manager for Windows, inherited from Chromium, saved passwords are protected by the browser quite simply. They are encrypted using the operating system (for example, the CryptProtectData function based on the AES algorithm is used on Windows 7), but are not stored in an isolated area, but simply in the profile folder. It would seem that this is not a problem, because the data is encrypted, but the decryption key is also stored in operating system. Any program on a computer can go to the browser profile folder, take the key, decrypt passwords locally, send them to a third-party server, and no one will notice.

And many users would like to prevent a random person who does not have special training, but who has short-term access to the browser (for example, a relative or work colleague), from being able to log in to important sites using saved passwords.

Both of these problems are solved by using a master password, which protects the data, but which is not stored anywhere. And this became our first requirement for the new architecture for storing passwords in Yandex.Browser. But not the only one.

No matter how secure a new password manager is, its popularity depends on how easy it is to use. Let us remind you that the same 1Password, KeePass and LastPass, even in total, are used by no more than a percentage of users (although we offer LastPass in our built-in add-on catalog). Or another example. This is how in the old implementation the Browser offers to save the password:

Experienced users will either agree, refuse, or do something about this notification. But in 80% of cases it is simply not noticed. Many users don't even know that you can save passwords in your browser.

We should also say something about functionality. Nowadays, even getting to the list of your passwords is not so easy. You need to open the menu, click on settings, go to additional settings, find the password management button there. And only then will a person have access to a primitive list of accounts that cannot be sorted by login, cannot be added with a text note, and cannot be edited. In addition, a password manager should help you come up with new passwords.

And one more thing. It was important for us that the new architecture complies with the Kerkhoffs principle, that is, that its reliability does not depend on attackers’ knowledge of the algorithms used. The cryptosystem must remain secure even if they know everything except the keys used.

Why didn't we take a ready-made solution?

There are products with open source code, which support a master password and advanced functionality. They could be integrated into the browser, but they were not suitable for us for a number of reasons.

KeePass comes to mind first. But its storage is encrypted entirely, and in our Browser synchronization works line by line. This means you must either ask for a master password at each synchronization, or encrypt the records separately. The second option is kinder to users. Moreover, for a mass product, it is important that the user knows about the ability to substitute the saved password before unlocking the database with the master password, so some of the information must remain unencrypted.

Specialized add-ons for working with passwords have the ability to reset the master password if the user has forgotten it. But to do this, you need to download, hide and not lose the backup code or file. This is fine when it comes to advanced users, but it's difficult for everyone else. So we needed to come up with an alternative solution. Spoiler: in the end, we managed to find a solution in which the master password can be reset, but even Yandex will not be able to access the database. But more on that later.

And in any case, any third-party solution would have to be seriously modified in order to be natively integrated into the browser (rewritten in C++ and Java) and make it simple enough for users (completely replace the entire interface). As surprising as it may sound, writing a new architecture for storing and encrypting passwords is easier than doing everything else. Therefore, it is more logical not to try to combine two initially incompatible products into one, but to refine your own.

New architecture using master password

There is nothing unusual about storing the records themselves. We use the reliable and fast AES-256-GCM algorithm to encrypt passwords and notes; we do not encrypt addresses and logins for ease of use, but we sign them to protect against spoofing. The storage scheme in the same 1Password is arranged in a similar way.

The most interesting thing is the protection of the 256-bit encKey, which is necessary for decrypting passwords. This is a key point in password security. If an attacker finds out this key, he can easily hack the entire storage, regardless of the complexity of the encryption algorithm. Therefore, key protection is based on the following basic principles:

– Access to the encryption key is blocked by a master password, which is not stored anywhere.
– The encryption key should not be mathematically related to the master password.

IN simple services and applications, the encryption key is obtained by hashing the master password in order to at least slow down a brute-force attack. But the mathematical dependence of the key on the master password still simplifies hacking, the speed of which in this case depends only on the reliability of hashing. The use of farms made from ASIC processors designed for hacking is no longer uncommon. Therefore, in our case, the encKey key is not derived from the master password and is generated randomly.

Next, the encKey key is encrypted using the asymmetric RSA-OAEP algorithm. To do this, the Browser creates a pair of keys: a public pubKey and a private privKey. The encKey is protected using a public key and can only be decrypted using a private key.

There is no need to protect the pubKey public key, because it is not suitable for decryption, but the private privKey is a different story. To protect it from theft, access to it is blocked according to the PKCS#8 standard using the unlockKey passphrase, which in turn is the result of hashing the master password using the PBKDF2-HMAC-SHA256 function (100 thousand repetitions; adding salt and vault id ). If the master password accidentally matches an already stolen password from a website, adding salt will hide this fact and make it harder to crack. And thanks to repeated hashing of a sufficiently long master password, the complexity of cracking unlockKey is comparable to cracking the encKey key.

Encrypted passwords, their encrypted key encKey, encrypted private key privKey and public key pubKey is stored in the browser profile and synchronized with other user devices.

To make it easier to understand all this, here is a password decryption scheme:

This architecture using a master password has a number of advantages:

– The 256-bit storage encryption key is randomly generated and has high cryptographic strength compared to human-generated passwords.
– When brute-forcing the master password, the attacker will not know the result unless he goes through the entire chain (password-PBKDF2-RSA-AES). This is very long and very expensive.
– If the hashing function is compromised, we can switch to an alternative hashing option at any time while maintaining backward compatibility.
– If an attacker finds out the master password, then it can be changed without the complex and risky procedure of decrypting the entire storage, because the data encryption key is not associated with the master password, and therefore is not compromised.
– The encryption key is stored in encrypted form. Neither Yandex nor the attacker who stole the Yandex password will be able to access the synchronized passwords, since this requires a master password, which is not stored anywhere.

But the master password option has one “disadvantage”: the user may forget the master password. It's okay when it comes to specialized solutions, which are used by experienced users who are well aware of the risks. But in a product with a multimillion-dollar audience, this is unacceptable. If we do not provide a backup option, then many Yandex.Browser users will either refuse to use a master password, or one day “lose” all their passwords, and the Browser will be to blame for this (you will be surprised, but Yandex is often the last resort in a situation where the person forgot his account password). And coming up with a solution is not so easy.

How to reset the master password without revealing passwords?

Some products solve this problem by storing the decrypted data (or even the master password) in the cloud. This option was not suitable for us, because an attacker could steal the password for Yandex, and with it the passwords for all sites. Therefore, we needed to come up with a way to restore access to the password storage in which no one except the user himself could do it. Third-party password managers suggest creating backup file, which the user must independently store in a safe place. Good decision, but ordinary users will inevitably lose such backup keys, so with us everything is much simpler.

Let's remember the key dependency chain once again. The password storage is encrypted using a random encKey, which is not explicitly stored anywhere. This key is protected with private key privKey, which is also not stored explicitly and is in turn protected using a complex hash of the master password. When a person forgets the master password, he is effectively deprived of the ability to decrypt the privKey. This means that you can store a duplicate privKey as a backup. But where? And how to protect it?

If you place the decrypted privKey in the cloud, the security of the passwords will depend on your Yandex account. And that’s exactly what we didn’t want to allow. If you store it explicitly locally, then all protection with a master password loses any meaning. There is no place where you can safely store this key in explicit form. This means that it must be encrypted. To do this, the Browser creates a random 256-bit key that protects the duplicate privKey. Now comes the fun part. This random key is sent for storage to the Yandex.Passport cloud. And the encrypted duplicate remains stored in the local Browser profile. It turns out that neither in the cloud nor on the computer there is a ready-made pair for decrypting passwords, and security does not suffer.

With this option, it would be possible to reset the master password only where a duplicate privKey was created. We wanted to add this feature to synchronized devices. Create backup key On each device, manually is inconvenient: you can accidentally end up with the device on which you forgot to create a duplicate. You cannot send an encrypted duplicate to other devices using synchronization: the key to it is already stored in the cloud, and for security reasons they cannot be found in one place. Therefore, the encrypted duplicate privKey goes through another layer of encryption. This time using a hash of the master password. The master password is not stored in the cloud, so the resulting “matryoshka” can already be safely synchronized. On other devices, the first time you enter your master password, the additional layer of encryption will be removed.

As a result, when the user forgets the master password, he will only need to request a password reset through the browser and confirm his identity using the Yandex password.

The browser will request a key from Yandex.Passport, use it to decrypt the duplicate key privKey, use it to decrypt the key to the encKey storage, and then create a new pair of pubKey and privKey, the latter of which will be protected by a new master password. The password storage is not decrypted, which reduces the risk of data loss. By the way, you can also forcibly change the encKey and re-encrypt the data: just disable and re-enable the master password in the settings.

It turns out that only the user himself can reset the master password and only on that device, where he introduced it at least once. Of course, it is not necessary to create a backup key if the user is confident. You don’t even have to use a master password, although we don’t recommend giving it up.

The new architecture and master password are not the only changes in the new manager. As we said above, ease of use and advanced features are no less important.

New password manager

First of all, we've done away with the discreet gray bar that prompts you to save your password. The user will now see a prompt next to the password field. It's hard not to notice this.

And now you don’t have to look for the manager itself in the settings: the button is available in the main menu. The list of saved accounts now supports sorting by login, address and note. We have also added post editing.

Tip: Notes are a great alternative to tags because they are searchable.

And the Browser now helps you create unique passwords.

In the first beta version, we didn’t manage to do everything. In the future, we will support exporting and importing passwords for compatibility with popular third-party solutions. We also have an idea to add settings to the password generator.

Mobile password manager

Of course, new logic and support for the master password will appear not only on the computer, but also in the versions of Yandex Browser for Android and iOS. With a little adaptation. For example, you can use not only a master password, but also a fingerprint. We also prohibited programmatically taking screenshots on the page with a list of passwords - you don’t have to be afraid of malicious applications.

Today you can try the new password manager in

It takes only fifteen seconds for a user sitting at a computer to see a list of all the passwords you have said in Firefox or Thunderbird and saved them. The list appears clear as day. This may include webmail and forum passwords or server password Email. Using a master password is highly recommended to prevent browsing the list of passwords from such nosy users. By setting a master password, anyone using your profile will be prompted to enter the master password if they need access to your saved password. Although the master password in Firefox is a useful addition security, but it can soon become burdensome if you lose password, which you entered in master password. There is no way to simply view the file and copy your master password,there is no point to add master password, which can be found in the file.

Reset Master Password

If you have lost or forgotten your Master Password or you want to disable this feature, you can reset your Master Password. Reset master password to delete all saved passwords . After resetting, you will lose all saved data in the password manager, as this is a built-in security feature to prevent people from just resetting the master password, but to gain access to your passwords.

Firefox: Enter chrome://pippki/content/resetpassword.xul in the address bar (address bar), press the "Enter" key and the "Reset" button.
Thunderbird: select Tools -> Error Console", » insert the expression: openDialog("chrome://pippki/content/resetpassword.xul") and click on the calculate button. A dialog box will open asking if you want to reset your password.
Mozilla Suite/SeaMonkey: “Edit -> Preferences -> Privacy & Security -> Master Passwords -> Reset Password.”

The only way that could bring results would be brute force passwords. Success last method depends on the password you chose during installation master password.
Brute Force brute force is most likely to succeed if master password consists of existing words, words or names. But it won't be possible to find password, if the user entered a random one password with letters and numbers.
Brute Force Master Password in Firefox:
you can use software entitled FireMaster to try to use a brute force method to recover master password.
*FireMaster using various methods generates passwords on the fly.
*It then calculates the password hash using a known algorithm.
*This password hash is used to decrypt encrypted data for known plain text (eg "check password").
*Now, if you decrypt a string with known text (for example, "password checkbox"), then the generated password is the master password.
You can use the brute force method if you are almost are sure that you used the word or phrase. Passwords such as “X23n52fF: tht0_ete% v5” will not be able to be detected. Download and install the software FireMaster, you can use the following link FireMaster.