Only in your brain. Yith Library doesn’t store master passwords. It is very important that you don't forget yours: without it you won't be able to read your passwords, and because Yith Library doesn't store the master password, it can't help you reset it.
No. The master password is only used locally in your browser.
The first time you add a password to Yith Library, you will be asked for a master password; that is when it is set.
Yes. In the web client, under the advanced options, there is a button to change your master password.
We use the Advanced Encryption Standard (AES) with the Stanford Javascript Crypto Library (SJCL) implementation.
Yes and no. Using JavaScript to send an encrypted password over an insecure channel (such as HTTP) is not safe, because the JavaScript code that arrives at your browser travels over that same insecure channel and can be tampered with. That's why using JavaScript as a replacement for a secure TLS channel is a very bad idea. That's not what Yith Library does. For this reason, all resources sent to your browser are sent over TLS.
Having said that, JavaScript running in a browser is not the safest thing to run, since today's browsers do not have a good sandbox and malware installed on your computer could do nasty things. We hope to mitigate this problem using native browser crypto APIs such as the ones being standardised today.
We first use PBKDF2 (Password-Based Key Derivation Function 2) key derivation on the master password with 1000 iterations and a salt value. Then we use the AES algorithm in CCM (CTR mode with CBC MAC) mode with an initialization vector, a key size of 128 bits and a tag length of 64 bits.
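The scheme described above can be sketched with Node.js's built-in `crypto` module. This is an added example, not Yith Library's code and not SJCL; it is not wire-compatible with SJCL output. The iteration count, key size and tag length come from the text, while the HMAC-SHA-256 PRF, the 16-byte salt, the 13-byte nonce and all function names are assumptions.

```javascript
// Added example (not Yith Library's code): Node.js crypto stands in for SJCL.
const crypto = require('node:crypto');

// Parameters stated in the FAQ.
const ITERATIONS = 1000; // PBKDF2 iterations
const KEY_BYTES = 16;    // 128-bit AES key
const TAG_BYTES = 8;     // 64-bit CCM authentication tag
// Assumptions (not stated on the page): PBKDF2 PRF, salt size, nonce size.
const PRF = 'sha256';
const SALT_BYTES = 16;
const NONCE_BYTES = 13;

// Stretch the master password into an AES key. Nothing here is stored.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, KEY_BYTES, PRF);
}

// Returns everything a server would hold: salt, nonce, ciphertext, tag.
// The master password and the derived key are not part of the record.
function encryptSecret(masterPassword, secret) {
  const salt = crypto.randomBytes(SALT_BYTES);
  const nonce = crypto.randomBytes(NONCE_BYTES);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-128-ccm', key, nonce,
    { authTagLength: TAG_BYTES });
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the CCM tag does not verify
// (wrong master password or modified record).
function decryptSecret(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = crypto.createDecipheriv('aes-128-ccm', key, record.nonce,
    { authTagLength: TAG_BYTES });
  decipher.setAuthTag(record.tag);
  try {
    const pt = decipher.update(record.ct);
    decipher.final(); // throws if authentication failed
    return pt.toString('utf8');
  } catch (err) {
    return null;
  }
}
```

A failed tag check is the only signal that the master password was wrong, which is why a forgotten master password cannot be recovered from the stored record.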