Master password

Where is my master password stored?

Only in your brain. Yith Library doesn't store master passwords. It is very important that you don't forget yours: without it you won't be able to read your passwords, and because Yith Library doesn't store the master password, it can't help you reset it.

Does my master password ever leave my computer?

No. The master password is only used locally in your browser.

How do I set my master password?

The first time you add a password to Yith Library you will be asked for a master password; that is when it is set.

Can I change my master password?

Yes. In the web client, under the advanced options, there is a button to change your master password.

Crypto

What algorithm do you use to cipher the passwords?

We use the Advanced Encryption Standard (AES) with the Stanford Javascript Crypto Library (SJCL) implementation.

I've been told that using Javascript for crypto is not safe. Is that true?

Yes and no. Using Javascript to send an encrypted password over an insecure channel (such as HTTP) is not safe, because the Javascript code that arrives at your browser can be tampered with, since it travels over that same insecure channel. That's why using Javascript to replace a secure channel set up with TLS is a very bad idea. That's not what Yith Library does: for this reason, all resources sent to your browser are sent over TLS.

Having said that, Javascript running in a browser is not the safest thing to run, since today's browsers do not have a good sandbox and malware installed on your computer could do nasty things. We hope to mitigate this problem using native browser crypto APIs such as the ones that are being standardised today.

What are the exact parameters you use with AES?

We first use PBKDF2 (Password-Based Key Derivation Function 2) key derivation on the master password with 1000 iterations and a salt value. Then we use the AES algorithm in CCM mode (CTR mode with CBC-MAC) with an initialization vector, a key size of 128 bits and a tag length of 64 bits.
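
The parameters above, as an added example that is not Yith Library's code and does not use SJCL: it uses Node.js's built-in crypto module to show the same construction and how the 64-bit tag rejects a wrong master password or a modified ciphertext. The PBKDF2 hash (SHA-256), the salt size, the nonce size and the function names are assumptions, since the FAQ does not state them.

```javascript
// Added example: Node.js built-in crypto, not SJCL and not Yith Library's code.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 1000;  // from the FAQ
const KEY_BYTES = 16;     // 128-bit AES key, from the FAQ
const TAG_BYTES = 8;      // 64-bit CCM tag, from the FAQ
const SALT_BYTES = 8;     // assumption: salt size is not stated in the FAQ
const NONCE_BYTES = 13;   // assumption: CCM nonce size is not stated in the FAQ
const PRF = 'sha256';     // assumption: PBKDF2 hash is not stated in the FAQ

// Stretch the master password into the AES key; only salt/iv/ct/tag get stored.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, KEY_BYTES, PRF);
}

function encryptSecret(masterPassword, secret) {
  const salt = nodeCrypto.randomBytes(SALT_BYTES);  // fresh per record
  const iv = nodeCrypto.randomBytes(NONCE_BYTES);   // never reuse with the same key
  const cipher = nodeCrypto.createCipheriv(
    'aes-128-ccm', deriveKey(masterPassword, salt), iv, { authTagLength: TAG_BYTES });
  // CCM allows exactly one update() call per message.
  const ct = Buffer.concat([cipher.update(Buffer.from(secret, 'utf8')), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the CBC-MAC tag does not verify
// (wrong master password, or the stored record was modified).
function decryptSecret(masterPassword, record) {
  const decipher = nodeCrypto.createDecipheriv(
    'aes-128-ccm', deriveKey(masterPassword, record.salt), record.iv,
    { authTagLength: TAG_BYTES });
  decipher.setAuthTag(record.tag);  // must be set before update() in CCM
  try {
    const pt = decipher.update(record.ct);
    decipher.final();               // throws if authentication failed
    return pt.toString('utf8');
  } catch (err) {
    return null;
  }
}
```

Because the key is derived only from the master password and the stored salt, nothing in the record lets a server recover the plaintext or reset the master password.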