Protect: password encryption

Users rarely save passwords in the browser, for fear that they can be stolen by hackers or seen by someone else who is at the computer. The Yandex Browser encryption scheme protects user passwords from both of these risks.

  1. Password encryption in the browser
  2. Master password
  3. Recovery key

Password encryption in the browser

Passwords are encrypted using the AES-256-GCM algorithm. AES is considered reliable: it is the first and only publicly accessible cipher approved by the National Security Agency (NSA) for top secret information.

The security of the encryption key is of primary concern for password protection. If an attacker discovers this key, they can easily decrypt the entire password database, regardless of how sophisticated the encryption algorithm is. A master password lets you protect the encryption key. Even if malware can steal the encryption key, it can't use it, because access to the key is locked by the master password.

The encryption key is encrypted with a master password. The master password is known only to you. It is not saved on the computer, so it can't be stolen from it. If you forget the master password, you can reset it with a recovery key.

Encryption with a master password gives you the following benefits:

  • An outsider who gets access to the computer will not be able to use the passwords.
  • Loss or theft of the password database does not mean that all the passwords must be changed immediately.
  • No one, including Yandex, can access your passwords during synchronization.
  • The passwords in the database are better protected. Even if malware can steal the encryption key, it can't use it, because access to the key is locked by the master password.
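
The scheme described above (password entries encrypted with AES-256-GCM under a data key, which is itself encrypted under a key derived from the master password), as an added example that is not Yandex Browser code. The scrypt KDF and its parameters, the store layout and all function names are assumptions; the page names only AES-256-GCM.

```javascript
// Added illustration, not Yandex Browser code. The KDF (scrypt), its
// parameters and the store layout are assumptions; the page names only AES-256-GCM.
const crypto = require('node:crypto');

// AES-256-GCM encrypt: returns nonce, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: throws if the key is wrong or the data was modified.
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Key-encryption key derived from the master password; it is never stored.
function deriveKek(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// New store: a random data key, kept only in wrapped (encrypted) form.
function createStore(masterPassword) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  const wrappedKey = seal(deriveKek(masterPassword, salt), dataKey);
  return { store: { salt, wrappedKey, entries: {} }, dataKey };
}

// Returns the data key, or null when the master password is wrong.
function unlock(store, masterPassword) {
  try {
    return unseal(deriveKek(masterPassword, store.salt), store.wrappedKey);
  } catch {
    return null;
  }
}

function savePassword(store, dataKey, site, password) {
  store.entries[site] = seal(dataKey, Buffer.from(password, 'utf8'));
}

function readPassword(store, dataKey, site) {
  return unseal(dataKey, store.entries[site]).toString('utf8');
}
```

When unlock() returns null for a wrong master password, that is the GCM tag check failing on the wrapped key, which is why a copied store alone does not yield the site passwords.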

See also Password encryption in Yandex Browser.

Master password

A master password provides an additional level of security for your passwords. After you create a master password, the browser requests it whenever you try to save a password on a website, enter a password into a login form, or open the password storage.

Instead of a huge number of website passwords, you only have to remember one master password. Your website passwords will also be more secure: access to the storage is blocked by the master password, which cannot be stolen, since it's stored only in your memory.

Create a master password

Note. After you create a master password, it is best to update Yandex Browser on all of your devices so that password sync works correctly.

  1. Click   → Password manager.
  2. Go to Settings.
  3. Click the link Create master password.
  4. If you have a Windows user password, enter it to start creating the master password.
  5. Enter a master password containing at least 6 characters. We recommend using passwords that are complex but easy to remember.
  6. Re-enter it to confirm.
  7. Create a recovery key to restore access to the password storage if you forget the master password.

Change a master password

  1. Click   → Password manager.
  2. Enter the current master password.
  3. Go to Settings.
  4. Click the link Change master password.
  5. Enter the current master password.
  6. Enter a new master password containing at least 6 characters. We recommend using passwords that are complex but easy to remember.
  7. Re-enter it to confirm.

Delete a master password

  1. Click   → Password manager.
  2. Enter the current master password.
  3. Go to Settings.
  4. Click the link Delete master password.
  5. Enter the master password to confirm.

The master password will then be deleted from the computer. At the next sync it will also be deleted from all other synced devices.

Resetting a forgotten master password

If you forget the master password and you have created a recovery key:

  1. In the dialog box for entering the master password, click the button I forgot my password.
  2. In the dialog box that opens, choose Reset master password.
  3. Enter a new master password containing at least 6 characters. We recommend using passwords that are complex but easy to remember.
  4. Re-enter it to confirm.
  5. Confirm your identity by entering your Yandex account password.
  6. The master password will be updated and all the passwords in the storage will be encrypted with the new master password.

If you forget the master password and you haven't created a recovery key, the browser will not be able to decrypt your passwords. You will have to delete them from the storage.

Time to block storage

You can change the time after which the browser blocks access to password storage and requests a master password during an attempt to access it:

  1. Click   → Password manager.
  2. Enter the current master password.
  3. Go to Settings.
  4. Enable the option Master password required to access saved passwords and choose the required time: after the browser is restarted, after you log out of the system, once an hour or every 5 minutes.
  5. Enter the master password to confirm.

Recovery key

If you forget the master password, you can restore access to your passwords only if you have previously created a recovery key. To create one, syncing must be switched on in the browser.

To reset the master password, you need a recovery key and a special file. The file is created when you enter the master password for the first time and is never synced, so even Yandex cannot decrypt your passwords.

When resetting the master password, you have to enter your Yandex account password. It's unlikely that a third party will be able to get the file from your device and the password from your account simultaneously.

To create a recovery key:

  1. Click   → Password manager.
  2. Enter the current master password.
  3. Go to Settings.
  4. Click the link Enable option to reset master password.
  5. Enter the master password to confirm.
  6. Click the button Enable. If browser syncing is disabled at the moment, enter your Yandex username and password and click the Enable syncing button.

To delete the recovery key, click the link Disable option to reset master password.