Protect: password encryption

Hackers try to steal passwords in order to access your personal data or e-wallets. If your passwords are encrypted, hackers can't use them even if they steal the entire password database. The better your password encryption, the more securely you can surf the internet.

  1. Password encryption in the browser
  2. Master password
  3. Backup encryption key

Password encryption in the browser

The password vault is encrypted using the AES-256-GCM algorithm, which uses a key. The AES-256 algorithm is considered reliable: the Department of Homeland Security in the USA recommends using it to protect Top Secret data.

However, even the most complex encryption algorithm will not protect your passwords if a hacker finds the encryption key. The master password lets you use very powerful encryption for the key.

The key is encrypted using the master password. If you forget your master password, you can reset it using a recovery key.

The master password is only stored in your memory and can't be stolen. With a master password, you don't have to worry about the following:
  • Your password vault being stolen from your computer
  • Losing your passwords if your computer is lost or stolen
  • Your password vault being saved on Yandex servers (the encryption is set up so that even Yandex cannot decrypt your passwords).

For more information about password encryption, see the Password encryption in Yandex.Browser document.
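
The two-layer scheme this section describes (vault entries encrypted with AES-256-GCM under a key, and that key encrypted using the master password), as an added example that is not Yandex.Browser's code. It assumes scrypt to turn the master password into a key and AES-256-GCM to wrap the vault key, neither of which this page specifies; all function names and the sample entry are constructed for illustration.

```javascript
// Added example. Assumptions: scrypt as the password KDF, AES-256-GCM as the
// key-wrapping cipher. Function names are hypothetical.
const crypto = require('node:crypto');

// AES-256-GCM encrypt: returns the nonce, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every message
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: throws if the key is wrong or the blob was modified.
function unseal(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Derive a 256-bit key-encryption key (KEK) from the master password.
function deriveKek(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// A random vault key encrypts the entries; the KEK encrypts the vault key.
// Only salt, wrappedKey and encrypted entries are ever written to disk.
function createVault(masterPassword, entries) {
  const vaultKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  return {
    salt,
    wrappedKey: seal(deriveKek(masterPassword, salt), vaultKey),
    entries: entries.map((e) => seal(vaultKey, Buffer.from(e, 'utf8'))),
  };
}

// Returns the plaintext entries, or null when the master password is wrong
// or any stored blob fails GCM authentication (tampering or corruption).
function unlockVault(masterPassword, vault) {
  try {
    const vaultKey = unseal(deriveKek(masterPassword, vault.salt), vault.wrappedKey);
    return vault.entries.map((b) => unseal(vaultKey, b).toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample data.
const vault = createVault('correct horse battery', ['example.test:alice:s3cret']);
console.log(unlockVault('correct horse battery', vault));
```

A copy of the stored vault object contains no usable key material without the master password, which is the property the list above relies on.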

Master password

Your master password is used in the multi-step process of encrypting your passwords in the browser and also blocks access to your password manager. If you don't create a master password, then anyone who opens Yandex.Browser on your computer can easily view your passwords.

Create

Note. If you have syncing enabled, then refresh your Yandex.Browser immediately after you create your master password on all the devices you will use it on. Otherwise, your browser may not sync your passwords.
  1. Click   → Password manager.
  2. In the tab that opens, go to the Settings.
  3. Tap Create master password.
  4. If you use your account password on that computer, enter it in the system password dialog window.
  5. Enter your master password, which should be at least 6 characters long. We recommend using passwords that are complex but easy to remember.
  6. Then re-enter it to confirm.
  7. In order to restore access to your password vault if you forget your master password, create a recovery key.

Then you can save your password for sites in your browser and your password manager will only be accessible if you enter your master password.

Change

  1. Click   → Password manager.
  2. Enter your current master password.
  3. In the tab that opens, go to the Settings.
  4. Click Change master password.
  5. In the dialog box that opens, enter your current master password.
  6. Enter your new master password, which should be at least 6 characters long. We recommend using passwords that are complex but easy to remember.
  7. Then enter it again to confirm.

Delete

  1. Click   → Password manager.
  2. Enter your current master password.
  3. In the tab that opens, go to the Settings.
  4. Click Delete master password.
  5. In the dialog box, enter your master password to confirm.

Reset

If you forget your master password and you have a recovery key:

  1. In the form where you enter your master password, click I forgot my password.
  2. In the dialog box that appears, set the switch to Change master password. Click Continue.
  3. Enter your new master password, which should be at least 6 characters long. We recommend using passwords that are complex but easy to remember.
  4. Enter your new master password again to confirm. Click Continue.
  5. On your Yandex.Passport page, enter your Yandex password.
  6. After you do this, your master password will be updated and all passwords in your vault will be re-encrypted.

If you forget your master password and don't have an encryption key, the browser will not be able to restore your passwords. It will stop entering them into authorization forms and you will not be able to view them in the manager. The only thing you can do then is delete your passwords.

Frequency of master password requests

The browser requests your master password when you save new passwords, automatically insert passwords into an authorization form, or attempt to access your password vault. You can set how often your browser requests your master password:

  1. Click   → Password manager.
  2. Enter your current master password.
  3. In the tab that opens, go to the Settings.
  4. In the Request master password to access passwords field, select a frequency: after relaunching the browser, after restarting your computer, or once every hour or five minutes. The more frequently the browser requests your master password, the more secure your password vault is.
  5. In the dialog box, enter your master password to confirm.

You can also disable master password requests. Just disable the Request master password to access passwords option. As a result, the browser will stop requesting your master password when you want to access your password vault. Additionally:

  • Your master password is not deleted; it is recorded in the database in encrypted form. Your encryption key is saved on your computer and protected by your operating system.
  • Passwords saved earlier remain encrypted by the master password. When you save a new password or decrypt an old one, the browser uses your old master password without requesting it from the user.
  • During syncing, all your passwords are encrypted and sent to your other devices. On your other devices, these passwords will be inserted into authorization forms and you will need to enter your master password to decrypt them.
  • You have to disable master password requests on each of your devices manually. This is to protect you so that, for example, passwords on a device that a third party has access to cannot be accessed without your knowledge.

Backup encryption key

If you forget your master password, you can only restore your passwords if you have a recovery key. To create one, you will need to enable syncing.

To change your master password, you will need not only a recovery key but also a special file. This file is created automatically when you enter your master password for the first time and is saved locally. That's why even Yandex can't decrypt your passwords.

To restore access, you must enter the password to your Yandex account. The likelihood that a hacker could simultaneously steal the key from the server, the file from your device, and your Yandex account password is very low.

To create a recovery key:

  1. Click   → Password manager.
  2. Enter your current master password.
  3. In the tab to the left of your password list, click on the Settings link.
  4. Click Enable option to reset master password.
  5. Enter your current master password and click Continue.
  6. Click Enable in the dialog window that opens.
    Note. If browser syncing was disabled, a dialog box will appear on the screen suggesting that you enable it. Enter the username and password to your Yandex account and click Enable syncing.

The browser will tell you that a recovery key was created.

To delete a recovery key, go to your password manager settings and click Disable option to reset master password.