Keyster's Core

A Keyster account essentially consists of a set of entries, one for each of your accounts. Each entry consists of several fields of metadata. The title, subtitle, and description are for your use — we recommend storing the website's name, your username, and important details in the respective fields. The other fields are parameters for password generation — the password's length, character set, and other items that we do not recommend modifying unless you are familiar with their use (see Hashing).

An important thing to remember is that you do not have to use Keyster for every trivial account you create. It is perfectly fine to use a memorized password for unimportant websites, but make sure it is not the master key.

Generating Passwords

Each entry also contains a randomly generated string of data, called a salt. When you enter your master key, it is combined with the salt and hashed. A hash is essentially an irreversible function: someone cannot determine a hash's input from its output. The hash of your master key and salt is used, along with the entry's specified length and character set, to generate a password. For hashing, Keyster uses the scrypt algorithm.

Because each entry has a different salt, you can use the same master key for every account and still get a different password for each. This provides two benefits:
  • Your account passwords will be much longer and more complex than anything you can remember in your head.
  • If one website is ever compromised, the attacker will have no way to log in to your other accounts. They also cannot derive any meaningful information from the password, such as the master key.

Your master key and generated passwords are never stored permanently; only salts are stored on your devices and Keyster's servers. Even if an attacker knows a password and its corresponding salt, they will not be able to derive the master key.

Scrypt is a hashing algorithm specifically designed to require a lot of computation. Taking 2 seconds to generate a password isn't majorly inconvenient for you, but it effectively prevents an attacker from brute-forcing your master key. Keyster allows users to set an entry's scrypt parameters to make it more computationally intensive and thereby harder to crack, but the default parameters will easily suffice.
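To make the derivation concrete, here is an added example in Python (not Keyster's own code): the master key and a per-entry salt go through scrypt, and the derived bytes select characters from the entry's character set, so only the salt and parameters need to be stored. The cost parameters, the 16-byte salt size and the two-bytes-per-character mapping are assumptions, since the page does not state Keyster's defaults or exact mapping.

```python
import hashlib
import secrets
import string

# Cost parameters are assumed for this example; the page does not state
# Keyster's actual defaults. N=2**14, r=8, p=1 needs 16 MiB and runs quickly.
DEFAULT_N, DEFAULT_R, DEFAULT_P = 2 ** 14, 8, 1
DEFAULT_CHARSET = string.ascii_letters + string.digits + string.punctuation


def new_salt(nbytes: int = 16) -> bytes:
    """Per-entry salt: random, stored alongside the entry, not secret."""
    return secrets.token_bytes(nbytes)


def generate_password(master_key: str, salt: bytes, length: int,
                      charset: str = DEFAULT_CHARSET,
                      n: int = DEFAULT_N, r: int = DEFAULT_R, p: int = DEFAULT_P) -> str:
    """Deterministically derive an entry's password from master key + salt.

    Re-running scrypt with the same master key, salt and parameters
    reproduces the password, so the password itself is never stored.
    """
    if not 1 <= len(charset) <= 65536 or length < 1:
        raise ValueError("need 1..65536 charset symbols and length >= 1")
    # Two derived bytes per output character: index = uint16 mod len(charset).
    # 65536 mod 94 = 18, so the modulo bias per character is about 0.14%.
    derived = hashlib.scrypt(master_key.encode("utf-8"), salt=salt,
                             n=n, r=r, p=p, dklen=2 * length)
    return "".join(
        charset[int.from_bytes(derived[2 * i:2 * i + 2], "big") % len(charset)]
        for i in range(length)
    )


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed example master key
    salt_a, salt_b = new_salt(), new_salt()    # two entries, two salts
    pw_a = generate_password(master, salt_a, 24)
    pw_b = generate_password(master, salt_b, 24)
    print("entry A:", pw_a)
    print("entry B:", pw_b)
    # Same master key + same salt always reproduces the same password;
    # a different salt yields an unrelated password for the same master key.
    assert pw_a == generate_password(master, salt_a, 24)
    assert pw_a != pw_b
```

Raising `n` (or `r`, `p`) is what the text means by making an entry more computationally intensive; it slows each derivation for you and for anyone guessing master keys.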
Your Keyster account is associated with a phone number, which you will need for authentication whenever you log in on a new device. If you ever lose your phone or switch phone numbers, make sure that you are logged in on another device; from there, you can mass export your entries and import them into a new account.

Keyster allows you to delete entries and modify the fields that do not affect the password — the title, subtitle, and description. These changes are kept for 30 days in your archive, where you can view and revert them. If anyone manages to get access to your account and tampers with your entries, the archive is a safeguard against that, so make sure to check it periodically.

Keyster is an ongoing project developed by the following: Kevin Higgs, William Wang