Protect: password encryption
Hackers try to steal passwords in order to access your personal data or e-wallets. It is best to encrypt stored passwords, so even if hackers steal your passwords, they won't be able to use them.
Password encryption in Yandex Browser
The password vault is encrypted using the AES-256-GCM algorithm, which uses a key. The AES-256 algorithm is considered reliable: the Department of Homeland Security in the USA recommends using it to protect Top Secret data.
However, even the most complex encryption algorithm will not protect your passwords if a hacker finds the encryption key. The master password lets you use very powerful encryption for the key.
The key is encrypted using the master password. If you forget your master password, you can reset it using a recovery key.
The master password is not stored on devices, so it can't be stolen. You don't have to worry about:
- Your password storage being stolen from your computer
- Losing passwords if your computer is lost or stolen
- Synced data stored on Yandex servers (the encryption is set up so that even Yandex cannot decrypt your passwords).
Without a master password, password storage is less reliable due to the following risks:
- Anyone who opens Yandex Browser on your computer can view your passwords in the password manager.
- Your encryption key is protected by your operating system, rather than a master password. If hackers get access to your computer, they can steal and decrypt your passwords.
- Yandex can access your passwords during syncing.
If you don't set a master password, Yandex Browser requests the password to your operating system account (if you have one) to access your passwords. This applies to the following actions:
| Action | System password entered correctly | System password entered incorrectly |
| --- | --- | --- |
| Copy a password | The password is copied to the clipboard | The password isn't copied |
| Change a password | The password edit window opens | The password stays unchanged |
| Create a master password | The window for creating a master password opens | No master password is created |
This is an additional security measure to make sure that the computer is being used by its owner, not by a stranger. This function works in Yandex Browser for Windows and macOS.
To learn more about password encryption, see Password encryption in Yandex Browser.
Master password
A master password provides an additional level of security for your passwords. After you create a master password, the browser will request it during an attempt to open the password vault or enter a previously saved website password in a login form.
Instead of a huge number of passwords from websites, you will only have to remember one master password. Passwords from websites will also be more secure. Access to the vault is locked by the master password, which cannot be stolen, because it's not stored on devices.
Create a master password
- Click → Passwords and personal data.
- Click Settings.
- Under Passwords and cards aren't encrypted, click Create master password.
- If you use your account password on that computer, enter it in the system password dialog window.
- Enter your master password, which should be at least 6 characters long. We recommend using passwords that are complex but easy to remember.
- Then re-enter it to confirm.
- In order to restore access to your password vault if you forget your master password, create a backup encryption key.
Now saving website passwords in Yandex Browser and accessing your password manager will require entering your master password. The master password isn't saved on the computer or the server. Only a key encrypted with it is saved.
Change a master password
- Click → Passwords and personal data.
- Enter your current master password.
- Click Settings.
- In the Passwords and cards are encrypted section, click Change master password.
- In the window that opens, enter your current master password.
- Enter your new master password, which should be at least 6 characters long. We recommend using passwords that are complex but easy to remember.
- Then enter it again to confirm.
After that, the key encrypted with the master password is re-encrypted and transferred to your other devices during the next syncing. The master password isn't saved on the computer or the server.
Delete a master password
- Click → Passwords and personal data.
- Enter your current master password.
- Click Settings.
- In the Passwords and cards are encrypted section, click Delete master password.
- In the window that opens, enter your master password to confirm.
After that, the browser will no longer request the master password to access passwords. During syncing, the master password will be deleted from other devices.
Frequency of master password requests
The browser requests your master password when you save new passwords, auto-insert passwords into a login form, or attempt to access your password vault. You can adjust the frequency of master password requests:
- Click → Passwords and personal data.
- Enter your current master password.
- Click Settings.
- In the Ask for master password to access saved passwords and bank cards field, select the desired frequency:
  - After the browser is restarted.
  - After the system has been logged out.
  - Once an hour.
  - Every 5 minutes.

  The more frequently the browser requests your master password, the more secure your password vault is.
- In the window that opens, enter your master password to confirm.
You can also disable master password requests. To do this, deselect the Ask master password to access saved passwords and bank cards option. After that, Yandex Browser will no longer request your master password to access your password vault. Additionally:
- Your master password is not deleted. It is recorded in the database in encrypted form. Your encryption key is saved on your computer and protected by your operating system.
- Passwords saved earlier remain encrypted by the master password. When you save a new password or decrypt an old one, Yandex Browser uses your old master password without requesting it again.
- During syncing, all your passwords are encrypted and sent to your other devices. They'll be used for login forms on these devices. To decrypt them, you'll need to enter your master password.
- You have to disable master password requests on each of your devices manually. This enhances the security of your data: even if someone else gets access to one of your devices, they will not be able to use your passwords.
If you forget your master password
If you forget your master password and you have a recovery key:
- When you're asked to enter your master password, click I forgot my password.
- In the window that opens, select Reset master password. Click Continue.
- Enter your new master password, which should be at least 6 characters long. We recommend using passwords that are complex but easy to remember.
- Enter your new master password again to confirm. Click Continue.
- On your Yandex ID page, enter your Yandex password.
- After you do this, your master password will be updated and all passwords in your vault will be re-encrypted.
If you forgot your master password and don't have a backup encryption key, Yandex Browser will not be able to restore your passwords. It will no longer insert them into login forms, and you will not be able to view them in the manager. The only thing left will be to delete your passwords along with the encryption key. If you use a password for your computer account, you will need to enter it to confirm your access rights to delete your passwords.
Backup encryption key
The master password serves to make your passwords more secure, but what if you forget it? The browser has a convenient and reliable feature to reset the master password.
The master password is only needed to decrypt the private key, so if you keep a copy of the private key (a spare encryption key), you can extract it and encrypt it with a new master password.
Some password managers suggest that the user prints out the recovery key (in some cases, as a QR code). This approach isn't secure enough, because the printout could be stolen or lost. That's why we store the spare encryption key on your device and encrypt it with another additional key, which we store on the server. You can access the key on the server only after entering your Yandex ID password. It's very unlikely that a hacker could steal all three: the spare key from the device, the key from the server, and your Yandex ID password.
If you forget your master password, you can only restore your passwords if you have a recovery key. To create one, you will need to enable syncing.
To change your master password, you'll need a recovery key and a special file. The file is created automatically when you enter your master password for the first time and is saved locally. That's why even Yandex can't decrypt your passwords.
To restore access, you must enter the password to your Yandex ID. The likelihood that a hacker could simultaneously steal the key from the server, the file from your device, and your Yandex ID password is very low.
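The key hierarchy described here and under "Change a master password", as an added Node.js sketch; it is not Yandex Browser's code. The scrypt key derivation, the blob layouts and all function names are assumptions, and the passwords and vault entry are constructed.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout (assumed): iv(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// Wrap the vault key under a key derived from the master password (scrypt is an assumption).
function wrapWithPassword(password, vaultKey) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 32);
  return Buffer.concat([salt, seal(kek, vaultKey)]); // only this blob is stored, never the password
}
function unwrapWithPassword(password, wrapped) {
  const kek = crypto.scryptSync(password, wrapped.subarray(0, 16), 32);
  return unseal(kek, wrapped.subarray(16));
}

// Change: unwrap with the old password, re-wrap with the new one.
function changeMasterPassword(oldPw, newPw, wrapped) {
  return wrapWithPassword(newPw, unwrapWithPassword(oldPw, wrapped));
}
// Reset: recover the vault key from the spare copy using the server-held key.
function resetMasterPassword(serverKey, spareCopy, newPw) {
  return wrapWithPassword(newPw, unseal(serverKey, spareCopy));
}

// Constructed demo: change the master password, then reset it without knowing it.
function demo() {
  const vaultKey = crypto.randomBytes(32);
  const vault = seal(vaultKey, Buffer.from('example.com:alice:constructed-secret'));
  const serverKey = crypto.randomBytes(32);    // stands in for the key held on the server
  const spareCopy = seal(serverKey, vaultKey); // stands in for the spare key on the device
  let wrapped = wrapWithPassword('old master', vaultKey);
  wrapped = changeMasterPassword('old master', 'new master', wrapped);
  let oldRejected = false;
  try { unwrapWithPassword('old master', wrapped); } catch { oldRejected = true; }
  wrapped = resetMasterPassword(serverKey, spareCopy, 'after reset');
  const entry = unseal(unwrapWithPassword('after reset', wrapped), vault).toString();
  return { oldRejected, entry };
}
```

In this sketch the vault ciphertext is never rewritten; only the wrapped copy of the vault key changes when the master password changes or is reset.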
To create a recovery key:
- Click → Passwords and personal data.
- Enter your current master password.
- Open Settings.
- In the Passwords and cards are encrypted section, click Enable master password reset.
- Enter your current master password and click Continue.
- In the window that opens, click Enable.
Note
If Yandex Browser syncing was disabled, a window will appear on the screen where you can enable it. Enter your Yandex ID username and password and click Enable syncing.
The browser will tell you that a recovery key was created.
To delete it, go to your password manager settings and click Disable option to reset master password.