Sesame doesn’t use a server, and doesn’t store your existing passwords, which begs the question: how does this all work?
It Begins With a Number
Sesame uses the industry-standard “Sodium” cryptographic library to generate a 72-bit random number, which is then encoded as a sequence of simple words. This becomes your passphrase. It is shown to you so that you can memorise it, and we recommend that you write it down, put it in a sealed envelope and store that somewhere safe (preferably in an actual safe), just in case you need it again.
We then use your passphrase to deterministically generate a unique password for each service that you use. For example, to generate your Facebook password, we hash a string that includes the Facebook URL, your username and a nonce, using the Argon2id algorithm, with a secret generated from your passphrase.
No Server Required
This means that Sesame does not require a back-end server. Your list of accounts and usernames stays on your device, where it is encrypted and stored securely. And Sesame does not even store your passwords, because we don’t allow you to choose your own passwords at all; instead, Sesame generates each of your passwords each time you view them. This means that if you use Sesame on a new device then you’ll get the same passwords, provided you use the same passphrase and enter the same accounts and usernames.
It’s a simple solution to the two big problems that we’ve identified after speaking with friends and family about how they manage their passwords:
- Regular people tend to choose really weak passwords and re-use the same password for different purposes.
- They also proceed to write all their passwords down somewhere and keep that list easy to hand.
Simple to Remember and Easy to Type
Another problem that we’ve noticed is that really strong passwords are often hard to remember and hard to enter if you need to type them in. Sesame fixes this by generating strong passwords that are easy to remember and simple to type in, by preferring passwords that are just a sequence of lowercase words.
This is not always possible, however, due to arcane password rules that many services enforce, such as the need to include punctuation and numbers. Sesame does its best to generate passwords that fulfil these criteria by making sure that they include the minimum set of characters needed to be compliant while still keeping each password memorable and typeable!
We hope you enjoy using Sesame yourself, or setting it up for a less technical friend or family member.