
Increased security by using a Secret Key

jlanis
Community Member

I currently am on the Standalone license, but am considering moving to a subscription plan. I have a question about the "Secret Key", and I'll phrase the question using the following hypothetical example:

Let's assume that my current master password is fairly strong (i.e., something like mVhe#YgZPv!z89, which has ~71 bits of entropy).

Now, let's assume that I move to a subscription plan with a Secret Key, and change my master password to something very basic, like 1234. As I understand it, the combination of Secret Key (128 bits of entropy) + 1234 (6 bits of entropy) means that the total # of entropy bits is actually better than before.

Therefore, in a scenario where your servers get hacked and database stolen, having a Secret Key in this example would actually make it more difficult for a hacker to obtain the passwords with a brute force attack. Is this assumption correct?


Comments

  • AGAlumB
    1Password Alumni

    @jlanis: No. Definitely don't do anything like that. While you're correct that the purpose of the Secret Key is to protect you from an attack against us, using a weak Master Password is not an acceptable option.

    Let's just say you did what you're describing. Maybe someone steals your encrypted data from our server. That data is probably still safe, but it would be trivial for them to try a pregenerated list of really bad passwords as they try to guess the Secret Key. Of course, they still have to guess both. But you're making a significant portion of that much easier for them. And, honestly, why would they go after the server at all? Since they would be able to get both the Secret Key and Master Password from you directly, it would be way better for them to just go to you, for example by stealing your device, or using a malware or a phishing scam to get what they need.

    Not to mention, anyone who gets a hold of one of your devices -- family, friends, coworkers, a stranger -- would only need to guess your Master Password in order to access your data. I can only imagine that something like "1234" would be one of the first things they'd try, just because it would be stupid not to.

    That said, there is a minimum of 10 characters for the Master Password of a 1Password account, so that makes some difference. But again, I'd encourage you to use a long, strong, unique Master Password -- the best you can manage -- since ultimately that will be the difference between someone unwanted accessing your data or not, as a practical matter.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • jlanis
    Community Member
    edited April 2019

    Let's just say you did what you're describing. Maybe someone steals your encrypted data from our server. That data is probably still safe, but it would be trivial for them to try a pregenerated list of really bad passwords as they try to guess the Secret Key. Of course, they still have to guess both. But you're making a significant portion of that much easier for them.

    @brenty You're implying that in this specific scenario, the secret key is less significant than the master password. Is that true - and if so, why? I'm assuming that virtually all master passwords used in the real world will not have the same level of entropy as the secret key. Hence, the secret key will virtually always be stronger than the master password, hence making the secret key the "significant portion", for this particular scenario (I am purposefully ignoring the other "local" scenarios you mentioned, as I understand the risks involved and the fact that the master password would play a more important role there).

    The reason I am phrasing the question in this specific way is to verify my assumption about how the secret key works is correct. :)

  • Lars
    1Password Alumni
    edited April 2019

    @jlanis - in a 1password.com account, your Secret Key protects you if WE get hacked and your 1Password data is thereby stolen from the 1password.com servers. But it does literally nothing for you if YOU get hacked. If you leave your smartphone on a bus or in a cafe, or your laptop gets stolen at the airport or whatever, a thief will work directly on the local copy of your 1Password data, which is protected in that case ONLY by your Master Password, not your Secret Key (well, the Secret Key still is in play, but a copy of it exists on each device you run 1Password on, so the thief will already have it).

    You're welcome to say you're "purposefully ignoring the local scenario," but WE don't have that luxury. 1password.com accounts haven't been around too long (they debuted in December 2015), but in the time they have been around there have been ZERO instances of our servers being hacked and users' encrypted 1password.com data being leaked/stolen. How many losses/thefts of people's devices do you suppose have happened in that same time period? I don't know the exact answer, but even if you limit it to only those people who use 1Password, I'm 100% certain the number of lost or stolen devices since December 2015 is considerably higher than zero. The point here is: "low-tech" theft such as smashing a car window and grabbing a phone on the dash or a purse on the seat that has a phone in it is MUCH more commonplace in the real world than someone mounting a successful frontal assault on our well-defended servers.

    That's why our only responsible answer to your question can be: no, don't under any circumstances make your Master Password 1234 or anything else that's similarly easy to crack; it's terrible security practice, even if you believe you aren't likely to be the victim of "local" device loss or theft. Instead, follow our best practices for creating a strong Master Password.

    [As a side note, a four-digit password like that consists of ten thousand permutations if using only numerals. That number (10,000) can be brute-force picked in less than a second by any modern smartphone, let alone a fancy desktop rig with multiple GPUs tuned for password-cracking. In terms of security defenses against a local attack, you'd be as well off using an unprotected Excel spreadsheet for your passwords as you would be using 1Password with a four-character password consisting of only digits.]
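    The two scenarios Lars describes (attacker steals the server-side data and lacks the Secret Key, versus attacker steals a device and already has it) can be made concrete with a small model. The following is an added example, not 1Password's own code and not its actual key-derivation scheme: the derivation (PBKDF2 of the password XORed with an HMAC of the Secret Key), the 128-bit Secret Key, the stored verifier, the candidate list and the iteration count are all constructed for illustration. It also adds a character-class entropy estimate, which is a generalization of the bit counts quoted in the thread rather than the thread's own numbers.

```python
"""Illustrative model of a password-plus-Secret-Key derivation (added example,
hypothetical construction, not 1Password's real scheme). Shows why a high-entropy
Secret Key only helps against an attacker who does not already possess it."""
import hashlib
import hmac
import math
import secrets
import string

ITERATIONS = 1_000        # kept low so the demo runs quickly; real KDFs use far more
SECRET_KEY_BITS = 128     # assumption: Secret Key modelled as 128 uniformly random bits


def derive_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Hypothetical mixing: slow password hash XOR a keyed hash of the Secret Key.
    Guessing either input alone leaves the other 256-bit term unknown."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    sk_part = hmac.new(secret_key, salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check(key: bytes) -> bytes:
    """What the server (or local vault) stores: a verifier for the key, not the key."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def crack_local(check: bytes, salt: bytes, secret_key: bytes, candidates):
    """Stolen device: the Secret Key is on the device, so only the password is unknown.
    Returns the recovered password, or None if no candidate matched."""
    for pw in candidates:
        if hmac.compare_digest(key_check(derive_key(pw, secret_key, salt)), check):
            return pw
    return None


def crack_server(check: bytes, salt: bytes, candidates, key_guesses: int):
    """Server breach: attacker has salt and verifier but must guess the password
    AND the Secret Key. Even a perfect password guess fails without the key."""
    for pw in candidates:
        for _ in range(key_guesses):
            guess = secrets.token_bytes(SECRET_KEY_BITS // 8)
            if hmac.compare_digest(key_check(derive_key(pw, guess, salt)), check):
                return pw, guess
    return None


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy: len * log2(size of the character classes actually used).
    For '1234' that is 4 * log2(10), about 13.3 bits; a dictionary guess is cheaper still."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every value of a 'bits'-bit search space."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(SECRET_KEY_BITS // 8)
    verifier = key_check(derive_key("1234", secret_key, salt))
    common = ["password", "123456", "1234", "qwerty"]   # constructed candidate list
    print("local attacker (has Secret Key):   ", crack_local(verifier, salt, secret_key, common))
    print("server attacker (no Secret Key):   ", crack_server(verifier, salt, common, key_guesses=200))
    for pw in ("1234", "mVhe#YgZPv!z89"):
        bits = password_entropy_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits alone, ~{bits + SECRET_KEY_BITS:.1f} with Secret Key;"
              f" exhausting {bits:.1f} bits at 1e9 guesses/s takes {seconds_to_exhaust(bits, 1e9):.2g} s")
```

    Run stand-alone it recovers "1234" immediately in the local scenario and never in the server scenario within the guess budget, which is the asymmetry the thread turns on: the Secret Key's 128 bits are added to the attacker's work only when the attacker does not hold the key, and a device thief does.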

  • gazu
    Community Member

    I am purposefully ignoring the other "local" scenarios you mentioned, as I understand the risks involved and the fact that the master password would play a more important role there

    @jlanis Your understanding of how the secret key works is indeed correct.

    If you exclude local scenarios then the secret key alone is sufficient to protect your data.

    If you include local scenarios (which iOS defends better against than Android) then having a strong master password is important as it'll stop things like brute force attacks etc. As you're no doubt aware an attacker would still have to bypass your OS protections before they could even begin to start attempting to break into your 1Password data and enabling features like "Data Protection" (wipe after 10 incorrect password attempts in the OS) would thwart most attackers - unless somehow the data is forensically extracted.

  • Lars
    1Password Alumni

    @gazu - I'm not going to offer comment on your reply, I'll just reiterate that it's a bad idea to intentionally lower your own security by reducing the strength of your Master Password, and it would be malpractice for us as a security company to recommend it under any circumstances I can think of off the top of my head.

  • gazu
    Community Member

    I'm not going to offer comment on your reply, I'll just reiterate that it's a bad idea to intentionally lower your own security by reducing the strength of your Master Password...

    @Lars, the question posed by @jlanis was hypothetical to verify his/her understanding of how the secret key works. Nowhere did he suggest that he was going to change the master password to something insecure.

    I feel it's a shame he wasn't given a direct, honest answer - along the lines of 'yes, you're correct - but don't do it because it exposes you to other attacks'. That wouldn't constitute a 'recommendation' but it would've answered his question without skirting around the issue. ;)

    He wasn't asking whether he should change it to something short and he specifically addressed the reason behind his question:

    The reason I am phrasing the question in this specific way is to verify my assumption about how the secret key works is correct.

  • Ben

    I'm not entirely sure of what, specifically, the question is at this point, if one remains. Could you please clarify?

  • AGAlumB
    1Password Alumni
    edited April 2019

    @gazu: I think you're right that I -- not Lars -- got a bit sidetracked by this statement:

    let's assume that I move to a subscription plan with a Secret Key, and change my master password to something very basic, like 1234

    But I do think I covered the rest as well. jlanis summated by saying,

    in a scenario where your servers get hacked and database stolen, having a Secret Key in this example would actually make it more difficult for a hacker to obtain the passwords with a brute force attack. Is this assumption correct?

    And my reply began with the following:

    you're correct that the purpose of the Secret Key is to protect you from an attack against us

    Happy to clarify though if jlanis has a question about my reply to them, or if you have a question about 1Password yourself. :)
