where is the Master Password hash stored on a Mac?

MacHelp
Community Member

where is the Master Password hash stored on a Mac?


1Password Version: 7.3.1
Extension Version: Not Provided
OS Version: 10.14.6
Sync Type: teams

Comments

  • ag_ana
    1Password Alumni

    Hi @MacHelp!

    I am not sure I understand what you are referring to. Can you please elaborate on the question a little?

  • MacHelp
    Community Member

    /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/

    sqlindex-shm ??

    sqlindex-wal ??

    I already know how to crack the user.plist hash, but I'm looking for the location of the 1Password hash.
    I want to crack my master password; it has a full phrase and I want to see what kind of dictionary/rules would be able to crack it in a reasonable time.

  • ag_ana
    1Password Alumni
    edited August 2019

    @MacHelp:

    Thank you for the clarification. Neither your Master Password nor its hash is stored alongside your 1Password data, so there is no way to get this information from your disk.

    Note that a weak Master Password can be guessed regardless, so using a strong Master Password is definitely recommended.

  • MacHelp
    Community Member

    So the current Teams version of 1Password that syncs my secure data online to my different devices decrypts my data with my master password using a hashless system?
    Can you point me to documentation on how this is done?

  • Ben

    Our Security Design white paper should be able to help:

    1Password Security Design White Paper

    Ben

  • MacHelp
    Community Member

    Wow, thanks!
    OK, now may I ask if you plan to use quantum-safe encryption methods?

  • Ben

    @MacHelp,

    I'll quote from my colleague, @jpgoldberg, who explained the situation better than I could. Before I do, I think it is worth noting that quantum computing isn't currently a thing, and isn't something we anticipate seeing anytime soon.

    A quantum computer that poses a threat to the 4096-bit groups we use for SRP would pose a bigger threat to everything that you use 1Password for even if you didn't use 1Password. A machine that could do that would be able to break the keys used in site certificates and in code signatures used for all of the software that you use.

    Also, the big message about quantum computing is "don't panic". There are some promising post-quantum algorithms out there; the trick is making them efficient enough for practical use and getting them well-studied with rock-solid implementations. My personal favorite approach is supersingular elliptic curve isogeny, but that is probably because it is the one I understand the best (though my understanding is limited) and because it is fun to say "supersingular elliptic curve isogeny."

    Twenty years ago when Shor's algorithm was first published, nobody knew how fast or slow development of practical quantum computers would be. We all had guesses, but the development has been slower than almost everyone guessed. It has certainly moved at the slow end of what I'd imagined. Even if the pace picks up substantially (and recent press reports and developments do make me think it has), we have time. We need to be working on practical post-quantum algorithms (and people have been doing so for 20 years), but I'm confident that these will be in place long before any practical quantum computer becomes a threat.

    In short: I don't know that there is a 'yes' or 'no' answer to your question. We'll continue to evaluate what threats our customers face and how we can best help them protect themselves from said threats.

    Ben

  • jpgoldberg
    1Password Alumni
    edited August 2019

    A shorter answer than the entire 1Password Security Design document about why there is no password hash is as follows:

    • Your Master Password, Secret Key (and some non-secret information such as salt, your email address) are used to derive a key (or two). Let's just talk about one of the derived keys and call it a Key Encryption Key.
    • The KEK is the result of a password hashing algorithm, but unlike a password hash, it is never ever stored anywhere.
    • Unlike verifying a password (in which the result of hashing a password is compared with something stored), the KEK is used as an encryption key.
    • The KEK is used to encrypt another key, which in turn is used to encrypt a key that is used to encrypt a key that encrypts your data. (There are reasons for the long chain of keys that don't matter here.)

    In contrast, with a "normal" password hash the software sees whether the stored and computed hashes match, and if they do the software grants you access to something that it has the power to grant you access to. That is a fine model for many systems, but in those cases the operators of the system have access to your stuff and can grant themselves access to it. This is why those systems can let you back in even if you have forgotten your password. But with the way we do things, it is mathematically impossible to decrypt your data without your Master Password or Secret Key.

    The good thing about this is that it means that neither we, nor anyone who compromises us, can decrypt your data. The bad news is that if you forget your Master Password or lose your Secret Key there is nothing we can do about it. (We do support recovery mechanisms, but only designated individuals within your family or business can decrypt the keys needed to do that. Getting that and sharing to work is one of the several reasons for the long chain of keys.)

    OK. Maybe I am incapable of explaining this briefly.
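
To make the key chain jpgoldberg describes concrete, here is an added, constructed Python model. It is not 1Password's code and does not reproduce its actual algorithm: the PBKDF2-plus-HMAC way of combining the Master Password and Secret Key, the toy HMAC-based authenticated cipher, the iteration count and the field names are all assumptions made for illustration. What it shows is the design point of the thread: the only things persisted are a salt, a wrapped vault key and encrypted items; a wrong Master Password or Secret Key is caught by the wrap's authentication tag, not by comparison with a stored hash; so there is no "password hash" on disk to locate.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of the key chain discussed above: a Key Encryption
# Key (KEK) derived from the Master Password and Secret Key wraps a vault key, and
# the vault key encrypts the items. Nothing derived from the password is stored.
# This is NOT 1Password's actual scheme; every parameter here is an assumption.

PBKDF2_ITERATIONS = 100_000  # assumed value, not taken from the page


def derive_kek(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte KEK from the Master Password, Secret Key and salt."""
    pw_material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    # Mix in the Secret Key so the password alone is not enough to derive the KEK.
    return hmac.new(secret_key, pw_material, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy construction, stdlib only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one wrapping key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key fails here, not against a stored hash."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def create_vault(master_password: str, secret_key: bytes) -> dict:
    """Everything that lands on disk: salt, wrapped vault key, items. No password hash."""
    salt = secrets.token_bytes(16)
    vault_key = secrets.token_bytes(32)
    kek = derive_kek(master_password, secret_key, salt)
    return {"salt": salt, "wrapped_vault_key": seal(kek, vault_key), "items": []}


def unlock(vault: dict, master_password: str, secret_key: bytes) -> bytes:
    """Re-derive the KEK and unwrap the vault key; raises ValueError on wrong credentials."""
    kek = derive_kek(master_password, secret_key, vault["salt"])
    return open_sealed(kek, vault["wrapped_vault_key"])


def add_item(vault: dict, master_password: str, secret_key: bytes, plaintext: bytes) -> None:
    """Encrypt one item under the vault key (which is itself never stored in the clear)."""
    vault_key = unlock(vault, master_password, secret_key)
    vault["items"].append(seal(vault_key, plaintext))


def read_items(vault: dict, master_password: str, secret_key: bytes) -> list:
    """Decrypt all items; only possible with both the Master Password and the Secret Key."""
    vault_key = unlock(vault, master_password, secret_key)
    return [open_sealed(vault_key, blob) for blob in vault["items"]]


def stored_fields(vault: dict) -> list:
    """The persisted field names: none of them is a hash of the Master Password."""
    return sorted(vault)
```

The point to notice in `open_sealed` is that the check is an authentication tag over ciphertext produced with the derived key: an incorrect password yields a different KEK, the tag does not verify, and nothing on disk lets an observer test a guess without re-running the full derivation and unwrap. A server-side recovery of the kind jpgoldberg contrasts this with would require the operator to hold something derived from the password, which this layout never writes out.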

  • MacHelp
    Community Member
    edited August 2019

    Thank you guys for all of the great info. I have safely stored all of my high-profile clients' most sensitive data in 1Password for many years.
    I do want to challenge your dev team to maybe sign up for a cloud quantum machine, [link removed]
    and begin to develop towards quantum resistance and quantum safety, because it's happening already for some web protocols in our world.
    Leaders like you guys need to be ahead of this curve.
    Rigetti will most likely grant you access, and they even gave my company $5,000.00 in usage credits to get started.
    These guys (Rigetti) are ahead with the only SSH-access cloud of 128 qubits...

    keep being awesome!

    Carey James
    www.careyjames.com

  • Ben

    Thanks for the kind words and feedback, @MacHelp.

    Ben

This discussion has been closed.