John the Ripper and 1Password

2»

Comments

  • MikeMcFarlaneMikeMcFarlane Junior Member
    edited August 2012
    jpgoldberg wrote:

    One thing to keep in mind is that cautious is good; panicked is bad. Panicked people tend to make poor security decisions, usually by focusing on the wrong threats.

    Cheers,

    -j


    [joke] But panic is so much fun! [/joke]

    That's why I asked the question and so valued the reasoned responses from yourself and others. And am just posting a new question to try and help me stay better informed so I don't panic.
  • Jeff,

    Thanks for answering my questions.

    Whilst I've been giving my brain a workout over security, I've finally done what I have been thinking about doing for some time now: tidied up my security with a strong master password, followed by changing my login passwords and beefing them up where needed.

    In all of it, the biggest hurdle was grasping the fact that my old, brilliantly devious and unique master password was not as trustworthy as it seemed to me. At a minimum it was of unknown and unknowable trustworthiness, since I have no way of telling how many other people's minds run along the same tracks as mine. It may have been unshakably strong but there's no way I could ever be sure of that. I have traded it in for a good diceware one, for the advantage of being able to put a precise number on its strength. Together with some (layman's) understanding of the various other components of 1Password I now have a reasonable (and somewhat measurable) sense how safe my secrets — such as they are — are.
  • Mat Honan has a follow up article that bittersweetly describes how 1Password was more of a hinderance than a help in the case of recovering from his hack: http://www.wired.com/gadgetlab/2012/08/mat-honan-data-recovery/
  • sddawsonsddawson Member
    I'm not sure that's a completely fair representation of the article. At the beginning, he does say:


    But I didn’t have it on any of our other systems. So now I couldn’t get to my keychain. And so I was stuck in a catch-22. My Dropbox password was itself a 1password-generated litany of nonsense. Without access to Dropbox, I couldn’t get my keychain. Without my keychain, I couldn’t get into Dropbox.



    But at the end he says:


    [font=Arial, Verdana, sans-serif]Dropbox and 1Password re-opened every door for me in a way that would have been impossible if I were just storing passwords locally via my browser.[/font]



    I do have some concerns with using Dropbox to sync the 1P keychain. But given the absolute need to have strong and unique passwords across so many sites, 1P is probably indispensable. And if Mat had been using local wifi syncing rather than Dropbox syncing, he would have lost access to all his 1P data. Maybe not if he'd been doing backups of his laptop though!

    I think the lessons here are:

    If you don't use Dropbox syncing, make sure you have adequate backups of your 1P data.

    If you use Dropbox syncing, you MUST know your Dropbox password. If it's a strong one you can't remember, then at least write it down somewhere, even if it's in your basement!

    There are so many lessons to be learnt form all the Agilebits blog posts and Mat's experience...
  • Indeed.

    My concern is if Agilebits start offering storage of your 1P keychain on iCloud. Imagine they already did and Dropbox support didn't exist. No doubt Mat would have used the iCloud storage, which presumably would have been difficult to provide a local backup copy for (not that Mat would have done anyway). Then he would have had no way to access his passwords...

    I'd like the convenience of iCloud storage of my 1P keychain so I would not have to install an additional third-party application on all of my devices (if I want cloud syncing). However, Mat's case shows you really are putting all your eggs in one basket in this configuration. Perhaps we should be using memorable passwords for all of our important accounts?
  • sddawsonsddawson Member
    I suppose that would just highlight the need to backup the keychain backups that 1P performs automatically!
  • khadkhad Social Choreographer

    Team Member
    edited August 2012
    iCloud data is stored locally on the drive. It's a bit hidden, but it is definitely stored locally:

    ~/Library/Mobile Documents
    


    Since nearly every backup solution will at least back up your Home folder (if not your entire drive) and the iCloud data is located in your Home folder...your iCloud data is backed up if you are backing up your Mac.

    Interestingly, if you navigate to that folder in Finder, the window title even changes to "iCloud" with a cloud icon. Perhaps Apple is planning on exposing this more in Finder in the future.

    I've noted it elsewhere, but in my estimation the point of Mat's latest Wired article is simply: Backup. Backup. Backup. If you backup, you will have access to your 1Password data. And if you use 1Password to store strong, unique passwords for every website (that you could not possible remember yourself) you are far better off.

    I'm not sure how many Logins you have, but if you can remember hundreds of completely unique passwords in your head then more power to you. I prefer the security and convenience of ⌘\ in my browsers. :P
  • MikeMcFarlaneMikeMcFarlane Junior Member
    I just read this article on ArsTechnica that goes into a bit more detail on how passwords are cracked with modern systems and access to large amounts of real world data to fine tunes their brute force methods. At least [font=helvetica, arial, sans-serif]PBKDF2 will still help.[/font] There are some clever people out there!

    Why passwords have never been weaker—and crackers have never been stronger
  • JimAJimA Junior Member
    Reading your article, particularly about the fact that John the Ripper is exploiting information about the format of the 1password keychain, has me a little concerned about one of my personal practices.

    Despite having read many times your admonitions of not reusing passwords, I have done so many times. They are what I call "nuisance passwords" - username/password combinations for forum sites, recipe sites, etc. where I really don't care if someone guesses my password. Many of these sites just let me click "Remember me" and store a cookie on my computer and I don't ever have to log in again. So I have one or two of these nuisance passwords that I've used probably at 50 sites. And they are in my 1password keychain.

    What I am wondering is if this repetition of the same password, combined with an attacker's knowledge of the keychain format, will make it easier to crack my master password. If so, I guess I'd better get to changing or deleting those repetitive, nuisance passwords.
  • sddawsonsddawson Member
    @MikeMcFarlane - thanks so much for pointing to that article. I found it incredibly interesting. Of course, it's worrying too, but being informed is at least half the battle!

    @JimA - it would be nice for Agilebits to confirm, but I don't see that knowledge of any of your passwords in any way compromises the integrity of your 1P keychain. It can't be used to "work backwards" in any way. I'm certainly in the same boat as you. I recently spent at least 2 days going through my 900-odd keychain entries, and changing the password on many, many sites that were in any way related to anything financial or personal. I'm still left with a lot of sites that use pretty much the same password (I won't make that mistake again) - mostly forums etc. It would just take too long to change them all, and I don't deem them as being a risk in any way.
  • khadkhad Social Choreographer

    Team Member
    Thanks for the link, Mike! In case you missed it, we did a follow up blog post of our own on that great Ars Technica article:

    http://blog.agilebits.com/2012/08/22/on-ars-technicas-most-excellent-comprehensive-review-of-password-security/

    JimA, welcome to the forums! As sddawson mentioned, the issue in the case of reused per-site passwords doesn't necessarily directly impact anyone's ability to crack your 1Password master password, but if any one of those sites is breached or otherwise leaks your password, it could certainly be problematic if you have reused your master password on any of the sites. Additionally, knowledge of one of the passwords you have created yourself (as opposed to randomly generated) could give a cracker insight into the way you may have constructed your master password.

    Our advice has always been to use strong, uniquely generated passwords on every site. 1Password makes this pretty easy as you can search for known reused passwords (and even save them to a Smart Folder which will be updated live as you change them all until the Smart Folder is empty):

    http://blog.agilebits.com/2011/04/29/tips-how-to-find-duplicate-passwords/

    You can also sort by password strength which will allow you to update your weakest passwords first. It is a good way to highlight passwords that are too weak to have been possibly generated by 1Password.

    http://support.agilebits.com/kb/1password-39-for-mac-from-mac-app-store/how-to-sort-by-password-strength

    Most importantly, you'll want to make sure that your master password is strong, memorable, and never reused anywhere else. Here is the link again from the blog post with tips on creating a master password that is both strong and memorable:

    http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

    I hope that helps. Please let us know if you have any other questions. :)
  • MikeMcFarlaneMikeMcFarlane Junior Member
    khad wrote:

    Thanks for the link, Mike! In case you missed it, we did a follow up blog post of our own on that great Ars Technica article:

    http://blog.agilebit...sword-security/




    Thanks Khad, I will have a read.
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    I love this question!

    JimA wrote:

    What I am wondering is if this repetition of the same password, combined with an attacker's knowledge of the keychain format, will make it easier to crack my master password.


    The short answer is "No". It gives the attacker absolutely no advantage in either cracking your Master Password nor in deciphering any other encrypted data.

    The long answer is also "No", but includes a lot of background.

    What you are describing is called "key recovery through a known plaintext attack". That is, if an attacker is given some ciphertext, does giving the attacker some of the plaintext give them any advantage in recovering the encryption key or in learning anything about the plaintext that they are not given.

    Using AES encryption in Cipher Block Chaining (CBC) mode (as we do) means that (unless there is something deeply wrong with AES) known plaintext attacks give the attacker no advantage.

    CBC mode ensures that the same data will not be encrypted the same way twice. So if an attacker knows that a particular part of your ciphertext corresponds to the plaintext "mysecretpassword" they can't go hunting for the same chunk of ciphertext to work that out.

    Note that when block ciphers (like AES) are used naively in what is called Electronic Code Book mode (ECB) then you will have the same blocks encrypt to the same ciphertext. This can be used to recover a lot of information. But we know better than to use ECB mode, despite what I may have said on April 1st.

    Now let's move on to key recovery. If an attacker knows some of the plaintext corresponding to some ciphertext does this give them any advantage in learning anything about the key? (Note that it has to be an advantage over simply trying every possible key, as they could pretty much do that already.) With systems like AES (unless there is some terrible gaping error deep in it) the answer is no. These are designed to not be vulnerable to such attacks. This is because cryptographers learn from history.

    Probably the most famous codebreaking activity in history is what happened with the German Enigma cipher. The relevant part here is that Enigma (which corresponds to a stream cipher instead of a block cipher) allowed for an attacker to gain significant advantage in recovering the key with known plaintext. With enough known plaintext, it was possible to eliminate the vast majority of keys, so that actually trying out the remaining keys was possible (though it required a lot of automation).

    It was a group of Polish mathematicians, led by Marian Rejewski, who worked that out in principle. Rejewski also worked out all of the wiring and design of the Enigma based solely captured plaintext and ciphertext. (So despite what some movies might tell you, physically capturing an Engima machine played no role in actually learning to break it.) There were massive improvements and refinements made by the cryptanalysts at Bletchley Park (most notably, Alan Turing), along enormous improvements on automating the search within the remaining keyspace.

    Anyway, Enigma allowed for key recovery from known plaintext. This is not a mistake that any cryptography would make today. Indeed, one of the differences between the Allies and the Germans in this is that people at Bletchley Park (the code breakers) advised the people involved in making codes. The Germans had a remarkably good team of code breakers as well. They tried to warn the German code makers of problems with Enigma, but their advice was not welcome.

    Now it is pretty much part of the cryptographers' creed that nobody should try to design a cipher until they have cut their teeth breaking some.

    OK. So that is probably a much longer answer than you wanted. But that is the danger you face when asking me a question about cryptography.

    Cheers,

    -j
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    Returning to the question of having a separate email account for password recovery, it is only something to consider if you are comfortable managing multiple email accounts.

    Having a separate email address (or domain) isn't enough. For this strategy to do any good, you would need to have a fully separate account with a fully separate password for that email account.

    This is why I don't particularly recommend that or follow it myself. It just seems like too much trouble for too little gain. I was just spelling out what I think Mat meant there. I'm certainly not advocating it.

    Cheers,

    -j
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    I've been asked a number of times about how the levels indicated in 1Password's password strength meter correspond to bits of entropy. The short answer is that they don't, and that any password strength meter (including ours) should be taken with a large grain of salt. I don't want to give you specific numbers for what counts as "weak" or "strong" or "fantastic", because we actually change those. That is we have, over the years, raised the bar for what counts as "strong". So some of my vagueness is because we want to remain agile about this. The strength meter is something that we tinker with from time to time.

    Now comes the long answer:

    Password strength meters (including ours) provide only a very rough guide. The fundamental problem with password strength meters is that they only have the password to work from. They don't know the system that was used to create the password. As we've stated many times, the strength of a password is a function of the system that generated it.

    An extreme example I used from http://blog.agilebits.com/2011/08/10/better-master-passwords-the-ge...


    The passwords F9GndpVkfB44VdvwfUgTxGH7A8t and rE67AjbDCUotaju9H49sMFgYszA each look like extremely strong passwords. Based on their lengths and the use of upper and lower case and digits, any password strength testing system would say that these are extremely strong passwords. But suppose that the system by which these were generated was the following: Flip a coin. If it comes up heads use F9GndpVkfB44VdvwfUgTxGH7A8t, and if it comes up tails use rE67AjbDCUotaju9H49sMFgYszA.

    That system produces only two outcomes. And even though the passwords look strong, passwords generated by that system are extremely weak.

    Some people at Dropbox have stated an open source project which aims to be smarter about all of this.

    https://github.com/lowe/zxcvbn

    I am delighted that people are giving the problem serious and thoughtful attention, but I am not optimistic about ultimate success in this project.

    Over at Openwall, the developers of John the Ripper have a password strength system (used for testing login passwords) called passwdqc.

    http://www.openwall.com/passwdqc/

    Again, these things are designed to give results very quickly, and so can't really go through the business of actually trying to crack the particular passwords.

    We've considered upgrading our password strength measure with one of these more sophisticated tools, but the slight gain in estimation that they would give isn't worth the computational cost. 1Password does not store password strengths, but has to recompute them on the fly each time your 1Password data is unlocked.
    So we are keeping on eye on those sorts of developments. We'd love for someone to "solve" the password strength meter problem. But until they do, you should take all reports of password strength from some meter with a substantial grain of salt.

    And another lesson is that when you ask what seems like a simple question about security, you almost never get a simple answer!

    Cheers,

    -j
  • jpgoldberg wrote:


    From what you describe, if you created your 1Password datafile a long time about, then you probably have one that is using 1000 PBKDF2 iterations. Note that you can get a much better security gain by making even a small improvement to your Master Password than you can by increasing the PBKDF2 iterations.

    Again, please not that going from 1,000 iterations to 10,000 iterations adds a relatively small degree of additional security.


    I created my keychain using an older version of 1Password and confirmed my export/import brought me up to 10,000 using the latest 3.8 build. If I migrate to 3.9 and let Lion's PBKDF2 function determine the number of iterations, is it possible I will still only get 10,000 or, even worse, could it be lower?

    I realize you said the change is only a small degree of functionality but I would upgrade to 3.9 and re-export/import even for only a small degree of improved security. However, it was not clear to me if 3.9 guaranteed >10,000 PBKDF2 iterations.

    Thanks

    Paul
  • khadkhad Social Choreographer

    Team Member
    edited August 2012
    As mentioned in our "Staying ahead with security" blog post and linked by Jeff earlier in the thread in the same post you quoted:

    1Password 3.9 employs a Lion-only feature that automatically calculates the optimal number of PBKDF2 iterations for use on your computer. The CCCalibratePBKDF function that is part of Apple’s new CommonCrypto framework will calculate how many PBKDF2 iterations are needed to force, say, a 500 millisecond delay on your machine. We then use this when creating the new data file. We do put an upper limit on these, because the files you create on your super powerful Mac Pro will still need to be used on other potentially less powerful devices that you sync your 1Password data file with.

    While it is theoretically possible to have the number of iterations calculated at a number lower than 10,000 you would likely have to find a very old and slow Mac on which the calibration was performed. I am not even sure if Lion would run on a machine that would calibrate lower than 10,000 iterations. A quick poll of the teams' 3.9 calibrations shows iterations roughly in the range of 20,000 to 40,000.
  • My apologies for the late reply, but I just found this topic and had a question.

    This thread seems to imply that changing your master password isn't necessary because it's not subject to brute force attacks. I read the blog post on John the Ripper on a single machine and it does seem that you have thought about the security implications of a cracker, but I'm not sure I think this is great advice in the era of cloud computing.

    Based on the crack of the 512bit DKIM key from Gmail (http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/), do you still think that the 1Password master password shouldn't be rotated at some interval, along with the accounts inside it? With the power of AWS/Azure/Google Cloud, couldn't someone that got a copy of my password file crack this in a reasonable/cost effective timeframe?

    I believe your encryption is strong, and it seems you've thought of possible attack vectors, but the computational power that any particular person could wield becomes larger, and cheaper every month.

    In line with that, have you tried working with a distributed cracker and a cloud service like AWS and seen what effect $100 might have on various encryption key lengths?

    Thanks in advance.
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    Hi way0outwest! Welcome to our forums!

    way0utwest wrote:

    This thread seems to imply that changing your master password isn't necessary because it's not subject to brute force attacks.


    I certainly am suggesting that it isn't necessary (or even useful) to change your Master Password if you've already got a good one. But my reasons are only tangentially related to the difficulty of a brute force attack.

    The first reason is that the threats against capture of a 1Password Master Password are very different than the threats against the kinds of passwords that should be changed. So even though there are cases where advice to change passwords regularly could make sense, that advice doesn't make sense with respect to a 1Password Master Password. (Difficulty of brute-forcing plays a minor role in this argument, but it isn't the core of it.)

    The second reason is that your 1Password Master Password is used for encryption instead of for authentication. Even after you change your Master Password, your old one will still be able to decrypt an old (backup) copy of your 1Password data. If someone has captured an old copy of your 1Password data, then they can still try to break in with the old Master Password. From there, they can extract keys that can even be used against your newer data.

    Again this is because your Master Password is actually used to decrypt data (transform the data into something meaningful) instead of being use to authenticate you (prove who you are to some server that can then decide to let you in or not). It is a subtle distinction, but encryption passwords and authentication passwords should be treated differently.


    Based on the crack of the 512bit DKIM key from Gmail ([url="http://www.wired.com...ity-widespread/"]http://www.wired.com...ity-widespread/[/url]), do you still think that the 1Password master password shouldn't be rotated at some interval, along with the accounts inside it?

    That was a really cool case, but it really is very different and illustrates a different point. First note that no password was cracked. Instead the private portion of an RSA public/private key pair was discovered. Someone was able to work backwards from the public key (roughly a 150 digit number) by factoring the public key into its prime factors. (I've skimped on some details.)

    Note that the requirements on key sizes different for different kinds of systems. For RSA keys, the recommended key size is now 2048 bits. For things like AES, 128-bits remains more than strong enough.

    But what is useful in this example is that nobody, not even the people at Google "know" the private key (the prime factors). Instead they will typically have a special file that contains an encrypted form of their private key, and then that file will be encrypted using a password. So they will have a key file, which is protected by a password.

    Now once someone has discovered what the private key is, it wouldn't do Google any good to change the password that they use to encrypt their copy of the private key. Google had to change their keys (and use stronger ones). They may, or may not have had to change their passwords. This distinction between changing passwords and changing keys is tricky. It's common in high security systems (including 1Password), but it isn't something most people are aware of.


    With the power of AWS/Azure/Google Cloud, couldn't someone that got a copy of my password file crack this in a reasonable/cost effective timeframe?


    This depends on the quality of your Master Password. As noted in the article, we take big steps to slow down what cloud clusters of CPUs and GPUs may do. You may also be interested in a more recent article:

    http://blog.agilebit...-and-1password/


    I believe your encryption is strong, and it seems you've thought of possible attack vectors, but the computational power that any particular person could wield becomes larger, and cheaper every month.

    You are absolutely correct, and we pay very close attention to these developments. But I think that the message is that we've already planned ahead for these kinds of things. That is why we don't worry so much at each new report of a speed up. We may not have anticipated the precise details, but the over all trend is something that we have designed for.

    Furthermore, changing your Master Password (unless your current one isn't sufficiently strong) doesn't address that kind of threat.

    In line with that, have you tried working with a distributed cracker and a cloud service like AWS and seen what effect $100 might have on various encryption key lengths?


    We've been exploring just that. Once things settle down we will pursue that with more energy. I should note that it is Master Password cracking not key length that is the concern. No humanely usable password is going to be nearly as strong as a 128-bit AES key. So we build our defenses against the threats.

    Anyway, it is great that you are concerned about these things and are paying attention. But in a world of different kinds of keys and different kinds of changes (predictable and otherwise) in the threat landscape, it can be easy to become concerned about about the wrong things.

    I hope that this helps.

    Cheers,

    -j
  • Hi

    I read the article on John the Ripper and the article on strong passwords which I found very interesting. My question is: John the Ripper has a feature called something like dictionary mode. Does this mean that if I set a password using four actual words, the dictionary mode will make it easier for John the Ripper to crack my password? Should I be using random letters which will of course be much harder to remember?
  • khadkhad Social Choreographer

    Team Member
    edited December 2012
    Welcome to the forums, Paul!

    Diceware is designed so that even if an attacker knows the system used to create the password it is still very strong. The strength comes from the exponential increase in possible word combinations. Any one word is incredibly weak and will likely be cracked nearly instantaneously. But as you increase the number of words the number of possible combinations doesn't increase linearly. It increases exponentially.

    That is why the increase from a three word Diceware password to a four word one takes much more than 25% longer to crack.

    JtR-1P-crack-times-750x305.png

    A simple example is flipping a coin. With one coin toss you have two options: heads or tails. With two tosses you have four possibilities: heads-heads, heads-tails, tails-heads, tails-tails. With just three tosses the possibilities increase to eight:
    • heads-heads-heads
    • heads-heads-tails
    • heads-tails-heads
    • heads-tails-tails
    • tails-tails-tails
    • tails-tails-heads
    • tails-heads-tails
    • tails-heads-heads

    Because the calculation for the number of possibilities is 2^n where n is the number of coin tosses.

    For Diceware passwords the difference is even more striking since the word list is much longer than "heads" and "tails". For more on the math behind Diceware passwords, I would encourage you to take a look at:

    Better Master Passwords: The geek edition

    Please do let me know if you have any other questions.

    Cheers,
  • Thanks. So if John the Ripper is going through a dictionary before checking other more random combinations, it won't be able to crack dice ware faster? Or have I misunderstood what "dictionary mode" is?
  • khadkhad Social Choreographer

    Team Member
    edited December 2012
    You are correct. Again, the idea is not to hide the system from an attacker but to have a system that — even if known to the attacker — is still strong. As mentioned in the aforelinked article:

    The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

    "The Diceware method is secure even if an attacker knows that you used Diceware to pick your passphrase, knows how many words are in your passphrase and knows the word list you used. The security of Diceware comes from the huge number of combinations that an attacker must search through even with that knowledge . The Diceware word list contains 7776 words, so if you pick a five-word passphrase, there are 7776^5 (7776*7776*7776*7776*7776) combinations. That is over 2^64 (2 to the 64 power or 26,000,000,000,000,000,000) possibilities. A six word Diceware passphrase confronts an attacker with 2^77 (2 * 10^23) combinations; seven words 2^90 (1.5 * 10^27)." (via Diceware Passphrase FAQ)
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    Hi Paul,

    The chart from the article assumes that John the Ripper is using the same diceware list that you used to create your Master Password. Although dictionary mode can't be used directly for attacking diceware passwords, but it is easy to construct a "diceware mode" for John the Ripper and hashcat and other password cracking systems. But the chart has already assumed that John the Ripper is using "diceware mode".

    If you use truly random stuff for your "words" to go beyond the diceware lis then John the Ripper will have an even harder time. However it is harder to do that than you might imagine. If you take a look at the the Toward Better Master Passwords article you will see that when people try to create what they think of as random passwords, their passwords are not nearly as random as they might believe. With Diceware, the level of randomness is guaranteed and the passwords are easy to remember (with a bit of practice) and are easy to type on most keyboards.

    I hope this helps,

    Cheers,

    -j
  • jhollingtonjhollington Junior Member
    jpgoldberg wrote:
    The second reason is that your 1Password Master Password is used for encryption instead of for authentication. Even after you change your Master Password, your old one will still be able to decrypt an old (backup) copy of your 1Password data. If someone has captured an old copy of your 1Password data, then they can still try to break in with the old Master Password. From there, they can extract keys that can even be used against your newer data.


    This presents an interesting question... Is there some means in 1Password to forcibly re-generate the entire key structure such that this wouldn't be possible even if an old Master Password and data file became compromised? I guess exporting everything and reimporting it into a brand new 1Password database would do the trick, but is there a simpler way to go about this?

    Obviously, were the Master Password ever compromised, passwords would need to be changed, but of course this doesn't do any good if the derived keys from the original file can be used to crack the newer data.
  • Penelope PitstopPenelope Pitstop Junior Member

    This presents an interesting question... Is there some means in 1Password to forcibly re-generate the entire key structure such that this wouldn't be possible even if an old Master Password and data file became compromised? I guess exporting everything and reimporting it into a brand new 1Password database would do the trick, but is there a simpler way to go about this?

    Obviously, were the Master Password ever compromised, passwords would need to be changed, but of course this doesn't do any good if the derived keys from the original file can be used to crack the newer data.
    Unless something changed, the export, new data file, import is the only way to do it.
  • jhollingtonjhollington Junior Member
    Yeah, that's my understanding as well, but was wondering if Jeff had something else up his sleeve :)
  • Penelope PitstopPenelope Pitstop Junior Member
    When I lost my phone, I spent a long time asking about this. Even though my master password was very strong at the time, I felt that 1PW was merely buying me time to systematically change all my passwords.

    Despite learning a lot more than I ever thought I would want to learn about encryption, I did the same again when I had a laptop stolen a year or so later. I'm sure the Agile guys thought I was bonkers but it gave me peace of mind.
  • jhollingtonjhollington Junior Member
    I did something similar when Dropbox "failed open" last year, since I was using that for sync. Despite having no evidence that my particular account was compromised, I immediately went through and changed every high-security password (which I've already pre-identified using a specific folder). An ounce of prevention is worth a pound of cure, as they say, and passwords can very easily be changed, especially when you're using 1Password.

    I became a bit less concerned, however, about re-encrypting my actual 1Password data store under those specific circumstances. However, I also rotate my critical passwords every 30 days anyway, and not necessarily on the same cycle, so that limits my exposure somewhat.

    Now that I think about it, however, I'm not entirely sure that the 1Password data file from your phone (in version 3.x) could have been used to compromise your actual 1Password data file in this manner, since in theory the encryption keys should be entirely different (Jeff?). I suppose the actual Master Password being stored in the iOS keychain is an additional vulnerability, but that's ironically harder to recover than the 1Password data file from the iPhone, as long as you're using a passcode on the device. Of course, if you have the Dropbox app on your device, that would provide a way to retrieve the actual 1Password database directly, since the Dropbox app remains authenticated to your Dropbox account, but without the Master Password they'd be back to brute-forcing it anyway.
This discussion has been closed.