Could there be a backdoor?

Niklas

Paraphrasing Bruce Schneier; the math is secure, but is the implementation flawed?

I am reasonably sure that 1P has not been compromised in any way, but it is a very valid question to ask whether the encryption code does not have any flaw that would allow those who know about the flaw to significantly reduce the time required to decrypt. Snowden revealed that that's generally the MO at NSA: To attack the flaws in the end points rather than than going directly for the encrypted content.

24 character password that's upper, lowercase, numeric and special characters

Thank's, that significantly reduced my search space! Now I can create a rule that always generates a string that is:

• 24 characters
• At least one upper case
• At least one lower case
• At least one number
• At least one non-alpha/number

You probably reduced your entropy by about 10 bits by revealing that :p

Uno_Lavoz

It doesn't matter if the underlying algorithms are weakened. If they are trying to crack an 1Password database, then they will never brute-force bit by bit. That is insanity as that's a VAST searchspace. They will instead vastly reduce their searchspace by only attacking printable characters and generating passwords from ASCII and attempting those. That's why it doesn't matter to us if certain crypto algorithms are somewhat weakened. And remember that weakened does not mean useless. The math is still extremely strong. You can only find shortcuts. You can't avoid doing the math.

Anyway, as for my password, I obviously gave random details to make a point, that's not my actual password length. It's longer than that.

• There are 26 uppercase letters (A-Z; even more if you add national characters, diacritics, etc)
• There are 26 lowercase characters
• There are 10 numbers
• There are 33 printable special characters (non-alphanumeric) in the ASCII set

Let's assume that my real password is 32 characters.

For each individual character in such a password there are 26+26+10+33 = 95 possible characters that could occupy that spot.

That means that there are 95 ^ 32 = 1.93711484458501 x 10^63 combinations.

Now let's do an example:

Let's say you have a direct CPU instruction that can generate a whole 32 character combination in one CPU cycle (such instructions don't actually exist in mainstream CPUs, but could be made with an FPGA or custom-built, and would be the most powerful way of generating a password). Also, you're not storing these combinations so there is virtually no memory access. Finally let's assume that your effective clock speed for these instructions is 2.0 petahertz (ten to the fifteenth cycles per second), which doesn't exist yet outside of the fastest supercomputers on the planet.

The number of 32 character combinations that fit the above rules is 95 to the 32nd power as shown above.

Let's make it even easier for the attacker and INSTEAD assure them that I ONLY use numerical characters in my 32-character password, rather than the full 95 possibilites: Only the 10 numbers from 0 to 9. So now they know that it's a 32-letter password consisting entirely of numbers (you can indeed visualize it as a number in this case, such as 98563950675485967354759264528635, which is 32 characters long and consists only of 10 possible digits per character).

That's an example 32-character password consisting ENTIRELY of numbers. This is an example to make it FAR easier for the NSA to crack the password with their supercomputer. Instead of 95 ^ 32 = 1.93711484458501 x 10^63 combinations, we have crippled the search space to a mere 10 ^ 32 = 1 x 10^32 combinations. This ought to be easy, right?!

So, 10 to the 32nd power is a much smaller lower bound on this value than the whole 95 to the 32nd power (the full possible character set I used). To compute JUST this smaller group of JUST a numerical 32-character password, you will need 10 to the 17th seconds (combinations / clock speed) on this theoretical supercomputer that has a magical (non-existent in today's computers) instruction for generating one whole 32-character password per clock cycle.

There's approximately 32 million seconds in a year, but for this example, we'll take 100 million seconds in a year to make the math easy (means that our math example is getting over 3x more work done per year than in reality). So that leaves us with 10 to the 17th seconds (time required to calculate all permutations of a 32-character NUMERIC-ONLY string) being divided by 10 to the 8th seconds (one of these 3x-longer-than-reality years). That means it will take more than 1 billion of these years for this computation to complete even with such an incredible supercomputer. If you do the math exactly with ALL 95 possibilities for each character and REAL years (a mere 32 million seconds per year rather than 100 million), you'll find that cracking my password takes longer than the estimated time we have left before our sun becomes a red giant (5 billion years).

The short version of all of the above: Stop being so paranoid.

khad

I am reasonably sure that 1P has not been compromised in any way, but it is a very valid question to ask whether the encryption code does not have any flaw that would allow those who know about the flaw to significantly reduce the time required to decrypt. Snowden revealed that that's generally the MO at NSA: To attack the flaws in the end points rather than than going directly for the encrypted content.

You probably want to read Jeff's posts #13 and #14 in the 1Password and the Crypto Wars discussion thread.

Niklas

@Uno_Lavoz
Excellent post, also an excellent side-step from the topic. Also, excellent ad-hominen in your finishing sentence.

@khad, I know, I even meant to quote those posts but thought that it might have been redundant. Thanks for filling in for anyone else interested!

Uno_Lavoz

@Niklas wrote:

@Uno_Lavoz Excellent post, also an excellent side-step from the topic. Also, excellent ad-hominen in your finishing sentence.

Uhh, what?

"An excellent side-step from the topic"?

You were the one that brought it up when you wrote the following about weakened crypto algorithms:

I am reasonably sure that 1P has not been compromised in any way, but it is a very valid question to ask whether the encryption code does not have any flaw that would allow those who know about the flaw to significantly reduce the time required to decrypt.

I replied to that with the following paragraph:

It doesn't matter if the underlying algorithms are weakened. If they are trying to crack an 1Password database, then they will never brute-force bit by bit. That is insanity as that's a VAST searchspace. They will instead vastly reduce their searchspace by only attacking printable characters and generating passwords from ASCII and attempting those. That's why it doesn't matter to us if certain crypto algorithms are somewhat weakened. And remember that weakened does not mean useless. The math is still extremely strong. You can only find shortcuts. You can't avoid doing the math.

(Furthermore, Jeff did a great job explaining why the math behind AES ensures that it's extremely unlikely that it could ever be intentionally weakened. You do not have to fear using the AES algorithm. It's not backdoored.)

Nobody would take a 1Password database and attack the crypto directly by just brute forcing random bit-patterns. The attacker would have to be an idiot to try that.

The weakest point of any crypto is the plaintext password itself. It is far shorter than the derived bit-key and can often be found in dictionaries if people are that stupid.

Therefore I went on to show the value of a strong password, and how even with a vastly reduced searchspace (using ONLY numbers in the 32-character password), you STILL cannot crack my password BEFORE OUR SOLAR SYSTEM ENDS. ;) That demonstrates the value of a long and secure password that cannot be found in dictionaries or common password lists. You don't even have to use 32 characters (but feel free to do it, if you want to use a sentence of words, for instance). Just remember that every removal of 1 character halves the time required to crack a password. But it doesn't matter much. Even a "simple" 14 character password has this many possibilities:

95 ^ 14 = 4.8767497911553 x 10^27 possible combinations (when using a password of lower, upper, digits and special).

This 14-character example is in fact relatively close to the number of possibilities in my math example of the 32-character password consisting ENTIRELY of the numbers 0-9, which gave 10 ^ 32 = 1 x 10^32 combinations.

So, if you have a strong 14-character password using all character sets (lower, upper, digits and special) - guess what? Even though it may SEEM short, it's NOT. It TOO is secure enough to not be crackable before our solar system ends!

Pick a good password, folks!

Any password scheme fails the moment you pick a common password/dictionary word or write down your password somewhere.

I suggest picking random words and intermixing upper, lower, and special characters around and within those words in various patterns known only to you.

If you do that, then you're free to store your 1Password database on the NSA harddrives, and they would never be able to crack it no matter how much they try. (If you doubt me, re-read the supercomputer example in my previous post. Even with their imaginary best-possible scenario supercomputer, they would be unable to find the password before the solar system ends.)

Finally:

excellent ad-hominen in your finishing sentence.

Wrong. An ad hominem is when you attack a person's character instead of addressing their arguments.

I obliterated your arguments by showing the true facts of the math behind it all, and THEN ended with a 4-word REMARK that I am tired of people being so darn paranoid that I had to waste time typing all of that out. It was NOT an ad hominem. I addressed every point and then some. In fact I'll repeat it again: Stop being so paranoid.

It's so sad to see how many paranoid people there are, who just won't stop worrying even when AgileBits says time and time again that they are under Canadian law and under no incentive to ever spy on users (there are no laws requiring it, and it would go directly against their commercial interests and survival as a company). They even openly publish their spec, to the point that any one of us could write a 1Password clone that reads and writes the exact same database format. That is what I call transparency! Being open about what they do with our data is of utmost importance to them. Mistrusting their product leads to loss of sales. Their transparency is incredible and you'll be hard-pressed to find more upstanding guys.

When is enough enough? Relax, please.

Sacred_Brindle

I don't wish to stir the pot any, nor go to far off topic here.

@Uno, I truly hope that you do not believe that your password is beyond the realm of cracking. You make a very good point with regards to addressing the 1pass specific concern in light of all the recent (and surely forthcoming), revelations. With the proper awareness and precaution, we can lock our stuff down pretty well, and it sounds like you may perhaps even more so than most (myself included). However, I do hope that you are aware of the fact that, if you had something locked within your 1pass vault, that "they" (no need to bungee jump the rabbit hole here) truly wanted, it IS possible. Time, money and resources, simple as that. We (the public) have NO idea what computation power/resources exist off the supercomputing bragging list and the minds hand picked to run them. It is also not a stretch of the imagination (by any means), to not assume that there are plants (read as agent/op/etc...), at every possible level and within every industry known to man. While, obviously an extreme case scenario, I wouldn't be so bold as to say anything in is beyond reach before the end of our solar system. Well, unless you know more about the celestial activity than I do. :)
Be aware and always keep in mind the quote re: The only true info "leaked" from extremely confidential sources may very well be the very info that was placed into position to be leaked. Real secrets are not written down, made into FOIA searchable memos, stored on discs, let alone show up on graphical presentation slides for a contractor to walk out with.
I do agree with you on the relaxation though!
Cheers!
-b

Uno_Lavoz

@Sacred_Brindle Haha, so much conjecture and fear. Of course we don't know what kind of supercomputer "they" have. That is exactly why I did the math with a hypothetical computer that is way beyond the greatest supercomputers in the world.

I would be extremely surprised if the NSA had anything even remotely close to the incredible computing power that I used in the mathematical example.

The example assumes a hypothetical 2.0 petahertz computer with a direct on-chip instruction for generating any password in a SINGLE cycle, and without any need for RAM/disk access (which is something that massively slows down all cracking but is unavoidable in real-life computers).

Do you know how much a petahertz is? Two petahertz is two million gigahertz.

Most chips these days hover around 2 or 3 gigahertz due to physical limitations. Assuming 2 gigahertz cores, they would need one million CPU cores to hit 2 petahertz. And that's before we even get to the magical, non-existent instruction which could both generate and try out each password in ONE cycle per password (which includes salting and applying thousands of PBKDF#2 rounds, making it supremely unlikely that such an hardware-instruction could even be built, let alone done in ONE cycle).

Yet even using that hypothetical super-duper-computer (my new word because we need some word better than "super-computer" to describe the awesome power in my hypothetical example), "they" would be unable to crack a 32-character numerical (digits 0-9) password before the end of the solar system.

Now consider the fact that the NSA only has one thing - money. Despite what very crazy and paranoid people think, they don't have magical computer science researcher-dudes that can conjure quantum computers out of thin air. They are limited to building computers out of the exact same hardware that is publicly available.

Still not convinced that you're safe? Well, even if you doubled the power of the example supercomputer - or how about tripled it, quadrupled or even more - it still wouldn't make a difference.

In fact, you could make a super-super-duper-duper-computer that is a THOUSAND TIMES FASTER than MY hypothetical super-duper-computer, giving it an INSANE 2 000 petahertz, absolutely out of reach of ALL humans, and you would still not have a computer fast enough to crack a 32-character numerical password before you and every NSA official are long dead, the aliens have invaded, and we all worship Zorg.

If there was a way to upload data to the NSA, I would send them my 1Password database just to prove that we can ALL trust the math.

It is true that we can of course never keep secrets from being discovered in the future, but with the current and foreseeable computing technology, there's absolutely ZERO way for them to ever crack the password before we're all long-dead.

And before you begin worrying about "quantum computers," you should read up on them. It's a loaded, magical term feared by all and understood by none. They are pure science fiction; a non-existent bogeyman feared by an ignorant public. There's something called the D-Wave Two out now, and, well...

Independent researchers found that D-Wave's computers can solve some problems as much as 3,600 times faster than particular software packages running on digital computers. Other independent researchers found that different software packages running on a single core of a desktop computer can solve those same problems as fast or faster than D-Wave's computers (at least 12,000 times faster for Quadratic Assignment problems, and between 1 and 50 times faster for Quadratic Unconstrained Binary Optimization problems).

In 2007 Umesh Vazirani, a professor at UC Berkeley and one of the founders of quantum complexity theory, made the following criticism:

Their claimed speedup over classical algorithms appears to be based on a misunderstanding of a paper my colleagues van Dam, Mosca and I wrote on "The power of adiabatic quantum computing." That speed up unfortunately does not hold in the setting at hand, and therefore D-Wave's "quantum computer" even if it turns out to be a true quantum computer, and even if it can be scaled to thousands of qubits, would likely not be more powerful than a cell phone.

...That speed up unfortunately does not hold in the setting at hand, and therefore D-Wave's "quantum computer" even if it turns out to be a true quantum computer, and even if it can be scaled to thousands of qubits, would likely not be more powerful than a cell phone.

...even if it turns out to be a true quantum computer, and even if it can be scaled to thousands of qubits, would likely not be more powerful than a cell phone.

...would likely not be more powerful than a cell phone.

...not more powerful than a cell phone.

The bottom line on these feared "quantum computers" is that they aren't much more than a novel way of storing and manipulating bits, and that their processing power ranges from far better to far worse than a regular desktop computer, but that it's highly dependent on the task, and that they are far slower for most tasks. They can't take any form of "shortcuts into the future" or any crazy stuff like that. They're really just a new method of storing and manipulating data (bits), which is why they aren't faster than normal computers except for very specific tasks. Like one of the leading voices on the subject says: Even a TRUE quantum computer in all its space-bending glory would likely not be more poweful than a cell phone.

In fact, the reality gets worse for quantum computers:

MIT professor Scott Aaronson, self-described "Chief D-Wave Skeptic", originally said that D-Wave's demonstrations did not prove anything about the workings of the computer. He said that a useful quantum computer would require a huge breakthrough in physics, which has not been published or shared with the physics community. Aaronson in May 2011 updated his views, announcing that he was "retiring as Chief D-wave Skeptic" in 2011, and reporting his "skeptical but positive" views based on a visit to D-Wave in February 2012. Aaronson alleged one of the most important reasons for his new position on D-Wave was the article in Nature.

In May 16 2013 he resumed his skeptic post again. He now criticizes D-Wave for blowing results out of proportion on press releases that claim speedups of three orders of magnitude, while at the same time a recently published paper by scientists from ETH Zurich that had access to a 128 qubit D-Wave computer outperformed it by a factor of 15 by using regular desktop computers and applying classical Metaheuristics (particularly simulated annealing) to the problem that D-Wave's computer is specifically designed to solve.

Want to know the final death-knell? Quantum computers actually aren't accurate at all. They work on uncertainty, and achieve "accuracy" by performing a calculation many times. The average answer that turns up the most is assumed to probably be correct. That is great for some types of problems, but totally useless for cracking passwords (where total accuracy is needed).

It's fun to imagine "men in black" NSA types with unlimited military budgets, alien technology, quantum computers and magical black boxes that let them crack anything instantly at the press of a button. That's the narrative that the media sells. It's easy to get people scared that way and it sells newspapers.

Luckily that's not based in reality. The NSA is a standard, alphabet-soup agency full of bureaucracy and mediocre people, with a few smart minds here and there. They're limited to the exact same hardware that the general public uses. There's really nothing special about them whatsoever apart from their budget, which isn't even that great compared to all of the various companies around the world that have built supercomputers too.

I hope this final in-depth explanation puts your mind at ease? :-)

Uno_Lavoz

For posterity, here are all of the various ways of attacking your database, from easiest to hardest:

• Torturing you to give up your password. It's hilarious how many people talk about password strength and completely forget the human element. In a nerd's mind: "The NSA will never be able to crack my password." In the NSA's mind: "Send him to Guantanamo and break a few bones until he speaks." Crypto does not protect against such an adversary. It's a hilariously absurd example, though, since I can't picture anyone on this forum being an enemy of the state. Whenever there's a discussion like this, there's always just a lot of nerds talking about stuff that they really shouldn't be worrying about, since they will never be targeted.
• Freezing the RAM to extract the pure decryption keys from active memory. This one is super easy if they have physical access to the machine while it's running and 1Password is unlocked.
• Installing keyloggers on your machine remotely. The NSA and FBI have had tools to do this for the last decade, but they only unleash them in very targeted attacks, they seem to exclusively target Windows, and the installation method is of course still dependent on the existence of standard OS vulnerabilities on your machine. This means that you're safe if you are fully patched up (which most people were in the August 2013 Tor network attack, for example). The FBI/NSA's methods are no more advanced than regular viruses, and use the exact same techniques of infection. Just have the latest patches and a good antivirus, and don't visit extremist websites / networks (which is where they insert their exploits). Yet again a hilarious example, since I don't think we have a single terrorist on these forums.
• Attacking your password. If it's a simple dictionary word, you won't last long at all and will be cracked in the time it takes them to drink a cup of coffee. If it's a long password that isn't in a dictionary and isn't written down anywhere, they will never be able to crack it until both you and they are long dead and the solar system has gone up in flames.
• Attacking the cryptographic algorithms themselves via brute force. Nobody does this because it's pure stupidity, as explained earlier. It's literally the hardest thing you can do.
• Getting AgileBits to install a backdoor. Yes, thanks to this company being under Canadian jurisdiction, getting them to install a backdoor is actually harder than attacking the crypto itself. Why is it harder? Because it simply can't happen: AgileBits are under no legal obligation to install backdoors due to the wishes of some American agency, so there's no point in the NSA even asking. They can't take this avenue. Don't worry about it. By the same token, I would perhaps worry about American software, though - especially Microsoft operating systems, which have had a "NSA key" since the 90s (Google it). The same goes for your conversations on Skype, which is now owned by Microsoft.

I'll end this by once again reminding people: Choose a great password (for example: "123$$$Correct!Horse!Battery!Staple$$$123" is infinitely more secure than "correct horse battery staple" which is infinitely more secure than "horse") and completely stop worrying about men in black and aliens. In reality they are just boring, mediocre men in gray suits in a regular office building. They have no secret technology that could ever crack a proper, secure password. That is why I have continuously said that I would be happy to store my entire database directly on NSA's hard drives. They would never be able to get into it.

The only aspect about the NSA that we have to fear is the way these cretins are ignoring the constitution and our liberties and are snooping on all significant internet traffic as if they were our overlords.

I really like this quote, author unknown: "The terrorists want to take our freedom, so the government protects us from the terrorists by taking our freedom..."

And this one by Stephen Colbert: "If you're doing nothing wrong, you have nothing to hide from the giant surveillance apparatus the government's been hiding."

I'm one of the people that have nothing to hide, but I find it disgusting how they give themselves the right to take liberties with our liberties...

Uno_Lavoz

Here you go, everyone:

https://www.schneier.com/blog/archives/2013/10/nsa_harvesting.html

Like I said, the NSA cannot crack encryption. Their harvesting of email addresses failed completely whenever visitors to those email services (such as gmail) were using HTTPS. Gmail defaults to HTTPS, which meant that despite the popularity of that email service, they were only able to capture 33,697 email addresses (from the few unencrypted Gmail users) in a whole year of surveillance. In the same year, they captured 444,743 email addresses from Yahoo, since it is totally unencrypted by default.

(Good) Encryption stops the NSA.

I don't think there is much more I can say on the subject, but I hope I've helped give everyone peace of mind. There is zero to worry about as long as your password is strong.

Just make sure that your password isn't a simple word or common phrase (so that it survives dictionary attacks), and then use Password Haystacks (https://www.grc.com/haystack.htm) to determine if your properly-padded password will survive brute forcing as well. If you meet both of those requirements, you are free to store your 1Password database on the NSA's hard drives and they wouldn't be able to do a darn thing about it.

For example, the "123$$$Correct!Horse!Battery!Staple$$$123" is 40 characters long, and assuming a cracking-speed of 100 TRILLION (!!!) guesses PER SECOND, it would still take "41.30 million trillion trillion trillion trillion centuries to crack".

100 trillion guesses per second is 100,000,000,000,000 guesses per second (can also be expressed as "100 million million"). Far, far, faaaaaaar exceeding the power in examples I used in the earlier math. Yet even with such universe-bending, astronomical power, they are still powerless against your password.

Just pick a great password and relax.

Have fun, everyone!

PS: I see lots of people that have stopped trusting Dropbox with their 1Password databases. As I have adequately demonstrated, there is zero reason to avoid "cloud" services as long as the data is pre-encrypted client-side - as it is in 1P's case. It doesn't matter where you store your 1Password database as long as the master password is strong.

manny

I think it's important to ask questions like OP did, and I welcome this discussion.

MichaelDurio

This discussion has been instructive and detailed. Now, can we stop beating the dead horse? I think the agilebits personnel have other things to do, after all.

Just sayin'.

Sacred_Brindle

@Uno - "Fear" what an interesting choice to base an assumption on. What/who would anyone have to fear? Did the folks at the NSA grab a pic off my cam on my mac, while visiting a not safe for work site. Will my identity get stolen and used to cause me a headache of having to make endless calls to sort that out? Am I stealing windows source code, or burying Hoffa as we speak? :) No fear my friend. I simply do not live in a world of illusion or fantasy. I live in a world, where the country I live in has been in an illegal war for over 11 years. Where the basic rights that I knew growing up, are eroding in front of my eyes, yet the masses are worried about Kate's baby or Kim and the sisters. In Brazil they riot in the street, over sudden fare increases on public transportation, and we barely got a few hundred (maybe thousands) in the streets for the proof that most have always known - Big Brother is watching. Where containers of grain rot off the coast of a country of starving people due to a couple cents per pound dispute. We don't need to fear, what I fear is that perhaps you have not looked up from a book long enough to take a look around and see (and feel) the shift. No disrespect, just an observation. Back 2 topic...

You obviously know your technology, that is apparent. I'm not going to quote authors of articles disputing what you wrote, as I simply do not know enough about the technology or space, to even begin to have a debate based on the specifics of the science that you've learned. I will leave that for the rest of the folks on here who have a similar understanding or at least an interest in drilling down into the algorithms and theories of encryption, data protection and future technology. My only goal was to lift the veil a bit and have you peek under in hopes that you realize that life is often far far from what we believe it to be. As such, to make bold statements, one should have a footing so grounded..., well I'm not sure that ground exists. So I'll exit this one, as I see that you got that laser focus on exactly what you've learned or were told and that is exactly how it is. Not a bad thing, in fact, quite the asset for any fortune 50 employer if you so choose. A tip of the hat good sir. :)

Just remember when the Manhattan Project was considered not only impossible, but laughably so. Flying a drone airliner into the ground or shooting it down in 1962 to start a war, that was tin foil nut job material not Operation Northwoods. A lot of our beloved NASA technology/research, came from Nazi scientists who were "Paperclip"'d new identities for a free life in the US and around the world to continue their research. Such words may have landed you in jail back in the 40's-60's and beyond. People might even accuse you of being on drugs, "which some secret agent gave you" you desperately repeat over and over as you go "crazy" from one of the many now disclosed "testing" sites for Bluebird/Artichoke/MKUltra... All denied, deemed to far fetched and unbelievable, yet here we sit. So what may be huge leap in today's public perception, may in fact have already begun... But let's focus back on that TWTR IPO and enough of these silly little green men from mars bedtime stories...

Cheers!

Uno_Lavoz

@manny I think it's important to ask questions like OP did, and I welcome this discussion.

I absolutely agree. That's how to replace baseless "what if" speculation with discussion and facts.

@Sacred_Brindle "Fear" what an interesting choice to base an assumption on. What/who would anyone have to fear? Did the folks at the NSA grab a pic off my cam on my mac, while visiting a not safe for work site. Will my identity get stolen and used to cause me a headache of having to make endless calls to sort that out? Am I stealing windows source code, or burying Hoffa as we speak? No fear my friend. I simply do not live in a world of illusion or fantasy. I live in a world, where the country I live in has been in an illegal war for over 11 years. Where the basic rights that I knew growing up, are eroding in front of my eyes, yet the masses are worried about Kate's baby or Kim and the sisters. In Brazil they riot in the street, over sudden fare increases on public transportation, and we barely got a few hundred (maybe thousands) in the streets for the proof that most have always known - Big Brother is watching.

Well, the reason I called out the fear and conjecture in your original post, was these snippets about magical computers and infiltration everywhere: "I truly hope that you do not believe that your password is beyond the realm of cracking. I do hope that you are aware of the fact that, if you had something locked within your 1pass vault, that "they" (no need to bungee jump the rabbit hole here) truly wanted, it IS possible. Time, money and resources, simple as that. We (the public) have NO idea what computation power/resources exist off the supercomputing bragging list and the minds hand picked to run them. It is also not a stretch of the imagination (by any means), to not assume that there are plants (read as agent/op/etc...), at every possible level and within every industry known to man. Be aware and always keep in mind the quote re: The only true info "leaked" from extremely confidential sources may very well be the very info that was placed into position to be leaked. Real secrets are not written down, made into FOIA searchable memos, stored on discs, let alone show up on graphical presentation slides for a contractor to walk out with. I do agree with you on the relaxation though!"

This is a very common argument; "they're powerful and scary and wear black suits and we have zero insight and we simply don't know what they have." That's why I delved into it one last time to demonstrate the available computing-power reality - and that no matter what they have, it will not be enough. I'm not going to repeat it here, but the prior posts will demonstrate why they simply cannot have anything even remotely capable of cracking a good password. They rely on other methods such as torture, backdoors and viruses. The final death knell to their cracking-power theories (as if we even needed one after looking at the math showing that they can't do it) is shown in how they can't even crack the SSL certificates of Google in order to snoop on highly desired email traffic. They can't crack anything better than simple, short/common/dictionary-based passwords.

Now you went on with even crazier stuff, showing that you're one of those Alex Jones / Infowars guys that wants 9/11 truth, etc. I won't comment on any of that. I will only have "lazer focus" (as you put it) on the computing power and algorithm aspects. Because that is what this is about. We're not here to uncover 9/11. We're here to talk about 1Password. Did you stumble into the wrong forum?

However, I'm not going to disagree with you that there are very rich and powerful men out there who have stayed in power through generations of inheriting the "thrones" of businesses and politics, and have now built a vast, high-tech surveillance and spying network.

If the NSA revelations have done one good thing for the world, it's that people are no longer called conspiracy theorists when speaking of "Big Brother." The public finally understands that it was all true.

Edward Snowden did for Big Brother what Ron Paul did for the Federal Reserve.

As for why there's no rioting; well, there's no manufactured outrage in the media, so people remain calm. Remember back in the summer when this was just coming to light, and FOX news were inciting the Tea Party movement to impeach Obama for spying on them? FOX quickly realized that people were going crazy and that they were on the brink of manufacturing a very real demand for change, so they changed their media narrative and calmed people down again, thus ensuring that the Republicans voted the same as the Democrats - supporting continued surveillance.

Finally - the majority of Americans believe in a skydaddy who watches every move they make and every thought they have, and can punish them for eternity if they misbehave. Do you really think they care if a laughable, puny little government "spies a bit on the Internet to protect me from terr-urr-rusts". ;) If anything, well-behaving people can now feel even more superior about themselves for "having nothing to hide."

I just observe it all in amusement. Not really bothered by any of it.

Why does it all matter? Who cares? I don't. ;)

https://www.youtube.com/watch?v=mLEtb9N9oMA

https://www.youtube.com/watch?v=7W33HRc1A6c

Live in the present without fear or worries.

Take care of yourself and those you love. :)

...and trust the math behind why your password cannot be cracked before you and all of the NSA are long-dead. ;)

@MichaelDurio This discussion has been instructive and detailed. Now, can we stop beating the dead horse? I think the agilebits personnel have other things to do, after all.

>

Just sayin'.

I hope you enjoyed the read. Whatever happens next, my job is done here; I've demonstrated the incredibly difficult math behind it all, dispelled all of the common myths, and adequately showed why you have nothing to fear from NSA or from supercomputers or even quantum computers. The mythical "they" are still never going to crack a good password before the contents under that password no longer matters (because it will be billions of years later and you'll hopefully all be long-dead by then - unless you're Zombies, uh oh).

Isn't it wonderful to know that the math is completely on your side? ;)

I honestly don't think people are going to keep beating this dead horse now. If so, just point them to this discussion.

Take care, everyone.

manny

@Uno_Lavoz What relevance does George Carlin have to this thread? He was a misanthropic nihilist who gave up on the world, on humankind and on life. It seems to me that behind that was a deep depression which he tried to self-treat with alcoholism and a vicodin addiction. I sincerely hope you don't feel the same way he did.

Uno_Lavoz

@manny Did you read Sacred_Brindle's posts? He jumps from 9/11 truth to MK-Ultra mind-control, to CIA programs, to FBI, to NSA, to spies infiltrating every level of our society, and on and on and on. He's full of fear. So I told him: Look, the math is on your side and you can completely relax as far as password cracking goes. As for all of that other stuff - humanity is fucking itself with or without you, so why bother getting involved (and Carlin expresses this point well).

Don't let that stuff consume your life. Take care of yourself and those you love and make the world a better place by leading by example. Be great at something and inspire others to greatness.

Let those little, pathetic "elite" bastards run around at the top and try to control everything. They don't matter in the long run. Nobody is immortal. Not one human. Not even humanity as a whole. So why be concerned? Relax and have fun while it lasts. Time solves everything for you and shows you that it's completely futile to try to protect what will inevitably implode and be wiped out. Sure, things can be affected a tiny bit in the short-term. However, with enough perspective, you'll see that humanity cannot last forever. So who cares? I am not a nihilist. I don't feel defeated by any of this, because I don't start out from the faulty position of believing there is something that could ever be protected in the first place.

I feel humbled, knowing that humans are but a mere speck in the vastness of time and the universe. Most of all, I feel uplifted, knowing that the most beautiful moment we have is here and now.

The reason I got involved in the topic is that I'm in a position to answer all of the mathematical / probability concerns. I shouldn't have wasted my time answering off-topic conspiracy theory stuff. ;-)

benfdc

I have yet to read of anyone ever suffering an actual 1Password security breach or blaming it for a drained bank account.

My wife suffered an actual 1Password security breach. My wife has both 1Password HD and 1Password 4 on her iPad, and I have both 1Password Pro and 1Password 4 on my iPhone. We each decided to keep our keychains in the old 1Password apps on the other's devices. When I was trying to sync my keychain to 1Password HD, the program disclosed to me a phrase that I suspected might have been my wife's master password. I asked her, and it was.

She was not amused, and neither was I.

manny

@Uno_Lavoz I appreciate your insights into the mathematical aspects of these security concerns. :-)

@benfdc Whoa. I hope you reported this security leak to AgileBits so they can fix it... seems critical, when it leaks the master password... /cc @jpgoldberg

benfdc

@manny—

I agree that it is a critical problem. I don't know whether it can be fixed given that 1Password HD (which was also sold as part of the 1Password Pro bundle) is no longer available in the App Store. Even if the bug cannot be fixed, there may be steps that users of 1Password HD can take to protect themselves, but I’m not a coder myself and I have no idea whether this is so or what those steps might be.

The original 1Password apps for iOS—unlike the current 1Password 4 for iOS—stored the master password for the desktop keychain in order to allow the use of a simpler master password for 1P/iOS itself. This was understood to be a potential vulnerability, which is why the security architecture was changed in 1P4/iOS. I inadvertently stumbled into a way to exploit that vulnerability when I was trying to get my keychain onto my wife's iPad. I don't understand why the app should ever offer to disclose its stored desktop keychain master password to the user, but that is what happened.

This all happened on the evening of August 31, 2013, as I worked to get my keychain onto my wife’s iPad, and hers onto my iPhone, ahead of the September 1 Dropbox sync cutoff. I reported the leak here on September 1. Someone subsequently altered the title of my post, which I had put up as Master Password Exposed.

onepassword_user

I just observe it all in amusement. Not really bothered by any of it.

Hmmm, doth thou really?

-or-

Cool story bro.

Uno_Lavoz

@onepassword_user Did you know that it is anatomically impossible to lick your elbow... and that 75% of the people who hear that actually try to lick it?

@manny You're welcome. :) I am just glad to help ease people's minds and help them cross off a few things from their worry-lists.

jpgoldberg

This is a fascinating thread, and I'm sorry that I haven't been able to participate in the forums over the past few weeks.

@Uno_Lavoz has been making a point that I often make: Attackers will not go after the strongest part of a system. So there is a point at which discussion about the strongest part is "academic". We descend into questions about exactly how many billions of times the age of the universe it takes to crack something.

And again, I'd like to reiterate what so many have said in various ways: If you aren't asking questions about the trustworthiness of the security systems that you are using then you haven't been paying attention.

I'm guessing that we have a fairly broad consensus on those two things. But we do have differences in temperaments, and that leads to how we may approach various security issues.

One thing that I've noticed is that because the strongest part of a system is often the most salient, that is the part that people worry about the most. I find it fun to think about the strongest parts of the system (the cryptography). So there are many ways in which people can be drawn to that.

Sure there is no way anyone or anything is going crack a randomly generated password that is 23 mixed case characters long (approximately 129 bits), but it remains perfectly reasonable to ask how much weaker or stronger such a password might be in comparison to other things.

Cheers,

-j

–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com

benfdc

@Uno_Lavoz—

Did you know that 87% of all statistics are just made up on the spot? ;-)

Uno_Lavoz

@benfdc - Just admit that you just tried to lick your elbow. ;)

MrC

@Uno_Lavoz:

https://www.google.com/images?hl=en&q=lick elbow

Uno_Lavoz

@MrC Lies I tell you, liesss! Those people are clearly all photoshopped in a vast conspiracy by the aliens to make us believe that it's possible to lick our own elbows for their amusement. The act of attempting to lick our elbows is what powers their fleet of spaceships. The truth is out there.

Space-David Duchovny believes me and he cries for your ignorance... You poor, poor soul. :D

("Oh my god... David's bloated, floating space-head is larger than the moon!" - Anonymous Eyewitness Account.)

LosInvalidos

Security is and will always be a trade of between convenience and security. Most people will choose convenience. 1Password walks the line of providing convenience to security aware users.

For me, the important aspect is: who has access to my keyring file (encrypted or not). About encryption: algorithms may now be considered safe. But 20 years from now? I don't know. And no one who is honest does. So retaining control over my data is the most critical aspect (if you do care about privacy). If you don't, go out and sync your address book over the iCloud but then again, why are you reading this thread?

What I just wrote is real. Want an example: Cryptocat - a software offering secure chat. Well until they found out things were completely broken and all chats were decryptable. So from Summer 2013 on, Cryptocat can be considered safe - but all previous chats are borked! What happened? Well, they used their own crypto. Since 1P is not doing that, that is a plus point on their side.

Additionally to the question of wether 1P has a backdoor or not, there's the other question if it's possible that with some master key encryption can be reverted. AgileBits has a few arguments on their side, that might propose it's in their interest to not break things and that that is not the case.

I'm very grateful for the decision to allow users local sync (although I prefer USB over WIFI, because it's much harder to grad traffic from a USA cable then from a WIFI). Unlike Apple, who with 10.9 Mavericks kills local offline sync between OS X and iOS for address book, calendar and other data. That means they force users to use the iCloud for syncing the most private thing there is: your address book and calendar. I understand many people don't think this is protectable data. But just think how much man power, money and time was invested in countries like the infamous DDR or China to find out about the relationships between people. And nowadays we give that data to private companies for free. That is totally unacceptable. But since Apple is getting around 1k requests from US agencies per month I for one am not going down that road.

Back to 1P: It's in the nature of things, that the NSA has interest in breaking crypto. They have several thousand people working on that at the very moment. So while currently things might be save, be aware that as soon as you give data out of your hands, you loose control over that data - encrypted or not. Also is you use the iCloud be aware that your precious data will be stored on US soil. That implies US jurisdiction will apply. Even if AgileBits should ever feel the necessity to move it's jurisdiction because things get too hot, your data still lies in US jurisdiction. And the privacy laws in US, well let's say they are not the best you can get.

To conclude: Not saying AgileBits has bad intentions. But don't make the life of those three-letter-agencies easier than it could be (re-consider your cloud usage, may that be iCloud or Dropbox). Also you might want to give apple your feedback about killing local offline sync.

Uno_Lavoz

@LosInvalidos You just rehashed a bunch of prior concerns without reading the thread, the AgileBits blog (especially Jeff Goldberg's posts on his blog and here; most of which are linked from here), nor my posts that go over the mathematics of it all.

You clearly just came here to get your thoughts out without bothering to check any facts. I hope it felt good to revive a thread that is already dead and done.

If you need a structured summary with pretty pictures, I point you to http://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/. If you want further in-depth reading, I suggest reading every post in this thread from start to bottom.

The executive summary is this:

• Bruteforcing AES256 (which you advocate) would take millions of times longer than the age of the universe. No computing advances will change that fact before you are long-dead. You are mortal, right? If you are, then stop worrying about AES crypto strength.
• Agencies attack the plaintext passwords (weak passwords, such as dictionary words and short passwords), but for all good passwords they must instead rely on coercion, backdoors and trojans (especially keyloggers) to get your secrets. They never attack strong crypto (such as AES) or complex passwords directly, since there's no way they would find the password before our solar system ends. The math is on your side. It doesn't matter how powerful their machines are - cryptography is a mathematical problem and they can't avoid doing the math.
• Most people also seem to forget that they don't care whatsoever about breaking into Joe Schmoe's 1Password database. They choose their targets very carefully - with a focus on terrorists. This whole discussion is academical and quite laughable, since as far as I know there are no terrorists using 1Password. =))
• Although if terrorists were using it, 1Password would keep them completely cryptographically safe (AES-256). Their personal password strength, on the other hand, is another issue entirely. The crypto is not the weak link here. Your security begins and ends with your password strength. Please choose good passwords.

There you go. Please don't keep beating a dead horse.

LosInvalidos

@Uno_Lavoz seems you have some sort of view into unknown territory. I for one, do not know, what the future will bring.

Also I'm not gonna let you tell me where to post and where not. Thanks.

You say: "They never attack the crypto directly" - Well then I really wonder, why the NSA has literally thousands of people working on just that. Just for the fun of it? 35 thousand people working on breaking crypto, reports Wired and you say "they never attack crypto". I don't even know where to start...

Also you might want to read Bruce Schneiers blog entry "The NSA Is Breaking Most Encryption on the Internet".

That also shall be my last post in this thread, since I'm incredibly tired of arguing with people like you. May the reader decide for himself...

PS: Thanks for calling me ignorant.

Uno_Lavoz

Uhm... Not only haven't you read anything on these forums, AgileBits' blog posts, or the net at large. You clearly haven't even been reading Bruce Schneier's posts. Amusingly enough, you haven't even read the exact post you are linking to (or if you did, then you didn't understand it). His "The NSA is breaking most encryption on the internet" headline is referring to internet encryption: HTTPS (SSL/TLS), in this case RC4, which is completely different from AES.

In fact, when it comes to the web, RC4 is just one of several different SSL/TLS algorithms that are available for negotiation between web browsers and webservers, and has been considered one of the weakest for years, long before we even knew about the NSA. Unfortunately, lots of cheap webservers are configured to use that weak algorithm (RC4) since it requires very little CPU use per visitor (which is also why it is so easy to crack) and is enabled by default. However, the biggest reason for its continued use is the mid-2011 "BEAST" attack, where a very serious design-flaw in the first version of SSL/TLS 1.0 meant that the encryption keys for super strong cryptos suddenly became predictable and easy to crack as long as you could inject known-plaintext into an encrypted datastream. BEAST is a browser-based attack that utilizes browser bugs and plugin-exploits to do exactly that, which in turn means that an attacker can capture your encrypted datastream, compare it to the known-plaintext that they injected, and figure out what encryption key was used. That BEAST attack affects all variants of SSL/TLS except for the newer TLS 1.1 protocol. Unfortunately, lots of old browsers and outdated servers don't support TLS 1.1 - so the only workaround against the BEAST attack was to disable strong algorithms such as AES-CBC on the web and instead re-enable the weak RC4, which wasn't affected by the BEAST plaintext attack. The only thing that this recent NSA RC4 news has done for the world is to show the world that we need to speed up adoption of TLS 1.1 so that we can go back to the ultra-strong AES-CBC.

Mathematically speaking, RC4 is terrible. But that has absolutely zero to do with AES. That would be like me saying "My front door has no lock (RC4), therefore all other front doors (including AES) are unsafe."

Don't you see how annoying it is when yet another ignorant person comes in and doesn't even bother to read up on the subject before having things to say about it? This thread is full of information where you could have educated yourself. Instead, you had to revive a dead thread and just waste time repeating the very things that had been discussed to death prior to your arrival. That attitude is not only ignorant; it's arrogant. It's an attitude that says that you know best and don't need to read up on the facts before posting. It wastes everyone's time.

As for the incredible, supercomputer-resistant strength of AES (which is what 1Password uses and what this discussion is about):

@LosInvalidos "seems you have some sort of view into unknown territory. I for one, do not know, what the future will bring."

It's only unknown territory to you. You've taken an ignorant point of view and now you're defending it. Again, all of the math has been gone over in-depth in this thread, Jeff Goldberg's blog and forum posts, and my posts. You are welcome to read them.

manny

@Uno_Lavoz @LosInvalidos Come on guys, let's stay classy and not call each other names. I think everyone involved in this discussion has the right agenda; we want to make sure 1Password doesn't have security flaws, by means of openly discussing the theory instead of blindly trusting.

By the same token, have you read this article? http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
Could a rootkit malware get access to 1Password data, for example by logging the keystrokes or reading temporarily unencrypted data in the RAM?
@jpgoldberg