Password creation for secondary vault [Will be improved in the near future, no timeframes]

benfdc Perspective Giving Member
edited June 2015 in Mac

This is revisiting an issue from a closed 2013 thread in the Mac Beta forum.

I just went to create a secondary vault for securely exchanging passwords with my wife. I was greeted with the following:

Let’s count the serious problems here (I do not count as serious problems grammar issues, or the fact that the “only password you have to remember” tag line makes no sense in the context of secondary vaults—you probably do not have to remember a secondary vault password, but even if you do it is not the only password you have to remember):

  1. There is no random password generator.
  2. There is no checkbox option to automatically store the master password for the new secondary vault as a password item in one’s primary vault.
  3. The advice on how to compose a master password is extremely poor.
  4. Kerckhoffs’s principle applies here: attackers can exploit the poor advice you are giving your users on how to compose master passwords.
  5. If a secondary vault is being created in order to share passwords, the user will have to share that vault’s master password, which could disclose to other people the user’s method for composing master passwords. If that method is as pathetically weak as “an easily remembered sentence,” a user following your advice will jeopardize the security of his or her primary vault.

I could go on at length, but the tl;dr version is already in the 2013 beta forum thread. In that thread, a plausible defense of the master password-composing advice in this vault creation box was offered: we don’t want to scare off new users with complicated ideas like diceware when they first encounter the app. While there is some merit to keeping vault creation simple in the first-use setting, this argument has no validity IMO in the context of creating a secondary vault. Fixing the secondary vault creation box to facilitate the generation and secure storage of a strong master password is worth doing for its own sake. As a bonus, it will probably yield lots of insights on how to improve things for first-time users as well.

The final status of that 2013 beta forum thread was “rest assured that we'll improve this in a future update.” I was very disappointed to discover this morning that the wait is not yet over. The continued absence of a random generator when creating a new vault—especially a new secondary vault—is just incomprehensible to me. And while I am on the subject of random generators, AgileBits has been advocating the use of randomly-selected words (diceware-style) in master passwords for many years—Jeff’s original “Toward Better Master Passwords” blog post dates from mid-2011. Your 1P/Mac customers have been waiting for a diceword generator for far too long.
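
An added example, not part of the original post and not AgileBits code: a minimal diceware-style generator of the kind the post asks for, with its entropy computed under Kerckhoffs's principle (the attacker is assumed to know the word list and the word count). The 16-word list and all function names are constructed for illustration; a real Diceware list has 7776 words.

```python
import math
import secrets

# Constructed sample list for illustration only (16 words = 4 bits per word).
# A real Diceware list has 7776 entries (6**5, five dice rolls per word).
SAMPLE_WORDS = [
    "amber", "brick", "cedar", "delta", "ember", "flint", "grove", "haste",
    "ivory", "joker", "knoll", "lemon", "mango", "noble", "olive", "pearl",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def validate_wordlist(words):
    """Reject lists whose real entropy is lower than their length suggests."""
    if len(words) < 2:
        raise ValueError("word list too small")
    if len(set(words)) != len(words):
        raise ValueError("duplicate words reduce the effective list size")
    if any(not w or w != w.strip() for w in words):
        raise ValueError("empty or whitespace-padded word")
    return list(words)


def entropy_bits(list_size, word_count):
    """Entropy in bits when the attacker knows the list and the word count."""
    return word_count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits for a given list size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, word_count, separator=" "):
    """Pick word_count words uniformly at random using the OS CSPRNG."""
    words = validate_wordlist(words)
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    if separator == "":
        # Without a separator, different word sequences can join into the
        # same string, so the entropy estimate above would no longer hold.
        raise ValueError("separator must not be empty")
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 5))
    print(f"sample list, 5 words: {entropy_bits(len(SAMPLE_WORDS), 5):.1f} bits")
    print(f"7776-word list, 5 words: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
```

The strength figure depends only on the list size and the number of words drawn, not on the method being kept secret.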

Comments

  • MikeT Agile Samurai

    Team Member

    Hi @benfdc,

    Thanks for writing this in, you're right that it is taking us too long to improve this. I've been asking for this as well and I'll nudge the team again about improving this sooner.

    you probably do not have to remember a secondary vault password, but even if you do it is not the only password you have to remember):

    Correct, the problem is that we're reusing the same prompt as the primary vault creator, so it's not currently contextualized to fit the secondary aspect of this.

    There is no random password generator.

    Absolutely, as a password app, it should show off the best feature, the generator. Also, it should be using dice-ware as you mentioned to be our best recommendation for vault passwords.

    There is no checkbox option to automatically store the master password for the new secondary vault as a password item in one’s primary vault.

    We're still trying to figure out the best way to handle the vault passwords. Once we figure it out, we'll update the vault creator to reflect this.

    If a secondary vault is being created in order to share passwords, the user will have to share that vault’s master password, which could disclose to other people the user’s method for composing master passwords. If that method is as pathetically weak as “an easily remembered sentence,” a user following your advice will jeopardize the security of his or her primary vault.

    You raise a very good point and Goldberg will agree as well. We'll have to change this and provide proper and updated guidelines.

    I wish I could give you a better timeline or even say it will happen sometime this year but we don't release details like this early. All I can do is promise you we are fully aware that we're not handling this timely and we do plan to fix that.

  • benfdc Perspective Giving Member
    edited January 2015

    I appreciate the validation, @MikeT. Hoping for good news sooner rather than later.

    Regarding proper and updated guidelines, you have good ones in a number of places, but nothing (not even a reference link) where it counts—at vault creation time.

    On the “checkbox” point, I suppose that there are a number of UI options. What motivated my comment was that the “keep a written copy in a safe place” advice in the vault creation box strikes me as somewhat off in the context of secondary vaults. Is there something special about secondary vault passwords that would warrant this sort of treatment? I recognize that my secondary vault may be someone else’s primary vault, so that other person may want to keep a written copy of the master password somewhere for safekeeping. But for myself, I cannot imagine a better storage location than my primary vault.

    Related point: I don't need a hint for the password for a secondary vault, because I am storing that password in my primary vault. Maybe the person I am sharing my vault with could use a hint, but a hint that I make up would not necessarily be a good hint for that other person. Not sure what a good solution might be, but I figure I might as well toss in my observation.

  • Megan 1Password Alumni
    edited May 2015

    Hi @benfdc,

    Is there something special about secondary vault passwords that would warrant this sort of treatment? I recognize that my secondary vault may be someone else’s primary vault, so that other person may want to keep a written copy of the master password somewhere for safekeeping. But for myself, I cannot imagine a better storage location than my primary vault.

    You're right, for secondary vaults, the best place to store your passwords is likely in your primary vault. At least that's what I have been doing.

    Related point: I don't need a hint for the password for a secondary vault, because I am storing that password in my primary vault. Maybe the person I am sharing my vault with could use a hint, but a hint that I make up would not necessarily be a good hint for that other person. Not sure what a good solution might be, but I figure I might as well toss in my observation.

    You make a lot of good points. :) We'll take this into account when refining our vault design.

  • benfdc Perspective Giving Member
    edited June 2015

    I wish I could give you a better timeline or even say it will happen sometime this year but we don't release details like this early. All I can do is promise you we are fully aware that we're not handling this timely and we do plan to fix that.

    Five months later …

    In the 2012 blog post that I linked to at the top of this thread, AgileBits (channeled by @jpgoldberg) writes:

    We design 1Password so that doing the easy thing is also doing the secure thing.

    You are falling down here, and it is hard for me to think of a worse place to fall down than during the creation of the master password for a 1Password vault.

  • MikeT Agile Samurai

    Team Member
    edited June 2015

    Hi @benfdc,

    As I mentioned before, we absolutely know this should be improved sooner and as you quoted me, we do not have any timeframes we can share with you on this.

    We have a lot of stuff that we need to work on first and a redesigned vault creator is still on our list, alas with no timeframe next to it. This means it may not even happen this year or next year but it'll be finished when we can get to it.

  • benfdc Perspective Giving Member

    Thanks, Mike.

    Without being privy to business considerations, technical issues, or the insights that y’all gain from customer support, I am not in any position to judge the way that things are prioritized. All I can do is tell you how it looks from where I sit, and from where I sit it is hard to imagine that there is a weaker link in the 1Password security chain than master password creation.

  • Megan 1Password Alumni

    Hi @benfdc,

    Thanks so much for providing your feedback here, and for taking us to task on issues that you feel are important. Just as you can't quite see how it looks from our side of the fence, it is so vital that we are reminded every now and again of how things look from our users' side of the fence.

    I'm sorry that we can't give you a more definite answer right now, but we really do appreciate you taking the time to check in on us. :)

  • benfdc Perspective Giving Member

    Thanks, Megan.

  • brenty

    Team Member

    No, thank you, Ben! This is certainly a hard problem. Ultimately, how this needs to be both presented and set up will vary from person to person, so it's difficult to settle on something that is both comprehensive enough to cover most common cases and concise enough as to not be overwhelming. This applies both to helping people understand how they might want to use their secondary vault, and also choose a strong but memorable Master Password — which, as you pointed out, also needs to take into account the vault's 'target audience'. Whew! :dizzy:

    Until we come up with something that strikes a good balance between these considerations, we're going to stick with keeping it simple. And while this is inadequate, we'd love to hear if you have specific recommendations on how we can improve this. :)

  • benfdc Perspective Giving Member
    edited June 2015

    @brenty—

    Re-reading Jeff's posts in the old thread serves as a very good reminder of just how hard a problem this really is.

    That said, I have two thoughts on how to improve on the status quo.

    One is something that I said in the old thread:

    I would think that there is a body of research out there on the best password advice one can give an ordinary user with a reasonable expectation of success. And I would also expect that someone at AgileBits would know where to find that research, or at a minimum know whom to ask in order to be directed to it.

    Is this really virgin territory? Or is “think of an easy-to-remember sentence” considered to be state-of-the-art advice? IMO either is frightening if true.

    My other thought is that it ought to be possible to offer advanced users helpful tools (such as a random generator) without scaring off newbies. You can hide things but offer to reveal them. This is done, for example, with the standard password generator, where the recipe and options are hidden by default.

    —Ben F

  • brenty

    Team Member

    Is this really virgin territory? Or is “think of an easy-to-remember sentence” considered to be state-of-the-art advice? IMO either is frightening if true.

    @benfdc: Point taken! Unfortunately it's what happens to work for a lot of people. A long sentence is always going to be harder to guess than the single-common-word passwords that most people choose.

    And I don't mean this as an insult to 1Password users or anyone else; but rather, we do see from the password dumps released from compromised sites that our collective tendency as human beings is to use really, really bad passwords: short, simple, and easy to remember. If we can eliminate 'short', that helps a lot, as most folks simply aren't willing to give up 'simple' or 'easy to remember'.

    Can we do better? Absolutely! However, most password advice has an expiration date. Passwords which were infeasible to crack a few years ago are within reach, thanks to the ever-growing body of research in this area and steady march of technology itself.

    My other thought is that it ought to be possible to offer advanced users helpful tools (such as a random generator) without scaring off newbies. You can hide things but offer to reveal them. This is done, for example, with the standard password generator, where the recipe and options are hidden by default.

    Excellent point! But unlike website passwords, which can be completely random and unmemorable, the Master Password has much more weight on its shoulders when it comes to the burden of being both infeasible to guess and memorable. For this reason, I'd be hesitant to whole-heartedly endorse hiding complexity in this case (as we do with the password generator) since complexity is so important in this case (with a different password for each site, a breach of one isn't the end of the world, for instance).

    And while the screenshot above appears rather damning, I think that it's important to remember that for novice users it's the password strength meter that is most beneficial (and we've made changes to this over the years to keep up with the research), as it provides instant positive (or negative) feedback, to let you know in real time that a little change can go a long way.

    Ultimately the more we push people to use more complex passwords, the more they will forget them, so we're just trading one problem affecting users for another. This is a sad state of affairs indeed, but unless we can come up with a solid solution to both problems I'm not sure that this is something where a 'toss it against the wall and see if it sticks' mentality is a good thing.

    Peripherally, I am personally fond of the 'password haystacks' concept, and while I think it is useful, I'm not certain that novice users would be inclined to take the time to understand it. :(

  • brenty

    Team Member

    And I'll also add that those of us who are inclined to participate in discussions such as these probably don't even need password advice (and perhaps wouldn't take it anyway!), so it's really the novice users, who by definition won't be represented in this discussion, that we really need to consider most.

  • benfdc Perspective Giving Member
    edited June 2015

    From Gibson’s Password Haystacks page:

    the attacker is totally blind to the way your passwords look

    That is, like, so 20th century. Today’s attackers know quite a bit about how most users’ passwords look, and they now know even more about how a typical 1P/Mac user’s master password looks (I haven’t created 1Password vaults on other platforms). If hashcat and John the Ripper have not tuned their 1Password OPVault cracking modules to screen for easy-to-remember sentences by now, it just shows that they stopped paying attention.

    And I'll also add that those of us who are inclined to participate in discussions such as these probably don't even need password advice (and perhaps wouldn't take it anyway!), so it's really the novice users, who by definition won't be represented in this discussion, that we really need to consider most.

    Yes. This thread, and the older one, are all about novice users. The ones who don't pore over the documentation on the website, who don't prowl the forums, who don’t read the blog, and therefore who are very unlikely to realize how weak their master passwords are.

  • brenty

    Team Member

    the attacker is totally blind to the way your passwords look

    That is, like, so 20th century. Today’s attackers know quite a bit about how most users’ passwords look, and they now know even more about how a typical 1P/Mac user’s master password looks (I haven’t created 1Password vaults on other platforms).

    @benfdc: I think the idea behind password haystacks is that we can make passwords that don't conform to the way most passwords look, but that might be derailing the topic. Sorry about that! :dizzy:

    At the very least, it could be beneficial to rewrite the current dialog and add some additional information, so I've been experimenting with some ideas in that vein. But while I'm not sure that goes far enough, I don't have any idea what a real solution would look like. In fact, the more I think about it, the more I suspect that there isn't one, since — as you mentioned — any concrete advice we give just provides a target for crackers to focus on. :angry:

  • benfdc Perspective Giving Member
    edited July 2015

    @jpgoldberg blogged in 2012:

    [P]eople are actually terrible at constructing “random” passwords no matter how clever they think their scheme is.

    and, later in that same post:

    [T]he only strong password is one that is randomly generated. But what do you do about setting your 1Password Master Password? You need to remember it, but it also should be strong (and thus randomly generated).

    So we can stipulate that one element of an optimal solution is giving users, at the time of vault creation, either a tool to generate memorable randomness or clear instructions on how to do it themselves. Or both. The other element of an optimal solution is doing it in a way that does not scare off new users. We can also stipulate that excelling at both of these is somewhere between difficult and impossible. My second-best solution would be to offer to add some randomness up front and give the user three options: "OK"; "No"; and "Remind Me Later," with an "Are you sure?" pop-up if the user selects No. This scheme is something that I am sure you have encountered in many other contexts.

    There is a serious ethical question IMO whether users should be encouraged to store extremely valuable and sensitive personal information in a 1Password vault if one knows to a moral certainty that many of them will have poorly-secured vaults. One way to address this would be to have a second pop-up window, following either a "Remind me later" or "No / Are you sure? / Yes," cautioning users that they may wish to defer adding sensitive information to their vault until they strengthen their master password by adding some randomness. Might that scare some people off? Yes. Is it the right thing to do anyway? I don't have an easy answer to that.

  • brenty

    Team Member

    So we can stipulate that one element of an optimal solution is giving users, at the time of vault creation, either a tool to generate memorable randomness or clear instructions on how to do it themselves. Or both.

    @benfdc: Agreed. I feel like the direction we can start in is with documentation (both existing and new) that helps to better address this.

    The problem with 1Password simply having a password generated by default or AgileBits giving concrete recommendations about Master Password composition (as opposed to general advice) is that anyone has access to this information, either within the app itself or on our website.

    So if we add a Diceware (✕5) generator to the new vault dialog, most of the users will just end up with a 5-word Diceware phrase, and this reduces the space that a cracker would have to search in order to brute force the Master Password. Similarly, if we tell people "this is how you should make your Master Password", many will follow this advice. And it would be good advice, right up until cracking tools are updated to account for this, reducing the effective entropy of our most vulnerable customers' Master Password. They simply want to use 1Password without having to do a lot of research about how to make a strong password; after all, that's what they got 1Password for in the first place! But all of this makes even "randomness" less useful.

    There is a serious ethical question IMO whether users should be encouraged to store extremely valuable and sensitive personal information in a 1Password vault if one knows to a moral certainty that many of them will have poorly-secured vaults.

    Ultimately, we're less worried about scaring off users than we are giving the bad guys a concrete target. I don't believe that we encourage anyone to store anything in particular in 1Password. It's a tool, after all. And I think we may have to agree to disagree about the "ethical" question, as AgileBits simply cannot make people choose good Master Passwords.

    This probably isn't the best analogy, but I feel like this would be similar to saying that it is unethical for automotive companies to include safety features in cars because they may be used incorrectly — or not at all. But the truth is that seatbelts save lives; and a 1Password vault secured using the Master Password "1234" is still encrypted and therefore more secure than having login information stored in plaintext where anyone who walks by your office desk can sneak a peek. Will a terrible Master Password stop a determined hacker? Absolutely not! But I believe that 1Password is about increasing people's security, rather than perfecting it (since perfect security is only possible if the data is accessible to no one, ever).

    So in practice this means helping a power user increase their security by giving them both the tools and information they need to make informed decisions and act to keep their data secure. These people are the ones reading the knowledgebase and on the forums asking the hard questions. An intermediate user might gain a new understanding of basic security principles and relish generating and saving new unique passwords for every site they already frequent. And finally, a novice user can learn how to push all the right buttons to save their new logins with a unique password and secure them all in their vault, but they are less likely to do any research or go back and update all their pre-existing logins for websites.

    1Password can raise the bar for everyone's security, but people are unique when it comes to their baseline security and tech-savvy.

This discussion has been closed.