Good master passwords

I read the article "Toward Better Master Passwords" but still question what is "better". Obviously it is important to remember your master password, so there is a line you need to draw.
I have no idea how passwords get cracked, other than people using horrible passwords, like "password" or something personal. Assuming you are not using something like that, is a combination of numbers, letters and/or characters so much better than a string of numbers, or a string of letters that has no repeating code? Is there some sort of hierarchy one should look to?
Which is good, better, best? None of them mean anything to me personally.
I think this is an important discussion, being that your master password is the weak link.

372048781052010

Meandyouwedding2460

Wkpw2156$

54bluefilter?

Comments

  • jpgoldberg (Agile Customer Care, Team Member)

    Welcome to the lions' den, @safety1!

    Your question is extremely reasonable. Is password X stronger than password Y? It seems clear enough, for example, that we can say that olByWo9yIFp8NfOxSprJXX is a stronger password than Password1. And so you would think that people who study passwords would feel comfortable answering your question.

    The fact of the matter is that people like me run and hide instead of attempting to give you the sort of answer you expect. I am not going to give you an answer of the sort that you expect. But instead of hiding, I will try to explain why I can't answer.

    When talking about password strength:

    1. In practice the strength of a password depends on the strategies that will be used to attack it.
    2. In theory the strength of a password depends on the system that generated it.

    By the way I am in a minority of people who think that we can even talk about the strength of a password "in theory". Many think that the notion of password strength is theoretically incoherent.

    The only real way to know which are stronger is to have all of them used (in the same format) during a password cracking competition, such as KoreLogic's Crack Me If You Can, and see which ones get cracked first. Note that different teams in the competition may get different results of which they crack first, because different teams will be picking different strategies.

    I should note that I do (much to the ridicule of the password cracking community) offer up a theoretical definition of password strength, which you can watch in this video of the talk. If you want to view the PDF slides for the talk, it is best to view them in Single Page View. The definition is of no use in answering your question, as it would have to know (a) the very precise details of the system used to generate each password, and (b) the best cracking strategy for that system.

    I would so much love to be able to have actually provided a useful answer to your question. If I or anyone were capable of doing so, it would mean that we would be in a much better position when creating passwords.

    You might try them out in a variety of password strength meters. My guess is that you will get different results depending on the strength meter you use.

    Cheers,

    -j

  • In practice the strength of a password depends on the strategies that will be used to attack it.

    In theory the strength of a password depends on the system that generated it.

    Come on man, you can do better for us pure lay people. In practice there are probably countless strategies.
    In theory, well no theory here, just some random passwords.
    We are not looking for the holy grail of rememberable passwords just some ideas, theory if you would.
    Is it just a random walk for the password cracker, and if so would it mean that on any random password the longer you make it the more time and effort it takes to crack? That would lead to an answer, make it as long as you can remember, if it is truly random. That might make passwords with actual words good, not better or best.

  • Is it just a random walk for the password cracker, and if so would it mean that on any random password the longer you make it the more time and effort it takes to crack?

    So long as the password is truly random then yes, that is true. This is why the Diceware scheme insists on dice and not just the user picking random words from the list. As soon as human beings are introduced into the "random" selection process, you lose strength due to statistical flaws in human psychology.

  • prime
    edited February 2015

    The more I read about this, the more interesting I find all of this. I changed my master password 3 times (I re-encrypted my vault by doing this too, and I was amazed how I was able to remember my new master password.) I went from 10 characters (yes, I wasn't thinking) to 15, and now over 15 characters. I'm actually very proud of it and wish I could show all of you! Hahahaha! Acronyms help some people too, and might be a good way for you.
    "Making a long password that always makes sense to you might be the best for you, but not others plus one is nine"
    Ends up being:
    maLptams2YmBtb4y,bno+1i9
    Would that idea work @jpgoldberg?

    Or how about words to a song? Just throwing out some ideas :)

    I was also told not to use things/words that can reflect who you are, so using something with Transformers in it is probably not a good idea for me.

  • jpgoldberg (Agile Customer Care, Team Member)

    After I didn't answer @safety1's excellent question, I received a fair scolding:

    Come on man you can do better for us pure lay people.

    "Toward Better Master Passwords" really is the best I can do in terms of Master Password advice.

    In practice there are probably countless strategies.

    What attackers do is adjust their strategies based on the information they have and the task they are faced with. For example, an attacker would use different strategies when going after someone's 1Password Master Password than they would when going after a dump of password hashes from something like LinkedIn.

    There are lots of attack strategies. Generally crackers have "rule sets". These rule sets are patterns with some transformations. So for example, there is a rule set that looks for given names followed by 1, 2, or 4 digits. There are rule sets that go after phrases that can refer to birthdays and anniversaries followed by numbers that look like dates. Some of the transformations in these rule sets do things like replace 'e' with '3' or capitalize the first letter of a word. (Note that in both of your examples with capitalization, you capitalized the first letter only. This is very common practice.)

    Crackers have a repertoire of base "words" and rule sets. Where they often differ is in which rule sets they apply earlier and which later. Do they look for all digits before or after they look for things like `/^[A-Z][a-z]{2,6}[0-9]{1,4}[:symbol:]$/`? (Note that they do not write these as regular expressions, as that is not a useful description language for generating guesses. I just wrote it that way for familiarity.) The rules actually work in combination with each other to provide successive transformations.

    One of the cooler things that are done if the crackers are going after a bunch of passwords from a single source is that they will tune which rules to use and priorities in using them based on what they already discover. There are some schemes for automating that.

    Now someone who has gone out of their way to obtain your 1Password data is probably going to target their strategy based on what they know about you in particular. Because 1Password makes heavy use of PBKDF2, an attacker will try to configure their rule set based on what they know about the target.

    So yes. There are lots of strategies, and this is why I can't really say which password is best among those unless I know what strategies the attacker will be taking.

    But let's see what the zxcvbn password strength meter says about yours.

    Password              zxcvbn assessment (bits)
    372048781052010       49.8
    Meandyouwedding2460   29.0
    Wkpw2156$             45.8
    54bluefilter?         33.9

    It gave them all higher ratings than I would have, and it liked Wkpw2156$ much more than I do, but if you want a password strength meter, the zxcvbn one is among the best you will find.
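To make the point that strength depends on the system that generated the password and on the rule sets an attacker tries first, here is an added toy estimator (my own illustration for this thread, not zxcvbn and not AgileBits code). It prices each run of a password by the cheapest rule described above (all digits, dictionary words with "capitalize the first letter", a leading or trailing symbol) against a constructed eight-word dictionary, and compares that with the naive brute-force count; the dictionary, the 32-symbol count and the per-rule costs are assumptions.

```python
import math
import re

# Constructed stand-in for a cracker's base word list (real lists hold millions).
WORDS = {"me", "and", "you", "wedding", "blue", "filter", "password", "love"}
SYMBOLS = 32  # assumed: printable ASCII punctuation characters
TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|[^0-9A-Za-z]+")  # digit, letter, symbol runs

def segment(letters):
    """Split a lowercase run into the fewest dictionary words, or None if impossible."""
    best = [None] * (len(letters) + 1)
    best[0] = []
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if best[start] is not None and letters[start:end] in WORDS:
                cand = best[start] + [letters[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[-1]

def naive_bits(pw):
    """Brute-force view: every position drawn from the union of classes present."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^0-9A-Za-z]", SYMBOLS))
    space = sum(size for pat, size in classes if re.search(pat, pw))
    return len(pw) * math.log2(space)

def pattern_guesses(pw):
    """Rule-set view: price each run by the cheapest rule that would generate it."""
    guesses = 1
    for run in TOKEN.findall(pw):
        if run.isdigit():
            guesses *= 10 ** len(run)                    # all-digits rule
        elif not run.isalpha():
            guesses *= SYMBOLS ** len(run)               # leading/trailing symbol rule
        elif run.islower() or (run[0].isupper() and run[1:].islower()):
            cap = 1 if run.islower() else 2              # 'capitalize first letter' rule
            parts = segment(run.lower())                 # dictionary words, if any
            guesses *= cap * (len(WORDS) ** len(parts) if parts else 26 ** len(run))
        else:
            guesses *= 52 ** len(run)                    # mixed case: no cheap rule
    return guesses

def pattern_bits(pw):
    return math.log2(pattern_guesses(pw))

if __name__ == "__main__":
    for pw in ("372048781052010", "Meandyouwedding2460", "Wkpw2156$", "54bluefilter?"):
        print(f"{pw:22} naive {naive_bits(pw):5.1f}  pattern {pattern_bits(pw):5.1f} bits")
```

Run against the four passwords above, the word-based ones lose most of their naive bits while the all-digit one keeps them, which is the same direction zxcvbn reports.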

  • edited February 2015

    @jpgoldberg @svondutch commented about changing the strength meter in 1P4fW:
    https://discussions.agilebits.com/discussion/36048/improved-password-strength-meter-in-4-1-0-538

    Password              zxcvbn strength (bits)   passwordmeter strength
    372048781052010       49.8                     38
    Meandyouwedding2460   29.0                     100
    Wkpw2156              45.8                     76
    54bluefilter?         33.9                     61

    It seems that @svondutch's choice of strength algorithm is even more optimistic than zxcvbn, which is a little worrying when @jpgoldberg is criticizing zxcvbn for being too optimistic.

  • @RichardPayne I'm afraid there is no official weighting system. The strength meter in 1Password is neither perfect nor foolproof, and should only be utilised as a loose guide.

    That being said, I have tuned the password meter in 1Password for Windows, bringing it closer to the zxcvbn results. To be included with 4.1.0.BETA-541 /cc @jpgoldberg

  • Ah ok, so it's an algorithm based on passwordmeter rather than a verbatim copy.

  • so it's an algorithm based on passwordmeter

    @RichardPayne Correct. It starts looking at character length. Then there are additions that make your password stronger, and deductions that make your password weaker.

  • jpgoldberg, now that's what I'm talking about. That answer and all the followups are very helpful to everyone. You should probably lock this at the top of the forum for all to read. I'll take credit. A realization that even a random password that models the form of words, followed by something that, although it has no meaning, is in date form, weakens its strength.
    Finally, would it not make sense, since our 1P password is the golden goose, to have first a user ID then password to get into 1P? How much harder would that be to crack?

  • @safety1 from a security point of view, a username would be utterly irrelevant. It would be the same as adding some extra characters to your master password.

  • I'd have to agree with RichardPayne here. A username is about identifying an account which is different from a password for an account where you are authenticating that you are indeed that user. Here, the Master Password is the key for decrypting the encrypted files.

  • edited February 2015

    @Safety1 wrote:
    "That answer and all the followups are very helpful to everyone. You should probably lock this at the top of forum for all to read. I'll take credit. A realization that even a random password that models the form of words followed by something that although has no meaning but is in date form weakens its strength. ..."

    @RichardPayne elsewhere replied to another comment:
    "It used to be, but that's really not the case any more. In my experience it is more an irrational fear of breaking something that stops people using software properly, combined with an unwillingness to learn new things. It's little surprise to me that this often correlates with age."

    As one of those at the older end of Richard's scale, I had a lot of trouble getting started with 1P. After I got into it and had created multiple vaults, made new logins, had Dropbox working, and had "improved" the passwords for various websites, I started realizing that my Master Password was actually my "weakest link". I'm now faced with the question of going back and doing it all over again with a "better" password.

    Back at the beginning, I could and did start over a number of times. But I was in the process of learning 1P, not thinking about the strength of my all-important Master Password.
    My regret with 1P is that there was not sufficient "education for newbies" about the need to understand the "permanence and significance" of the Master Password before going so far with development.

  • hawkmoth
    edited February 2015

    @Lamplighter said,

    I'm now faced with the question of going back and doing it all over again with a "better" password.

    Actually, you don't have to start over again. You can change your master password without affecting the data you've already saved. There is a small issue of how the encryption keys interact, but even that can be handled without much trouble. I say this as an "older" user myself. At the very least, just go to the option to change your master password and establish an excellent one.

    I'm off to try to resurrect a post about also re-encrypting your data when you change master passwords. I'll post back with a link when/if I find it.

    Edit: I'm back. I had the post bookmarked. You can read about setting a new master password and re-encrypting the data here.

  • @Lamplighter master passwords are not permanent. You can change your master password from the Preferences window.

    That said, if you feel that a copy of your vault with a weak master password may have fallen into the wrong hands, then starting with a new vault might not be a bad plan, just to get fresh encryption keys. That isn't too hard to do though. Just export all of your data into a csv file and then re-import it into the new vault. Make sure you securely delete the csv after you're done with it.

    There are articles on importing and exporting data here:
    https://guides.agilebits.com/1password-windows/

    I couldn't find anything in the Mac user guide, so I've no idea if it's possible there.

  • MrC (Community Moderator)

    Just export all of your data into a csv file

    Use 1PIF.

  • Why? What's the advantage?

  • MrC (Community Moderator)

    CSV export is very limited; only Logins are exported on 1Password for Windows, and the export is lossy with respect to other data contained in the record.

  • @hawkmoth wrote:
    "Edit: I'm back. I had the post bookmarked. You can read about setting a new master password and re-encrypting the data here."

    Your effort is truly appreciated. I started reading and morphed into skimming the various replies, and as one person commented: "I'm confused"

    Before going back and re-reading, maybe you can comment on one of my concerns...
    I am in a family network with my wife and daughters, using Dropbox to sync my secondary vault (B) with my wife and my vault (C) with my daughters.
    These other family members "see" these vaults (B) and (C) respectively, as secondary vaults to their own primary vaults.

    Am I correct that changing my own Master Password will not affect the communications via Dropbox with my other family members?

  • Hi @Lamplighter,

    I'm glad that Hawkmoth has helped you out with that link. It is a bit of a complicated post, so if you do come out of it with any questions, we're here to help. :)

    Am I correct that changing my own Master Password will not affect the communications via Dropbox with my other family members?

    You are correct. Changing the Master Password on your primary vault will have no effect on the secondary vaults.
