Password Generator


Wondering if you are planning on reworking your Password Generator?

I have read, looking around, that some people out there have cracked password generators to get the algorithm the generator spits out, to help harvest passwords from it. Some say there are some password generators that create more secure passwords than others.

Anyway, I don't select "allow characters to repeat", which I guess means two of the same character side by side.

But I would like a box to check or uncheck that would make it so no characters repeated at all in the passwords it generates if possible.

I've noticed a lot of generated passwords having multiple of the same character.

I posted this because I had recently generated a somewhat short password, and it had four of one number in the password, and two of another.

Now I can understand that under certain circumstances you may have to have a character repeat, based on your settings and the length of the password. But I've noticed several times it repeating the same character when it didn't need to. It would be nice if you could force it to never repeat a character unless it just had to.

Also, would it help with security if you could also select for it to put in special characters? i.e. characters that generally aren't on the keyboard? I guess even if you were able to use them, it would depend on whether the site you put the password into would accept those characters or not.

Comments

  • RichardPayne
    Community Member

    Anyways I don't select to allow characters to repeat. Which I guess is two of the same characters side by side.

    Why? How does that help?

    But I would like a box to check or uncheck that would make it so no characters repeated at all in the passwords it generates if possible.

    That would actually reduce the complexity of your password by making it less random. Each character guess reduces the number of combinations available from the subsequent characters.

    Also, would it help with security if you could also select for it to put in special characters? i.e. characters that generally aren't on the keyboard? I guess if you were to even be able to use them, then it would depend on where you put the password if they would accept those characters or not.

    That sounds like a horrible can of bugs to me, although it would increase the search space.

    @jpgoldberg any comments or corrections?

  • svondutch
    1Password Alumni

    Wondering if you are planning on reworking your Password Generator?

    What is wrong with it?

    Some say there are some password generators that create more secure passwords than others.

    Some password generators are better than others, but they all are better than a human being :)

    Also, would it help with security if you could also select for it to put in special characters?

    No it wouldn't. As a matter of fact, the things you are trying to accomplish (including not allowing characters to repeat) are weakening the entropy of your password.

  • baker
    Community Member

    Okay, I had read you should UNcheck "allow characters to repeat". But then I searched more and read some people on here saying you get a stronger password if you check it.

    I had noticed characters repeating a lot, and did a short password recently that came up with 4 of one number, and 2 of another, in the password it generated.

  • bkh
    Community Member

    Also, would it help with security if you could also select for it to put in special characters?

    No it wouldn't.

    @svondutch, could you please elaborate? Why is it that increasing the cardinality of the alphabet does not increase security?

  • baker
    Community Member
    edited March 2015

    I had assumed most password cracking software would stick mostly with regular numbers, characters, and normal keyboard letters. I would have assumed inputting non-normal characters like "Ö" for example would make a password more secure for brute force attacks and password cracking in general.

    I think in the future they will have to start letting you use symbols and things in passwords to make things more complicated.

    Another issue I forgot to mention: I'm not sure if the password strength checker used in 1Password might need updating or reconfiguring. For example, messing around putting in made-up stuff, I got a "Fantastic" rating in 1Password. Then I put the same thing in an online password strength checker, and got "weak". So I don't know which was right in that example, 1Password's "Fantastic" or the online checker's "weak". I tried several different ones, and noticed it usually showed up as "weak" or came up as less strong than 1Password's ranking.

    Now I wouldn't recommend using an online password strength checker, for security reasons. But I was messing with made-up stuff I wouldn't ever be using, so I thought I would do some testing.

  • MikeT
    edited March 2015

    Hi @baker,

    I would have assumed inputting non-normal characters like "Ö" for example would make a password more secure for brute force attacks and password cracking in general.

    The first problem is that it would be extremely rare for a site or anything asking for the password to even accept the character; there is a reason why many sites (and apps) restrict the characters you can use. Keyboards across all platforms are not consistent in the way they write Unicode characters, meaning what you enter on an Android device may not match what you type on a Windows computer. That would mean you'd be locked out on Windows as it won't take your password. It would also mean that if you tell 1Password to insert some weird character not found on your keyboard, 1Password may not even be able to fill it in properly on any platform.

    The reason is that Unicode has support for writing the same character via multiple codes because the same character exists in different languages.

    Yes, theoretically it should slow down the cracking speed, but practically it doesn't work consistently across the board and there's a good chance you'd be locked out.

    I think in the future they will have to start letting you use symbols and things in passwords to make things more complicated.

    Not likely, until every single platform matches exactly every character you use. However, there is some work being done via the Unicode standard body here: http://www.unicode.org/reports/tr15/

    You can find out more here: https://en.wikipedia.org/wiki/Unicode_equivalence

    Other issue I forgot to mention. Is I'm not sure if the password strength checker used in 1Password might could use updating or reconfiguring

    It does need an update; we're looking into updating our strength algorithm every once in a while, as computers are getting faster and faster each year.

    Jeff Goldberg (@jpgoldberg), our security guru, is still researching a better algorithm, and the latest he was looking at was this one: https://github.com/dropbox/zxcvbn. He mentioned it in the blog post here: https://blog.agilebits.com/2015/02/13/when-is-a-password-leak-not-a-password-leak/

    I'll ping him to see if there's any progress on that.
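An added example (the editor's, not code from the thread or from 1Password) of the Unicode equivalence problem MikeT describes above: the same visible "Ö" can arrive as one code point or as "O" plus a combining mark, so the bytes a site hashes differ and a raw comparison fails. The sample strings, function names and the choice of NFC as the canonical form are the example's own assumptions.

```python
import unicodedata

# Two byte-level spellings of what a user sees as one character, "Ö".
# Constructed sample values for this illustration.
COMPOSED = "\u00d6"        # U+00D6 LATIN CAPITAL LETTER O WITH DIAERESIS
DECOMPOSED = "O\u0308"     # U+004F "O" followed by U+0308 COMBINING DIAERESIS


def code_points(s: str) -> list:
    """Human-readable list of code points, to see where two strings differ."""
    return [f"U+{ord(c):04X}" for c in s]


def utf8(s: str) -> bytes:
    """The bytes a site actually feeds to its password hash or comparison."""
    return s.encode("utf-8")


def naive_match(stored: str, typed: str) -> bool:
    """What most login code does: compare the raw bytes. Two spellings of
    the same visible password then fail to match and the user is locked out."""
    return utf8(stored) == utf8(typed)


def normalized_match(stored: str, typed: str, form: str = "NFC") -> bool:
    """Compare after bringing both sides to the same Unicode normalization form
    (UAX #15). NFC is the composed form, NFD the decomposed one. Either works
    as long as the same form is applied at enrolment and at login."""
    if form not in ("NFC", "NFD", "NFKC", "NFKD"):
        raise ValueError("unknown normalization form")
    return unicodedata.normalize(form, stored) == unicodedata.normalize(form, typed)


def canonical_password(pw: str) -> str:
    """What a generator or password manager can do defensively (an assumed
    policy, not 1Password's): fix one form, NFC here, before storing or
    filling, so every platform sends the same bytes."""
    return unicodedata.normalize("NFC", pw)


if __name__ == "__main__":
    stored, typed = "pa" + COMPOSED + "ss", "pa" + DECOMPOSED + "ss"
    print("looks the same:", stored, typed)
    print("code points:", code_points(stored), code_points(typed))
    print("bytes:", utf8(stored), utf8(typed))
    print("naive match:", naive_match(stored, typed))
    print("NFC match:", normalized_match(stored, typed))
```

Normalizing only fixes canonical equivalence; a site that silently truncates, strips non-ASCII, or re-encodes the field in a legacy code page still mangles the password, which is why the thread's advice to prefer length over exotic characters stands.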

  • khad
    1Password Alumni

    One thing to keep in mind is that even a 23-character randomly generated password consisting of only letters and numbers is already an uncrackable 128 bits of entropy. For some idea of the enormity of 128 bits, see our blog post "Guess why we’re moving to 256-bit AES keys". Despite the title, there is much about 128 bits.

    As @MikeT mentioned, the problem with trying to increase the character set is that you will run into problems on certain platforms or websites. It's much better to just make the password longer than to mess with characters that may not even work (and may get you locked out of your account temporarily because of it). I've already run into that with "regular" symbols. Extended ASCII and Unicode wouldn't make that any better. :)

    As for the password strength indicator, take a look at our support article:

    How does the password strength indicator determine the strength of a password?

    It's relatively straightforward to calculate the strength of a password from the generator. Other passwords require a bit more voodoo.

  • jpgoldberg
    1Password Alumni

    Hi @baker!

    These are all interesting questions, and they help illustrate how counter-intuitive some of the aspects of randomness and password strength are.

    As @RichardPayne correctly pointed out, allowing characters to repeat creates stronger passwords. Consider a password comprised only of digits (I'm using this smaller set of characters just to make it easier to describe). If you insisted on "no" repeats at all, then consider the six digit password "543807". There are only four possibilities for the next digit (1, 2, 6, 9). Suppose then we add "2" and get "5438072". Then there are only three possibilities for the 8th digit. For a 10 digit password with the no repeat restriction, there are 3628800 possible passwords. But if we allow repeats, a 10 digit password will have 10,000,000,000 possibilities. In terms of bits, that is 21 bits versus 36 bits (an enormous difference).

    Quite simply, any limitation you place on generated passwords will reduce the strength. This also holds true of a restriction like "well, it doesn't look random to a human". People are notoriously bad at judging randomness. Or to put it another way, we are extremely good at spotting patterns, even when those patterns aren't real. Indeed, the reason why a string with no or few repeated characters "looks more random" is because of something that cognitive psychologists have identified as an instance of the Representativeness Bias leading to the Gambler's Fallacy.

    So following from this it makes sense that putting non-US-ASCII characters in passwords would make them stronger. After all, the restriction to US ASCII does limit the possible range of generated passwords. But as @MikeT pointed out, there are lots of systems that won't deal with such passwords.
    You may not know it, but we exclude the character < from the set of symbols used in the Strong Password Generator on iOS and Mac because there is some shopping cart software that will silently truncate a password at <. So we are conservative about what characters we will use in the 1Password Generator.

    As @Khad pointed out, the simple thing to do is to use a longer password. I need to correct what he said, and make the point even more strongly.

    One thing to keep in mind is that even a 23-character randomly generated password consisting of only letters and numbers is already an uncrackable 128 bits of entropy.

    Khad wrote "letters and numbers", but actually we reach that strength with letters alone.

    [math]\log_2 52^{23} \approx 131[/math]
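An added example (the editor's, not code from the thread or from 1Password) that carries the arithmetic of the post above through for any alphabet size and length: it computes the exact bit counts with and without the no-repeat restriction, shows how each used symbol shrinks the choice set for the next position, and generates passwords from the OS CSPRNG. The alphabets, the table of sizes and the function names are the example's own.

```python
import math
import secrets
import string

DIGITS = string.digits            # the 10-symbol alphabet used in the post above
LETTERS = string.ascii_letters    # 52 symbols: a-z and A-Z


def entropy_bits(alphabet_size: int, length: int, allow_repeats: bool = True) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols.

    Repeats allowed:   n**k possibilities.
    No repeats at all: n!/(n-k)! possibilities (ordered selection without
    replacement), and the password cannot be longer than the alphabet.
    """
    if allow_repeats:
        possibilities = alphabet_size ** length
    else:
        if length > alphabet_size:
            raise ValueError("a no-repeat password cannot be longer than its alphabet")
        possibilities = math.perm(alphabet_size, length)
    return math.log2(possibilities)


def remaining_choices(prefix: str, alphabet: str = DIGITS) -> str:
    """Symbols still allowed in the next position under a strict no-repeat rule.
    Every symbol already used shrinks this set, which is where the entropy
    goes; the post's prefix "543807" leaves only "1269"."""
    return "".join(c for c in alphabet if c not in prefix)


def generate_password(length: int, alphabet: str = LETTERS, allow_repeats: bool = True) -> str:
    """Generate with the OS CSPRNG (`secrets`), never `random.random`.
    The no-repeat variant exists only to make the smaller search space
    concrete; a real generator should allow repeats."""
    if allow_repeats:
        return "".join(secrets.choice(alphabet) for _ in range(length))
    return "".join(secrets.SystemRandom().sample(alphabet, length))


def strength_table(length: int, alphabet_sizes=(10, 26, 52, 62)) -> dict:
    """Bits with and without repeats for several alphabet sizes, so the cost
    of the no-repeat option can be read off directly. None means the
    no-repeat password is impossible at that length."""
    table = {}
    for n in alphabet_sizes:
        with_repeats = round(entropy_bits(n, length, True), 1)
        without = round(entropy_bits(n, length, False), 1) if length <= n else None
        table[n] = (with_repeats, without)
    return table


if __name__ == "__main__":
    print("next digit after 543807 (no repeats):", remaining_choices("543807"))
    for n, (bits_rep, bits_norep) in strength_table(10).items():
        print(f"alphabet {n:>2}, length 10: {bits_rep} bits with repeats, {bits_norep} without")
    print("23 random letters:", round(entropy_bits(52, 23), 1), "bits, e.g.", generate_password(23))
```

For the post's own case the table row for a 10-symbol alphabet gives the permutation count 3628800 (about 21.8 bits) against 10**10 with repeats; the gap only widens as the length approaches the alphabet size, because the last few positions in a no-repeat password have almost no freedom left.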

  • svondutch
    1Password Alumni

    could you please elaborate? Why is it that increasing the cardinality of the alphabet does not increase security?

    @bkh I was under the impression @baker is trying to put in special characters.

    While increasing the cardinality of the alphabet does make your password stronger, hand-picking special characters does not. Humans are terrible at picking random words (or characters).

  • baker
    Community Member

    Thanks for the info. One problem I ran into is password limits. i.e. severe length limits and/or no special characters allowed.

    So you can't get a "Fantastic" rating no matter what you do in some of those instances. Assuming 1Password's password rating is accurate. Luckily the sites I've used with the most restrictive password limits also use a non-disclosed username for log-in.

    I'm guessing maybe getting to use a made up non-disclosed username for log-in ID, instead of a public e-mail address, will give more security given the password limits imposed on those sites.

    I do think it's good to stay ahead of the game. As computers get faster and faster, passwords will get easier and easier to crack every year.

    On another topic regarding the Master Password. Anyone use a Yubikey for part of your MP? Read of a guy using 1Password and he modified a Yubikey to output a single static long string of characters. He put in part of his MP, then pressed the Yubikey to enter in a bunch of junk, then put in the last half for his MP. So he had a super long MP that even he didn't know what it was.

    One thing I thought was interesting about LastPass is they say you can lock out regions for log-in access, so they can't log in if not in the region you authorized. So say someone stole your log-in credentials and your MP; they couldn't even use it unless they were within the region you designated. Also there are other restrictions you can place on how your account is accessed, like limiting what devices are allowed to access it and not allowing Tor users to access it, etc. I went with 1Password because I like keeping things like this off the net, but these LastPass login restrictions did make me wonder if these things could make LastPass more secure, as I think it might make things more secure from access to your entire data if your MP was found out through keylogging or malware.

    Because I guess anyone anywhere can sneak in and get your vault and MP if they can get it, whereas LastPass would stop some or a lot of access even if they got your login and MP credentials.

  • MikeT
    edited March 2015

    Hi @baker,

    One problem I ran into is password limits. i.e. severe length limits and/or no special characters allowed. So you can't get a "Fantastic" rating no matter what you do in some of those instances.

    Correct. One way to help with that is to provide TOTP support. In this case, even if someone figures out your weak password, they can't log in without the time-based code. Some banks provide a key fob to their users for situations like this as well.

    I'm guessing maybe getting to use a made up non-disclosed username for log-in ID, instead of a public e-mail address, will give more security given the password limits imposed on those sites.

    It might help in certain situations as long as the site is secure and the user ID can't be retrieved elsewhere.

    Anyone use a Yubikey for part of your MP?

    You might want to read this if you haven't seen it before: https://www.quora.com/Will-1Password-ever-support-YubiKey

    They say you can lock out regions for log-in access so they can't log in if not in the region you authorized. So say someone stole your log-in credentials and your MP, they couldn't even use it unless they were within the region you designated.

    Well, it depends on how specific the region is. If we're talking about a country, state, or city type of thing, there's nothing that prevents an attacker from getting a VPN (virtual private network) service, connecting to a server in the same city as the user (which the keylogger/malware can log as well), and accessing it from there.

    If you have malware on the system that allows total control, the game is considered to be over for the user. There is not much protection you can use against this.

  • khad
    1Password Alumni

    I'm guessing maybe getting to use a made up non-disclosed username for log-in ID, instead of a public e-mail address, will give more security given the password limits imposed on those sites.

    Food for thought regarding treating an identifier as an authenticator:

    Can I use 1Password to generate usernames, not just passwords?

    Because I guess anyone anywhere can sneak in and get your vault and MP if they can get it, whereas LastPass would stop some or a lot of access even if they got your login and MP credentials.

    That's one way to look at it. However, 1Password is an encryption-based system, so it doesn't face the same threats that an authentication-based system faces. For complete details on this important distinction, please see:

    Authentication vs. Encryption

    From that article (emphasis added):

    1. We, AgileBits, are not involved in your use of your data. This makes it far easier for 1Password to ensure Privacy by Design. We not only don’t have access to your data in any form, but we (largely) lack the capability to collect it or your Master Password and encryption keys.
    2. Because 1Password’s security doesn’t depend on gatekeepers, it faces no threat based on subverting those (non-existent) gatekeepers.
    3. Because 1Password’s security doesn’t depend on gates or walls protecting unencrypted data, there is no threat based on removing those (non-existent) walls.
    4. Because 1Password’s security doesn’t depend on authentication, there is no need to strengthen those non-existent authentication processes. In particular, there is neither the need nor possibility for two factor authentication.
    5. If AgileBits were to get abducted by aliens tomorrow, you would still have access to your data since we never store it on our servers.

  • baker
    Community Member

    One thing I worried about is getting infected with a keylogger or malware that can get your MP or other info and isn't detectable by anti-virus and anti-malware programs. So you could have malware running in the background keylogging and never know it, if it's the kind that isn't detectable. I'm just going off of reports I've read of things that are out there. That's one reason why I liked the two-factor option by LastPass, to help reduce the chance of someone getting in.

    I really hope that 1Password is able to develop some type of two-factor authorization in the future: the kind where if someone had your vault and MP, they still couldn't get in, and the two-factor "key" isn't something discoverable through malware or viruses. I know 1Password is maybe working on two-factor.

  • baker
    Community Member

    @khad

    Thanks for the info and the links. I'll read up on it. Some of it I've already read up on.

    I do know about 1Password being resistant to certain threats vs. something like LastPass. I went with 1Password, like you mentioned, to keep all my data off the net and be in full control of my data. Just still hoping for some type of two-factor where your 2nd "key" to get into the vault isn't discoverable by malware or hacking. That way if your vault and MP is compromised through hacking or whatever, they still can't get in anyways.

  • khad
    1Password Alumni
    edited March 2015

    @baker, technically speaking, 1Password doesn't even do one-factor authentication. Its security does not depend on authentication. Your data is protected by an encryption-only process. The Authentication vs. Encryption article goes into more detail about that, so I'm sure you will find more info there.

    We're working on another article to explain the two-factor situation, but in the meantime perhaps I can share some thoughts.

    Just because 1Password is an encryption-based system doesn't mean that it is impossible for us to do something that looks like two-factor authentication. There are roughly two approaches. One of them is key splitting.

    1. With key splitting, the result of processing your Master Password doesn't actually get you a working key to decrypt further; instead that result would need to be XORed with another 128-bit key. So it is simply a case of storing that other "half" of the key on some other device. 1Password would need to be able to read that device, which may be tricky on iOS, but it isn't insoluble. (Using a YubiKey to generate a static string as half of your Master Password is a sort of "poor man's key splitting".)

    2. The other approach would be to move the keyfile. Your data file contains an encrypted key, which is what gets decrypted by the key derived from your Master Password. It would be possible for us to allow that file (and its backups) to reside on some other device or location. Both that file and the Master Password are required to get any further.

    We are more inclined to do key splitting rather than having a movable keyfile.

    The real technical difficulty is getting this to work on every platform. Again, because this is all about data decryption and not authentication, we can't just implement this on one platform (if it were to be anything other than just for show). So while this isn't insurmountable it means that even the "simple" approaches that I described would be tricky.

    But the real reason that we haven't put substantial effort in that direction is that for every case where someone reports that their computer or device has been stolen, we get probably a hundred more of "I forgot my Master Password" or "I damaged my data and didn't have usable backups". Our fear is that key splitting or keyfile moving wouldn't just double the rate of people getting locked out, but would increase it much more.

    The threat of data loss becomes very substantial.

    Again, because we aren't running a system that people authenticate against, there is nothing we can do to help people recover their data if they damage a key or forget their Master Passwords.

    Now, of course we could make it an advanced option with lots of warnings, but we know that some folks will always dial up security settings to 11 whether it is in their interest or not. Remember that 1Password is a mass market product. It's great that security geeks use and respect it, but we don't want to give our users rope to hang themselves with.

    I'm just spelling out why, to date, we have resisted calls for two-factor authentication. It's harder to get right for a decryption system than for an authentication system, and we think that it might do more harm than good.

    None of this is written in stone. The threat landscape, patterns of usage, and device capabilities change. So while we haven't announced any plans to do this, we have left the door open in the design of our new data format.
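An added example (the editor's, not 1Password's code or design) of the XOR key-splitting approach khad sketches above: the Master Password is stretched into one 128-bit half, the other half lives on a second device, and only their XOR is the key that decrypts further. It also exercises the two failure modes the post weighs against each other: a wrong password and a lost device half both yield garbage. The KDF parameters, the demo password and the function names are the example's own assumptions.

```python
import hashlib
import secrets

KEY_LEN = 16  # 128-bit key, the size mentioned in the post above


def password_half(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch the Master Password into 128 bits. PBKDF2-HMAC-SHA256 with this
    iteration count is an illustrative choice for the example, not 1Password's
    actual parameters."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != KEY_LEN or len(b) != KEY_LEN:
        raise ValueError("both halves must be exactly KEY_LEN bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def enrol(master_password: str, vault_key: bytes, salt: bytes) -> bytes:
    """Produce the 'device half' to store on the second device.
    It is vault_key XOR password_half: the vault key one-time-padded under the
    password-derived half, so on its own it is indistinguishable from random
    and reveals neither the vault key nor anything about the password."""
    return xor_bytes(vault_key, password_half(master_password, salt))


def unlock(master_password: str, device_half: bytes, salt: bytes) -> bytes:
    """Recombine the two halves. A wrong password, or a lost or corrupted
    device half, yields 16 bytes of garbage rather than an error: that is the
    security property, and also the data-loss risk the post describes."""
    return xor_bytes(password_half(master_password, salt), device_half)


def demo(master_password: str = "correct horse battery staple") -> dict:
    """Exercise the cases that matter: right password with right device half,
    wrong password, right password with a lost device half, and whether the
    device half alone is of any use to whoever steals that device."""
    vault_key = secrets.token_bytes(KEY_LEN)   # stands in for the key that encrypts the vault
    salt = secrets.token_bytes(16)
    device_half = enrol(master_password, vault_key, salt)
    return {
        "correct": unlock(master_password, device_half, salt) == vault_key,
        "wrong_password": unlock("wrong password", device_half, salt) == vault_key,
        "lost_device_half": unlock(master_password, secrets.token_bytes(KEY_LEN), salt) == vault_key,
        "device_half_alone_is_key": device_half == vault_key,
    }


if __name__ == "__main__":
    for case, recovered in demo().items():
        print(f"{case}: vault key recovered = {recovered}")
```

The demo compares against the plaintext vault key only because it generated it; a real vault never has that to compare with, and would instead detect a bad recombination because the authenticated encryption over the vault fails to verify. Note also that an attacker who already has the vault file still needs both the password half and the device half, which is what makes the split a second factor rather than just a longer password.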

  • baker
    Community Member

    @khad

    Thanks. Yes, I understand there being a difference between how 1Password operates and something like LastPass.

    I understand that your MP just decrypts the vault and something like LastPass is a log-in system.

    I do understand the difficulty of doing something like "two-factor" or whatever it would be called with 1Password. I do like the idea of being able to do something like "two-factor" with 1Password if it was able to safely be worked out. Just gives you more protection as if they get your vault and MP, then you're currently screwed.

    But I would say if you guys do work on some type of "two-factor" in the future, I'd prefer whatever method you go with to be something that can't be gotten through hacking or keylogging or malware. That way if someone got in and got your vault and MP, they still couldn't get into your vault no matter what keylogging or malware they may install to get your "two-factor". Though I'm just suggesting here; the way 1Password is set up, there may be no way to make "two-factor" malware-, keylogging-, or hack-proof.

    The only reason I was looking at adding in the Yubikey like that other guy did was so you would get a super "strong" MP. I believe that only helps if they get your vault but not your MP. I believe a Yubikey operates like a keyboard, so the data it submits is probably accessible through a keylogger or whatever, the same as if you didn't use it.

  • khad
    1Password Alumni
    edited March 2015

    @baker,

    Completely understandable. I think this is a good threat to try to protect against. It does become a bit tricky, though.

    Just gives you more protection as if they get your vault and MP, then you're currently screwed.

    You make it sound so easy. :)

    Since your vault is not located on our servers, there is no centralized place for an attacker to obtain it. Getting your vault would take a lot of work. But then, even if an attacker had your vault, they would need to crack it. This is easier said than done.

    Defending against crackers, PBKDF2

    Don't underestimate how well a good Master Password can secure your vault. Heck, even the crackers report good news for 1Password.

    …there may be no way to make "two-factor" malware, keylogging, or hack proof.

    I think this is important to keep in mind. Even in an authentication-based system, if someone has that kind of access to your machine, they can just read the data the authentication-based system is sending back after you authenticate. There is more to it, of course, but once your system is that far compromised it is a matter of "when" not "if" it is game over. As in sportsball, the best offense is a good defense. (Or something like that.)

    From our Watch what you type: 1Password’s defenses against keystroke loggers blog post:

    1. Keep your system and software up to date
    2. Pay attention to what software you install and where you get it from
    3. Use Windows Defender on Windows
    4. Understand what software can and can’t do for you

    Better descriptions of each point are in the full post. Also in that post, you will see that despite the fact that in principle, there is nothing that 1Password can do to protect you if your computer is compromised, in practice there are steps we can and do take which dramatically reduce the chances that some malware running on your computer, particularly keystroke loggers, could capture your Master Password.

    (I am now realizing that perhaps I should have linked to that blog post earlier.)

    I hope that helps. It is great that you are thinking about these things. Please keep the questions/suggestions coming!


    EDIT: And thank you for starting the recent discussion that led to the creation of that "Can I use 1Password to generate usernames, not just passwords?" support article. I just realized you already saw the answer to that in the original thread. I probably didn't need to link to it again here. Hopefully it will be helpful to others as well. :)

  • RichardPayne
    Community Member

    @baker while keyloggers are certainly a concern, you'd spend your time better by preventing them from getting onto your system in the first place.

    The reality is that if your system is compromised enough for a keylogger to be installed then the attacker already has full administrative access. At that stage MFA is pointless; the attacker can simply dump the 1password.exe process memory and extract the encryption keys that you helpfully unlocked using your MP and 2nd factor code.

  • baker
    Community Member

    @RichardPayne

    I had been reading around and had learned of, say, keyloggers that can bypass anti-virus and run hidden and undetectable, etc. So you can have malware or whatever running and not be able to know. Yes, it's good practice to prevent stuff from getting in, like not downloading things from strange places, or links that are in bad places or look scammy. But even legitimately downloaded things can/do contain bloatware crap that you have to make sure you uncheck, and at times it puts it on your system anyway. Also not clicking links in emails, as they could be phishing.

    But one thing I've gotten flagged by antivirus for is just doing regular searching or reading around on web pages: there's a legitimate-looking link that you click on and then get the antivirus warning flag. I had downloaded Malwarebytes Anti-Exploit, which is supposed to protect you from getting malware/viruses from your browsing by stopping it before it tries to get in. Now I don't know if that thing even works, as there have been a couple of times I clicked on an innocent-looking link that my antivirus immediately flagged, but I never saw any warning from the Anti-Exploit, even though it claims it's supposed to stop things faster than your anti-virus would react to something coming in from your browsing.

    It sounds to me like, in this day and age of trying to stay ahead of the game, you are pretty much just gambling and hoping you get by long enough without anything bad happening.

    I do like how Windows BitLocker is supposed to be able to encrypt certain Windows OS files that viruses/malware like to get hold of, thereby stopping them if they can't get hold of those OS files and change the ones they need to function. I just wish Microsoft would put BitLocker on all of their versions instead of just the Pro stuff.

    I think with 1Password, in order for a "second factor" to really work, it would have to be something that hackers/keyloggers can't get or learn. Though it may not be possible with the way 1Password works on your system, vs. logging into a website like LastPass. Maybe something will come along later though.

  • svondutch
    1Password Alumni
    edited March 2015

    So, you can have malware or whatever running and not be able to know.

    Correct. Such sophisticated malware is probably coming from your government, by the way.

    en.wikipedia.org/wiki/Regin

  • baker
    Community Member

    @svondutch

    That's one reason why people don't trust Windows BitLocker, which TrueCrypt told people to start using: TrueCrypt users believe Windows BitLocker may have a backdoor in it for the government.

    I may have to track down a good copy of TrueCrypt 7.1a to save. They are currently in a 2nd audit right now even though the TrueCrypt authors abandoned it.

  • RichardPayne
    Community Member

    @baker

    I had been reading around and had learned of say keyloggers that can bypass anti-virus and run hidden undetectable, etc. So, you can have malware or whatever running and not be able to know.

    Nothing is undetectable. It may be hard to detect but not impossible. This is why it is critical to keep your AV up to date.

    Yes it's good to make practice to prevent stuff from getting in like not downloading things from strange places, or links that are in bad places or probably look scammy. But even legitimate downloaded things can/do contain bloatware crap that you have to make sure you uncheck. But at times it puts it on your system anyways.

    Bottom line is that malware isn't magic. It is software running on your computer. It needs to be delivered there:

    1) Physical insertion. You're screwed, basically. Someone has gained physical access to your hardware and has corrupted the operation of either the OS or the hardware. This is fairly serious stuff though, so is unlikely to be a realistic threat for most of us.
    2) OS fault. This is a real risk and may allow execution of malware with root permissions. That said, keeping up to date on patches should reduce the risk significantly.
    3) Application fault. This should be mostly harmless since you shouldn't be running with root access. Certainly, key loggers cannot be installed like this.
    4) User error. Again, you shouldn't run with root access so this should be harmless.

    You are right to point out installers because they are initiated as a user error and then ask for elevated permissions to execute. Whenever an app asks for elevation we should be extremely cautious, but installers require it so often that we can become blasé about them.
    This is why you should research new software before installing it. If it is not very new and is engaging in dodgy practices then someone will have noted it.

    Correct. Such sophisticated malware is probably coming from your government, by the way.

    en.wikipedia.org/wiki/Regin

    From what I've read about that, it's not a virus but targeted malware. If you have a national agency targeting you then you're going to have to work a lot harder to stop them since they are one of the few entities capable of using physical insertion.

  • svondutch
    1Password Alumni
    edited March 2015

    installers (...) ask for elevated permissions to execute. Whenever an app asks for elevation we should be extremely cautious, but installers require it so often that we can become blasé about them. This is why you should research new software before installing it.

    @RichardPayne Correct. One way to reduce risk is to look at the code signing certificate. This will tell you who the installer came from, and ensures it hasn't been tampered with since its publication. It does not guarantee the installer is safe to run though (some vendors are notorious for bundling crapware with their installers).

  • bkh
    Community Member

    I understand that @RichardPayne and @svondutch are trying to put the security exposures into perspective. But I will take exception to a couple statements that, although correct, may lead us to assume more safety than we actually have.

    Application fault. This should be mostly harmless since you shouldn't be running with root access.

    With just my unprivileged access, malware can do a Cryptolocker-style attack on all my data files, or delete them, or bit-rot them. Or it can go out onto the internet masquerading as me. Lots of damage is possible, and "mostly harmless" may downplay that too much.

    It is true that root access is even worse: then the bad guys can do things like overwrite the hard disk firmware with malware that creates a persistent infection that can be impossible to detect by software scans. (Because with current interfaces the only way to read the firmware is to ask the firmware to display itself, and it can lie).

    One way to reduce risk is to look at the code signing certificate. This will tell you who the installer came from, and ensures it hasn't been tampered with since its publication.

    It reduces risk, but "ensures it hasn't been tampered with" isn't a good claim because of forged certificates. There have been instances of certificate authorities being compromised, and the bad guys have been able to create cryptographically valid certificates for organizations like Microsoft and Google. These certificates have been used to trick users into installing "updates" or "apps" that appear to be properly signed by Microsoft or Google, but which actually are malware.

  • svondutch
    1Password Alumni
    edited March 2015

    There have been instances of certificate authorities being compromised, and the bad guys have been able to create cryptographically valid certificates for organizations like Microsoft and Google. These certificates have been used to trick users into installing "updates" or "apps" that appear to be properly signed by Microsoft or Google, but which actually are malware.

    Correct, but these certificates were revoked as soon as the vendors were made aware of them. While not perfect, the certificate revocation system does work.

    Again, if the government hacks you (we have very good reasons to believe the DigiNotar hack that allowed Iran to create certificates in Google's name originated from the NSA) then you're basically out of luck. They have the power and the resources to cover it up.
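    The two points raised above (who signed the installer, and whether the signing certificate has since been revoked) can both be checked before running a download. The following PowerShell script is an added example written for this thread, not something posted by the participants or shipped by 1Password; the installer path is a placeholder, and it assumes a Windows machine with internet access so that online revocation checks can run.

```powershell
# Added example (not from the thread): inspect an installer's Authenticode
# signature, report the signer, and rebuild the signer's certificate chain
# with online revocation checking. $InstallerPath is a placeholder.
param([string]$InstallerPath = 'C:\Downloads\example-installer.exe')

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
"Signature status : $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    # NotSigned, HashMismatch (tampered), or an untrusted signer: stop here.
    "Do not trust this file: $($sig.StatusMessage)"
    return
}

# A valid signature proves integrity since signing and names the signer,
# but says nothing about whether the signer is someone you want to trust.
$cert = $sig.SignerCertificate
"Signed by        : $($cert.Subject)"
"Issued by        : $($cert.Issuer)"
"Cert valid       : $($cert.NotBefore) to $($cert.NotAfter)"
if ($sig.TimeStamperCertificate) {
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
}

# Get-AuthenticodeSignature does not insist on a fresh revocation check, so
# rebuild the chain ourselves: every certificate in it is checked online
# (CRL/OCSP), and the leaf must be approved for code signing (OID below).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode  = 'Online'
$chain.ChainPolicy.RevocationFlag  = 'EntireChain'
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$chain.ChainPolicy.ApplicationPolicy.Add(
    [System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3')   # id-kp-codeSigning

if ($chain.Build($cert)) {
    "Chain           : OK, no certificate in the chain is revoked"
} else {
    # A revoked issuer (as in the CA compromises discussed above) shows up
    # here as Revoked; an expired-but-timestamped signer shows up as NotTimeValid.
    foreach ($s in $chain.ChainStatus) {
        "Chain problem   : $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```

    Note that an expired signing certificate on a timestamped installer is reported as NotTimeValid by this chain build even though Windows still treats the signature as valid; read that status together with the timestamp line rather than as a failure on its own.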

  • RichardPayne
    Community Member

    With just my unprivileged access, malware can do a Cryptolocker-style attack on all my data files, or delete them, or bit-rot them.

    It is mostly harmless because you wipe the system and restore your files from backup.

    Or it can go out onto the internet masquerading as me. Lots of damage is possible, and "mostly harmless" may downplay that too much.

    Mostly harmless was in the context of your system integrity and the security of your vault. I was not passing comment on the risk to your social standing.

  • MikeT

    Hi guys,

    @RichardPayne,

    It is mostly harmless because you wipe the system and restore your files from backup.

    Assuming backups are being created by the users......

  • jpgoldberg
    1Password Alumni

    This discussion thread is fantastic! I should have checked in earlier.

    One of the most difficult problems we face is "what should we do about malware running actively on your machine while you are using 1Password?".

    The answer from the academic security community is "Nothing. That is not a situation you can defend against."

    The answer from people using 1Password is "everything possible."

    Our answer is to look at it case by case. Because the academics are technically correct, we tend toward that answer. But in cases where we can provide "easy" solutions against "common" attacks we will. But we most certainly don't want to promise something we can't deliver. And so things that appear to offer security against such attackers but don't fall into the category of "security theater". Using a "second factor" to defend against local malware would just be security theater. (A second factor might be useful for other purposes, but not as a defense against local malware.)

    So there are relatively simple things we can do to thwart superficial keystroke loggers, but nothing we can do to thwart deep ones.

    The other thing is that we are not in the AV business. We aren't going to be able to provide malware detection that is better than XProtect (built into OS X) or Windows Defender (built into Windows 8). And as @svondutch correctly pointed out, there is certainly malware that can go undetected for a very long time. Consider Stuxnet and Flame. Those are two US government sponsored things that went undetected for years. Or consider the Equation Group's (almost certainly US government sponsored) subversion of the firmware on hard disk drives to insert rootkits into the OS. Again, that went undetected for many years.

    Now we have built 1Password itself so that we believe that if you have a sufficiently strong Master Password, nobody, not even the NSA is going to decrypt your 1Password should they capture it. But 1Password ultimately must trust the operating system and the hardware that it is running on. When there is malware with root/admin permissions running on your system, then the system that 1Password relies on is not trustworthy.
