Does master PW need to be so long?

mail_ronandclaudia
Community Member

It was my understanding when I started using 1PW about 3 years ago that the master PW was 'local' and didn't have to be 17+ characters long. With the number of times I need to access 1PW, putting this long master PW in each time will be a hassle. (I use the fingerprint on my iPhone6 - easy). Is it that essential to have the master PW so long?


1Password Version: 5.3
Extension Version: 4.3.1
OS Version: OS 10.10.3
Sync Type: dropbox

Comments

  • TomSafety
    Community Member

    It may be because I am using 1Password 3 but my main password is significantly less than 17 characters long.

  • Vee_AG
    1Password Alumni

    Hi @mail_ronandclaudia,

    Your master password is your choice. It can be as long or as short as you want it to be... But, of course, we fervently recommend you choose a strong, memorable master password to protect your secure data.

    Our encryption is as strong as can be, but since all your data can be unlocked with your master password, it's very important that it be difficult to crack. But since it can also lock away your data forever if you forget it, it's also very important that it be something you can remember.

    We published a blog post on this very topic that may interest you: Towards Better Master Passwords

    If you are being prompted to enter your master password more often than you want to, you can change the auto-lock settings by selecting from the menu bar: 1Password > Preferences > Security. You will still need to enter it sometimes, but the fewer boxes checked in those preferences, the less often you'll have to enter it.

    Hopefully this information will help you come up with a combination of lock settings and master password that strikes the right balance for you between security and convenience. :)

  • MikeT
    edited June 2015

    Hi @mail_ronandclaudia,

    Just to clarify, your master password is not stored anywhere, not even locally. Are you referring to where we used to say that you can use a weaker master password on the iOS device only as it is local and difficult to attack?

    You should be using a strong master password everywhere with 1Password to be safe. As Vee linked to our blog post on this, you can use a long dice-ware type of password to make it easier to memorize it.

    1Password encrypts your data with the strongest encryption standards and levels regardless of what length your password is, meaning that the encrypted part of your data is already as strong as it can be without worrying about the length of your chosen password. The encryption key that encrypts the data is encrypted with your master password.

    So, for attackers, it is not the encryption they're attacking; it's already very difficult to beat, as it has been used around the world for more than a decade without a solid break for the encryption.

    What they do instead is guess what the password is, not attacking the encryption. Since it is your master password that decrypts the strong encryption key, it has to be long enough that it would take forever to crack it in your lifespan. You can have the strongest encrypted data in the whole world or even the universe but if it is encrypted by a master password of "123456", it takes 1 nanosecond to guess that and just unlock the encryption key to start decrypting your data.

    PS: This is a very simple explanation of what goes on, but we strengthen your password with an algorithm that extends the amount of cracking time that has to be performed per guess. So, if we use a math formula that takes a minute to scramble your password before encrypting the file, it means someone else has to take a minute per password to guess it. You can find out more about how here: https://blog.agilebits.com/2011/05/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/

    If you want to learn more, we have a lot of guides you can read: https://support.1password.com/security/
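
Added example (not part of the thread and not 1Password's code): a sketch of the per-guess cost MikeT describes, combining a measured key-stretching time with password entropy to estimate average guessing time. PBKDF2-HMAC-SHA512, the 100,000-iteration work factor, and all function names are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key-wrapping key."""
    # PBKDF2-HMAC-SHA512 is an assumed stand-in for the stretching algorithm.
    return hashlib.pbkdf2_hmac(
        "sha512", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation on this machine; every guess must pay this cost."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"constructed-guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is drawn uniformly at random."""
    return length * math.log2(choices)


def average_years_to_guess(bits: float, guess_seconds: float) -> float:
    """On average half of the 2**bits candidates are tried before a hit."""
    return 2 ** (bits - 1) * guess_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    iterations = 100_000  # assumed work factor, not a 1Password setting
    cost = seconds_per_guess(iterations)
    print(f"{iterations} iterations cost {cost * 1000:.1f} ms per guess here")
    # Constructed samples. Human-chosen strings such as "123456" sit at the
    # top of guess lists, so the 6-digit figure is an upper bound.
    samples = {
        "6 random digits": entropy_bits(10, 6),
        "8 random lowercase letters": entropy_bits(26, 8),
        "4 Diceware words (7776-word list)": entropy_bits(7776, 4),
        "6 Diceware words (7776-word list)": entropy_bits(7776, 6),
    }
    for label, bits in samples.items():
        years = average_years_to_guess(bits, cost)
        print(f"{label:36s} {bits:5.1f} bits  ~{years:.3g} years")
```

The timing comes from a single CPU core, so treat the year figures as a relative comparison between password choices rather than a guarantee; dedicated hardware divides them by its speed-up.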

This discussion has been closed.