Master password strength

DavidBDavidB Senior Member
edited November 2016 in Lounge

I notice that the blog article "Toward Better Master Passwords," which seems to have been last updated in 2013, recommends using "four or five words" for a Diceware passphrase. https://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

In 2014, the Diceware FAQ itself upped its previous recommendation of five words to "six words for most users, or five words with one extra character added at random."
http://world.std.com/~reinhold/dicewarefaq.html#howlong

What is the current Agile recommendation?

Also, how are 1Password users coping with entering a strong password on their phones?

Thank you,

David


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • dancodanco Senior Member Community Moderator

    As far as coping on an iPhone, if it's a recent one, set it to use TouchID for most of the time.

  • DavidBDavidB Senior Member

    @danco,

    Yes--but what about the rest of the time?

    David

  • dancodanco Senior Member Community Moderator

    Can be set to require the Master Password so rarely (I think there's an option to need it only on device restart) that it's not worth worrying about. Just grit your teeth and enter that long password once in a while.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Hi @DavidB

    Arnold Reinhold and I have had a number of conversations about this and we don't really disagree (on much) once you get down to certain details.

    I believe that the "four or five" words advice in Toward Better Master Passwords remains good advice for 1Password Master Passwords. I also think that Arnold's "seven words" recommendation makes good sense in a particular context.

    Arnold's advice is assuming an attacker who (a) has no way in except for password cracking, and (b) has the cracking resources of the NSA. So let's assume an attacker who has no other way in but is willing to dedicate, say, one billion1 USD.

    When it comes to brute forcing cryptographic keys, people believe that billion dollar attack is might be able to break an 80 bit key but not a 90 bit one. So the idea is that a 90 bit key should keep you safe from a billion dollar attack.

    Simple (and small) differences

    Size of wordlists

    Arnold's Diceware list has 7776 words on it, so each word in a passphrase contributes 12.92 bits. Our list has approximately 18400 words, so each word in a passphrase contributes 14.17 bits. This isn't a huge difference, but it does mean that a four word password using the AgileBits wordlist will give you 56.67 bits, with the Diceware list you will bet 51.70 bits. At five words, the difference is clearer (Diceware: 64.62 bits: AgileWords: 70.84).

    Threats

    Arnold is addressing an audience that (believe that) they could be subject to a billion dollar attack that is limited to password cracking. I believe that that attack scenario is extremely rare for our customers.

    If someone were willing to spend a billion dollars to get at your data they would find it easier to break into your house and modify your own computer or software. They might install cameras or keyboard "listening" devices at every location that you might type in your Master Password. There are just far too many cheaper ways than a billion dollar password cracking attack except in the most extraordinary circumstances.

    The big difference: keys versus passwords

    The one thing that I think Arnold got wrong is that he assumed that an 80 bit key is as easy to crack as an 80 bit password. In both cases an attack will use specialized, purpose built hardware. But a key is just a number, and moving on to the next number and trying it is extremely cheap compared to generating the next password to guess and trying that. Both things like PBKDF2 and the fact that password guesses are slower to generate than key guesses mean that password cracking is inherently slower than key guessing.

    Let us suppose that it is a million times slower to guess a password than it is to guess a key. (This is actually a conservative estimate when we consider the use of things like PBKDF2.) A slowdown of a factor of one million is equivalent to 20 bits. That is, it would take as much effort to crack a 50 bit password as it would to crack a 70 bit key.

    So in this light, a four word password from the our list (56.67) bits, should be at least as hard to crack as a 76 bit key. A five word password from our list (70.84 bits) should be at least as hard to crack as a 90 bit key. So if we have set our target at 90 bits of strength (as Arnold does), then a five word Master Password from our wordlist will get you there.


    1. By "billion" I mean "thousand million" or 109. I don't know how many readers might still be using the long scale for number names. ↩︎

This discussion has been closed.