No more passwords ???

dwk
Community Member

Hi,

I recently read a review from here: http://www.pcmag.com/article2/0,2817,2407168,00.asp

From the review, I found out that 'LogMeOnce' and 'True Key' moved away from the traditional master password and replaced it with device authentication.

I think many people agree that passwords are old but they are not obsolete. However, having more options is not a bad thing at all from my perspective. For some, even remembering a master password might be cumbersome since master passwords are supposed to be long and complicated.

In short, I hope AgileBits considers getting rid of the master password :)

I know I sound crazy but I had to say what was on my mind for quite some time. Cheers ~



Comments

  • AGAlumB
    1Password Alumni

    @dwk: It's certainly something we'd all love to do, but there are a few good reasons why this probably won't happen anytime soon. As you mentioned, passwords are still very much a thing. Certainly there are efforts to replace them, but if the internet has taught us anything, it's that technology comes fast, but leaves slowly (hello, IPv4!) Additionally, the Master Password has the crucial benefit of being unhackable, in the sense that it is stored only in your brain, and (so far) it isn't possible to systematically extract data from there. And while we have things like Touch ID which are great, not having a Master Password at all would mean that I'm not able to access my data at all if my finger is too cold, wet, or dirty (or all of the above) to be read. Definitely an interesting area, but we're not there yet. :)

  • dwk
    Community Member
    edited January 2017

    Thanks for the reply @brenty !

    Looks like I will have to get along with my master password I guess :)

    I have another question regarding passwords in general.

    Let's assume passwords A and B (A = asdf1234, B = !asdf1234). To the human brain, the two passwords are very similar since there is only a one-character difference at the front. What I would like to know is if the system recognizes them as similar passwords or totally different passwords. To my knowledge, the computer side of things doesn't exactly work the way our brains do, so I'm very curious whether those two are considered entirely different combinations.

  • AGAlumB
    1Password Alumni

    @dwk: I'm not sure what you mean by "recognize". Are you referring to 1Password noticing that these are similar? 1Password only tries to calculate strength or find duplicates. But if you're talking about password cracking, brute force attacks will take into account patterns, since there's a ton of information out there on actual user passwords from data breaches. You probably just wanted to use that as an example though, and I'm missing your point. Let me know! :lol:

  • dwk
    Community Member
    edited January 2017

    What I want to know is if using password A and B at the same time is okay or not. If A and B are considered entirely different passwords in terms of password cracking algorithms then it is safe to assume that using those two passwords at the same time is okay.

    The reason I'm asking is because I have to memorize quite a few master passwords. I know it sounds a bit odd but that's the situation I'm stuck with :(. So I had to come up with a way to make a few very complicated master passwords. I made my own rule for making master passwords to make sure they had some consistency for me to remember with ease.

    For example, the rule would be [ symbol ] + [ name of an animal ] + [ my favorite number ] + [ first three letters of the service I'm using ]

    The rule above would be used to create my master passwords. Now, the only difference between my master passwords would be the last three letters. To human beings, master passwords that are created using the rule above are very similar. So, if a hacker wanted to hack me, would it be easier because of the above rule? In other words, would it be easy for password cracking algorithms to crack my master passwords?

  • XIII
    Community Member

    Most websites that employ good security will use a "hashing" function that uniquely transforms your password into another string. Two strings that are almost equal before hashing might lead to completely different results.

    However, if a hacker is able to crack two of your passwords using this scheme, it does not take much pattern matching capabilities to discover that only the last 3 characters differ. Even if the hacker does not recognize how they map to services used, it might be fairly easy to brute force attack your accounts on other sites that use the same scheme.
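The two points in the reply above, shown as an added example that is not part of the original thread: a hash function does not see "asdf1234" and "!asdf1234" as similar, but two recovered plaintexts built from one rule expose the fixed part and leave very little to guess. SHA-256 is used only to illustrate diffusion, and the sample passwords are constructed for this illustration.

```python
import hashlib
import os


def digest_bit_difference(a: str, b: str) -> int:
    """Count differing bits between the SHA-256 digests of two passwords."""
    da = hashlib.sha256(a.encode("utf-8")).digest()
    db = hashlib.sha256(b.encode("utf-8")).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def shared_template(plaintexts):
    """Return (common prefix, longest differing tail length) of known plaintexts."""
    prefix = os.path.commonprefix(plaintexts)
    tail = max(len(p) - len(prefix) for p in plaintexts)
    return prefix, tail


def remaining_guesses(tail_length: int, alphabet_size: int = 26) -> int:
    """Worst-case guesses left once the fixed prefix is known."""
    return alphabet_size ** tail_length


# Constructed sample values following the rule described in the thread:
# [symbol][animal][favorite number][first three letters of the service]
SAMPLE_PASSWORDS = ["#otter42ama", "#otter42fac"]

if __name__ == "__main__":
    # Near-identical inputs give unrelated digests (about half of 256 bits flip).
    bits = digest_bit_difference("asdf1234", "!asdf1234")
    print(f"asdf1234 vs !asdf1234: {bits} of 256 digest bits differ")

    # Once two plaintexts are known, the rule itself is visible.
    prefix, tail = shared_template(SAMPLE_PASSWORDS)
    print(f"shared prefix {prefix!r}, variable tail of {tail} characters")

    # The effective secret for every other password is only the tail.
    print(f"guesses left for a third password: {remaining_guesses(tail)}")
    print(f"versus {95 ** len(SAMPLE_PASSWORDS[0])} for 11 random printable characters")
```
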

  • jpgoldberg
    1Password Alumni

    @XIII is exactly correct.

    This notion of generating passwords for sites by hashing a master secret along with site specific information is an idea that gets rediscovered with surprising frequency. Yet few (none?) of its advocates look at the prior history to see why the idea has been consistently rejected by people who study password security.

    See Cracking PwdHash: A Bruteforce Attack on Client-Side Password Hashing (PDF) for a detailed discussion of performing exactly the sort of attack XIII mentioned. Let me quote its abstract:

    PwdHash is a widely-used tool for client-side password hashing. Originally released as a browser extension, it replaces the user’s password with a hash that combines both the password and the website’s domain. As a result, while the user only remembers a single secret, the passwords received are all unique for each site. We demonstrate how the hashcat password recovery tool can be extended to allow passwords generated using PwdHash to be identified and recovered, revealing the user’s master password. A leak from a single website [emphasis added] can therefore compromise a user’s account on other sites where PwdHash was used. We describe the changes made to hashcat to support our approach, and explore the impact this has on speed of recovery.

    It really is important that the passwords that you use on different sites be independent of each other.

  • AGAlumB
    1Password Alumni

    @dwk: All of the above is true, but reading this I wondered if you are meaning something else by your description than XIII and jpgoldberg interpreted. If they were on point, just ignore the rest.

    But, if instead of using these passwords for logging into websites, you mean you're using them to unlock different vaults, using a pattern may not be the worst thing to do. While I can't speak to other products you might use, unlike websites, 1Password doesn't store your Master Password, so it isn't something that could be compromised on some remote server, therefore allowing anyone with access to the dump to see it and perhaps notice a pattern.

    If, however, the previous interpretation was correct and you simply have a need to memorize and type multiple passwords regularly, I'd encourage you to use word-based passwords generated randomly, since that gets you the best of both worlds: a strong password that you can know and use yourself if needed. Cheers! :)

  • dwk
    Community Member

    AgileBits' Forum support is one of the reasons why I love AgileBits.

    I guess I will have to use entirely different passwords. :(

    Aside from the password talk I have another question. I use local vault instead of 1Password.com service so I have to keep a backup of my local vault. I transfer my backup data into a USB and lock it using BitLocker. Would it be enough ?

  • AGAlumB
    1Password Alumni

    AgileBits' Forum support is one of the reasons why I love AgileBits.

    @dwk: Likewise, having these kinds of discussions are why I love my job. :chuffed:

    I use local vault instead of 1Password.com service so I have to keep a backup of my local vault. I transfer my backup data into a USB and lock it using BitLocker. Would it be enough ?

    Security-wise? Absolutely! It's kind of overkill, since your 1Password data is encrypted already...but I wouldn't want to discourage you from using an encrypted drive since you could use it to secure other, non-1Password data as well. Cheers! :)

This discussion has been closed.