Create a secure master password, help!

ghostdog
Community Member
edited November 2018 in Mac

Hi, I'm going to start using the subscription and I need to create my master password.

Do you think it is recommended and very secure to use base64 or sha256 to create a password? For example, I choose this word: "ghostdog"

but I encode that word to base64, so my master password is: Z2hvc3Rkb2c=

but I always remember the word "ghostdog" as my master password; I just encode it to base64 when I need to enter it into 1Password.

I encode it in the terminal on my Mac like this:

echo -n 'ghostdog' | openssl base64 | tr -d '\n' | pbcopy

anyway... the point is that I don't want to use a silly password like "ghostdog" as my master password, but encode it! It looks very secure.

and what about SHA256, even more secure? "ghostdog" encoded is:

dfcbc2ed7d220fcc669819d47f7d487d79468e4d1ea025f37dd42680e636dad2

Any help please, I really want to create a secure master password and that's the way I'm thinking.

Is it secure? Or just a stupid idea?

ps: of course I'll be using another word later; "ghostdog" is just an example to use here... a lot of people can read this thread and know the password.

By the way, how many characters can the master password hold?

help!
thanks



Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @ghostdog! How to create a good Master Password is a perennial - and excellent question. In fact, it's so ubiquitous that we've compiled a set of our best thinking on the matter. It includes links to other people's stuff, as well as some thoughts by our own Chief Defender Against the Dark Arts, jpgoldberg.

    With regard to your specific idea, it's definitely not stupid. But anyone who truly wants your data will have already thought of things like using hashes or other means to obscure what is in reality quite a simple password ("ghostdog"). Any skilled attacker who targets you specifically will already plan to use your names, those of your loved ones, birthdays, pets' names, common words you use such as pseudonymous forum usernames -- as well as variations on each of those; everything from "l337speak" to common hashes, etc. Automating this process isn't difficult and needs to be done only once. You're likely better off with the suggestions we offer in the above link -- but as long as you remember the one basic rule -- don't share your Master Password with anyone -- you'll be well on your way.

    It's also worth mentioning that for 1password.com accounts, we employ 2SKD (Two-Secret Key Derivation) using your Secret Key to help keep you safe. Let us know if you have any questions! :)

  • ghostdog
    Community Member

    Thank you,

What about creating a master password with a Diceware passphrase: http://world.std.com/~reinhold/diceware.html ? Good idea?

  • Ben

    @ghostdog

    Yes! Diceware can be a good method — as long as you use a sufficient number of words and don't "fudge" the randomness. What I mean by that is: I wouldn't recommend picking a different word because you don't like the randomly chosen one.

    Ben

  • ghostdog
    Community Member

    Thanks Ben.

    I was thinking of using 5 words given by the dice and adding one extra word that is NOT from the list.

    Just maybe stupidly thinking "that list of words is known by hackers, they can match all the words to crack it with a computer" (hard to do, but...) so adding a sixth personal word maybe helps.

    Or do you recommend just using the 5 words that the dice give me, and that's it, no extra personal word?

  • AGAlumB
    1Password Alumni

    @ghostdog: Diceware is a really neat thing. But I will say that you may want to at least consider using 1Password's Wordlist generator instead. It's got something like twice as many words in it (14k), so you get much higher entropy for each one.

    In either case, you should assume an attacker is smart and knows how you created your password. But that doesn't really help them know what your password is; they'd still need to do considerable work, even with the aid of technology, that would be costly in terms of both time and resources to guess. And 1Password makes each guess harder using PBKDF2. :)

  • ghostdog
    Community Member

    @brenty thanks, do you mean to use this:

    and not the "dice" method, because 1Password has more words?

    Is that correct?

  • AGAlumB
    1Password Alumni
    edited July 2019

    @ghostdog: Exactly! But I'll add some notes below. :)

    I just realized that I gave the size of the Wordlist as 14k above though. That's incorrect. It's what my brain said for some reason, but when the math didn't come out the way I'd remembered I went back to the source and realized I'd just misremembered. It's actually over 18,000 words. So we end up with a calculation like this:

    log2(18000) = 14.135709286 <- bits of entropy per word
    14.135709286 x 4 <- length of password (words)
    = 56.54283716 <- bits of entropy total

    So a four word Wordlist password is very strong, which is why we use that as the default. It's comparable to nine characters chosen at random:

    log2(68) = 6.0874628413 <- bits of entropy per character
    6.0874628413 x 9 <- length of password (characters)
    = 54.78716556 <- bits of entropy total

    Using five words, as you are in your example, is exponentially stronger, and still easy to remember and type. There is strength in randomness, and using words is much more human-friendly. Cheers! :)
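The entropy arithmetic from the reply above, written out as an added example (not 1Password's own code). The 18,000-word list size and the 68-character alphabet come from the reply; the 7,776-word figure for the standard Diceware list and the "how many Diceware words match four Wordlist words" comparison go beyond what the reply itself shows.

```python
# Added example, not 1Password's code: generalises the "bits per symbol
# times number of symbols" arithmetic from the reply above to any pool size.
import math

WORDLIST_1PASSWORD = 18000   # "over 18,000 words", as stated in the thread
WORDLIST_DICEWARE = 7776     # standard Diceware list: 6**5 entries (assumption)
PRINTABLE_CHARS = 68         # alphabet size used in the thread's comparison


def bits_per_symbol(pool_size: int) -> float:
    """Entropy of one symbol chosen uniformly at random from pool_size choices."""
    return math.log2(pool_size)


def entropy_bits(pool_size: int, length: int) -> float:
    """Total entropy of `length` independent, uniformly random choices.

    This only holds when every choice really is random; picking a word you
    like better than the one the dice gave you breaks the assumption.
    """
    return bits_per_symbol(pool_size) * length


def symbols_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of random symbols from the pool that reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(pool_size))


def strength_ratio(bits_a: float, bits_b: float) -> float:
    """How many times more guesses, on average, bits_a costs than bits_b."""
    return 2 ** (bits_a - bits_b)


if __name__ == "__main__":
    four_words = entropy_bits(WORDLIST_1PASSWORD, 4)
    nine_chars = entropy_bits(PRINTABLE_CHARS, 9)
    five_words = entropy_bits(WORDLIST_1PASSWORD, 5)
    print(f"4 words from the 18k list : {four_words:.2f} bits")
    print(f"9 random characters       : {nine_chars:.2f} bits")
    print(f"5 words from the 18k list : {five_words:.2f} bits "
          f"({strength_ratio(five_words, four_words):.0f}x the 4-word cost)")
    print("Diceware words needed to match 4 Wordlist words:",
          symbols_needed(WORDLIST_DICEWARE, four_words))
```

Each added word multiplies the attacker's expected work by the list size, which is what "exponentially stronger" means in the reply.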

  • ghostdog
    Community Member

    Thanks again @brenty, I'll change my master password to 4 or 5 words using the 1Password generator.

  • AGAlumB
    1Password Alumni

    Sounds good. You're very welcome! :) :+1:

This discussion has been closed.