Re: Crackers report great news for 1Password 4

hawk7000
edited March 2014 in Lounge

Some comments on http://blog.agilebits.com/2014/03/10/crackers-report-great-news-for-1password-4/

What I feel is missing in the article is some actual word on how bad(?) this is for the "Agile Keychain Format", which to my understanding is used for sync by all versions, including 4 (http://learn.agilebits.com/1Password4/Security/rollout.html). The article just alludes to the situation being fairly dire in comparison (and seemingly avoiding the subject makes me think that is the correct conclusion), despite the "Agile Keychain Format" still being heavily used for what seems to be one of the more sensitive storage locations.

Also, relating to that it would be very interesting to hear some indication on when the transition to the new format will become available.

Edit: I should add that maybe it's just the headline that causes me to have a negative reaction; I suppose the actual point should be more about the importance of long passphrases. The article even has links to previous articles that, while a bit old, do cover the general concerns for the older scheme; it's just that the links are not in a context where it's entirely obvious that they will have that information.

Comments

  • khad Social Choreographer

    Team Member

    Thanks for the feedback on this, @hawk7000. I agree that the point of the post was more about the importance of picking a good Master Password. As Jeff said in the post (emphasis mine):

    Your job is to pick a good Master Password so that it will take trillions of guesses before the attacker finds the right one. Our job is to make sure that they can’t make millions of guesses per second on common hardware, thus significantly slowing down the guessing process, ideally to the point of futility. We do our job by using a “slow hash” for deriving encryption keys from your Master Password. In 1Password 4, that slow hash is PBKDF2-HMAC-SHA512. For the Agile Keychain Format it is PBKDF2-HMAC-SHA1.

    The focus in the post was on the Cloud Keychain Format because that is what hashcat just added support for cracking. We had an older post when there was news about hashcat's abilities with regard to the Agile Keychain Format. As you mentioned, it was not linked prominently, but that was not the focus of that particular post. Perhaps we can make it clearer. I've mentioned this to @jpgoldberg.

    I don't have much more information about the transition than what is already in the "Rolling out the 1Password 4 keychain" you are already aware of. As mentioned there, because of our priority to ensure that no data is lost or misplaced, we are proceeding slowly. There are a lot of moving parts, and syncing across so many different versions on so many different platforms requires a lot of work to get right. We genuinely appreciate your patience in that regard.

    The easiest way today to transition to the new data format — if you wanted to do so — is to switch your syncing from Dropbox to iCloud. That mechanism, obviously, is only available on iOS and OS X. If you are syncing your 1Password data among systems that include Windows and Android, you will need to stay with the Agile Keychain Format until those are ready for the 1Password 4 Cloud Keychain Format.

    One of the reasons that the new data format is being synced by iCloud only at the moment is precisely because we don't want that data pushed to Windows until 1Password for Windows is ready for it. When you start seeing additional sync mechanisms for the Cloud Keychain Format, you will know that syncing with Windows is coming soon (for undisclosed values of "soon").

    Finally, I apologize in advance if my reply was a little disjointed. It's really late here, and it's been a long day. Please let me know if there is anything else I can help with or if I missed anything. It is great that you are thinking about these things. :)

  • jpgoldberg Agile Customer Care

    Team Member

    Thanks @hawk7000!

    You are probably correct that I should have been more clear about the differences between the Agile Keychain format and the new format in that article. I'll see if there is a reasonably easy edit I can make to do so.

    As you know the situation with respect to the Agile Keychain Format hasn't changed since last year (other than advances in hardware available to the attacker). Last April hashcat reported 300,000 guesses per second against an Agile Keychain with 10000 PBKDF2 iterations on a machine with 4 GPUs.

    As @khad mentioned, the rollout of the new format is taking time. It's now been more than a year that it's been available on iOS (from December 2012) and nearly half a year on Mac. It simply is very, very hard to change a sync format for software that covers multiple platforms. Believe me, we are as impatient about this as you are. 1Password 4.2 for Mac sets a new minimum of 25,000 PBKDF2 iterations (and a maximum of 100,000) as it calibrates this for new keychains (or when you change a Master Password).
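The arithmetic behind the two replies above (PBKDF2 cost scaling linearly with the iteration count, and picking an iteration count by calibrating on the local machine) is easy to make concrete. The following is an added example, not code from AgileBits or 1Password: it derives keys with both PRFs named in the thread (PBKDF2-HMAC-SHA1 for the Agile Keychain Format, PBKDF2-HMAC-SHA512 for 1Password 4), rescales the reported 300,000 guesses/second at 10,000 iterations to other iteration counts, turns that into an expected time-to-crack for a given passphrase entropy, and shows one simple way to calibrate an iteration count into the 25,000 to 100,000 range. The sample passphrase and salt are constructed; the linear-scaling model and the calibration method are assumptions, not a description of how 1Password itself does it.

```python
import hashlib
import math
import os
import time

# Constructed sample inputs for demonstration (not values from the thread).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

# Figures quoted in the thread: hashcat's reported rate against an Agile Keychain
# with 10,000 iterations on a 4-GPU machine, and the 1Password 4.2 iteration range.
REPORTED_RATE = 300_000        # guesses per second
REPORTED_ITERATIONS = 10_000
MIN_ITERATIONS = 25_000
MAX_ITERATIONS = 100_000


def derive_key(password: str, salt: bytes, iterations: int,
               prf: str = "sha512", dklen: int = 32) -> bytes:
    """PBKDF2-HMAC key derivation. prf='sha1' matches the Agile Keychain Format,
    prf='sha512' matches the 1Password 4 Cloud Keychain Format."""
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, dklen)


def scaled_guess_rate(reported_rate: float, reported_iterations: int,
                      iterations: int) -> float:
    """Assumption: PBKDF2 work is linear in the iteration count, so an attacker's
    guesses/second on the same hardware scale inversely with iterations."""
    return reported_rate * reported_iterations / iterations


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a passphrase drawn uniformly from 2**entropy_bits
    candidates: on average the attacker has to try half the space."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def calibrate_iterations(target_seconds: float, floor: int = MIN_ITERATIONS,
                         ceiling: int = MAX_ITERATIONS, probe_iterations: int = 10_000,
                         prf: str = "sha512") -> int:
    """Choose an iteration count so that one derivation takes about target_seconds
    on this machine, clamped to [floor, ceiling]. This timing-probe approach is an
    assumption made for the example, not 1Password's own calibration routine."""
    start = time.perf_counter()
    derive_key("calibration-probe", os.urandom(16), probe_iterations, prf)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:
        return ceiling
    estimate = int(probe_iterations * target_seconds / elapsed)
    return max(floor, min(ceiling, estimate))


def summarize(entropy_bits: float = 40.0) -> dict:
    """Expected crack time in days for each iteration count mentioned in the thread,
    using the reported rate rescaled to that count."""
    report = {}
    for iters in (REPORTED_ITERATIONS, MIN_ITERATIONS, MAX_ITERATIONS):
        rate = scaled_guess_rate(REPORTED_RATE, REPORTED_ITERATIONS, iters)
        report[iters] = expected_crack_seconds(entropy_bits, rate) / 86_400
    return report


if __name__ == "__main__":
    for prf in ("sha1", "sha512"):
        key = derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, MIN_ITERATIONS, prf)
        print(f"PBKDF2-HMAC-{prf.upper()}: {key.hex()}")
    for iters, days in summarize(40.0).items():
        print(f"{iters:>7} iterations -> ~{days:,.1f} days for a 40-bit passphrase")
    print("Calibrated iterations (0.1 s target):", calibrate_iterations(0.1))
```

The takeaway matches the post: going from 10,000 to 100,000 iterations cuts the attacker's guess rate tenfold, but each extra bit of passphrase entropy doubles the expected time, so the user's choice of Master Password still dominates the outcome.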
