Feature request: Custom account key

In a tinfoil-hat scenario where the account key generator was compromised, would it be possible to brute-force the master password?

If so, when creating an account, could we specify a custom account key?


1Password Version: 5.5b23
Extension Version: 4.5.0.2
OS Version: 10.11.1
Sync Type: Dropbox

Comments

  • AGAlumB
    1Password Alumni
    edited November 2015

    @R031E5: No. And I don't expect that this is something we'll do in the future either, but only time will tell. In order to benefit from the increased security afforded by random data (the Account Key) augmenting the Master Password, it has to be, well...random.

    Human beings are really, really bad at producing even random-ish data. That's an understatement; we really can't do this ourselves. Since almost no one can remember a random Master Password, the Account Key provides some much needed randomness to strengthen the Master Password against brute force attacks. Otherwise we'd all need to use much, much longer Master Passwords to get the same effect.

    And you may want to take off that tin foil hat. It can actually amplify radio frequencies in certain bands. How's that for paranoia? ;)

  • Hi,

    in my opinion it is not good to have this option. It would lower security if you chose the account key yourself. If you don't trust the account key generation, you can't trust the encryption anyway.

    Randomness is the key.
    I wrote these lines before brenty replied, so it may be a duplicate.

  • R031E5
    Community Member
    edited November 2015

    @brenty I understand. My line of thought was more of my computer deploying the random seed rather than the 1password servers. Of course I wouldn't "type" the Master Password by hand, but I've worked for clients with policies that specify that the private key must be generated and stored in-house.

  • @R031E5,

    The Account Key and all cryptographic functions are done on your computer and not on a 1Password server.

    Random

  • R031E5
    Community Member

    @random_31731ec7aea Thank you, I still haven't read the white paper, which I probably should've done beforehand.

  • AGAlumB
    1Password Alumni
    edited February 2018

    @random_31731ec7aea: Thank you! :)

    The Account Key and all cryptographic functions are done on your computer and not on a 1Password server.

    @R031E5: Y'know, I feel silly for not mentioning that earlier. Random is absolutely correct. A key part of the security of 1Password for Teams is that your Master Password and Account Key are created locally on your computer (the former by you, the latter using the OS random number generator). We do this for security, but as you noted this can be important when it comes to your company's policies as well!

    I don't blame you or anyone else for not having read the 1Password for Teams white paper. After all, it's our job to understand this and explain it to anyone asking these kinds of questions. And I apologize for letting you down in that regard. It isn't a legitimate excuse, but this is all very new to me too, so I've not only got all of this so fresh in my mind that I take it for granted, but also I'm not used to being able to talk about it yet, so that's something I really need to work on.

    That said, based on your interest in the security of 1Password for Teams, I encourage you to read the white paper. I find it very enjoyable myself, and your questions lead me to believe that it might be right up your alley. I didn't write it, so I don't mind saying that it's both informative and entertaining! Just be aware that it's a work in progress, so we'll be revising it and adding even more information over time. We'd love to hear your feedback!
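The two points made in this thread, that the Account Key is random data produced locally by the OS and that it is mixed into the key derivation so a brute-force attack on the Master Password has to guess the Account Key too, are easy to see in a toy model. The block below is an added example written for this page; it is not code from the thread, from 1Password, or from its white paper, and the HMAC/XOR mixing, the tiny PBKDF2 iteration count, the salt, the wordlist and the function names are all constructed for illustration. It stages an offline dictionary attack against the same password three times: password-only derivation, password plus an Account Key the attacker does not have, and password plus an Account Key the attacker has also stolen.

```python
"""Toy two-secret key derivation: a human-chosen Master Password plus a
machine-generated Account Key.  Illustrative scheme written for this thread,
NOT 1Password's actual algorithm; parameters are deliberately small."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 2_000   # far too low for real use; keeps the demo fast (assumption)
KEY_LEN = 32                # 256-bit derived key
ACCOUNT_KEY_BYTES = 16      # 128 bits of OS randomness
CHECK_LABEL = b"key-check"  # constant the verifier MACs to recognise the right key


def generate_account_key() -> bytes:
    """Made on the user's own machine from the OS CSPRNG, never from anything typed."""
    return secrets.token_bytes(ACCOUNT_KEY_BYTES)


def derive_key(master_password: str, salt: bytes, account_key: Optional[bytes]) -> bytes:
    """Slow-hash the password, then (optionally) fold in the Account Key.

    The password half is stretched with PBKDF2 because humans pick low-entropy
    secrets.  The Account Key half needs no stretching (it is already random):
    it is keyed through HMAC and XORed in, so each candidate password an
    attacker tests is also implicitly a guess at 128 unknown random bits.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, KEY_LEN)
    if account_key is None:
        return pw_key
    ak_key = hmac.new(salt, account_key, "sha256").digest()
    return bytes(p ^ a for p, a in zip(pw_key, ak_key))


def key_check_value(key: bytes) -> bytes:
    """What a thief finds beside the encrypted vault: enough to test guesses offline."""
    return hmac.new(key, CHECK_LABEL, "sha256").digest()


def brute_force(candidates: Iterable[str], salt: bytes, check: bytes,
                account_key: Optional[bytes]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack.  Returns (recovered_password_or_None, guesses_made)."""
    tried = 0
    for pw in candidates:
        tried += 1
        if hmac.compare_digest(key_check_value(derive_key(pw, salt, account_key)), check):
            return pw, tried
    return None, tried


def guesses_with_unknown_account_key(n_candidates: int) -> int:
    """Worst-case work when the attacker must pair every password guess with every
    possible 128-bit Account Key.  Dictionary size stops mattering next to 2**128."""
    return n_candidates * 2 ** (8 * ACCOUNT_KEY_BYTES)


# Constructed demo data: a weak password that is in the attacker's wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2015!",
            "correcthorse", "password123", "iloveyou"]
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PASSWORD = "Summer2015!"


def demo() -> dict:
    # 1. Enrolment on the user's machine: password from the human, Account Key from the OS.
    account_key = generate_account_key()
    check_pw_only = key_check_value(derive_key(DEMO_PASSWORD, DEMO_SALT, None))
    check_two_secret = key_check_value(derive_key(DEMO_PASSWORD, DEMO_SALT, account_key))

    # 2. Attacker has salt + check value (e.g. from a synced vault file) and a wordlist.
    pw_only, _ = brute_force(WORDLIST, DEMO_SALT, check_pw_only, None)
    unknown_key, tried = brute_force(WORDLIST, DEMO_SALT, check_two_secret, None)
    stolen_key, _ = brute_force(WORDLIST, DEMO_SALT, check_two_secret, account_key)

    return {
        "password_only": pw_only,            # weak password falls to the wordlist
        "account_key_unknown": unknown_key,  # same wordlist, nothing matches
        "account_key_unknown_tried": tried,
        "account_key_stolen": stolen_key,    # with the key, it is a password attack again
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
    print("worst-case guesses with unknown Account Key:",
          guesses_with_unknown_account_key(len(WORDLIST)))
```

The third run is the caveat a practitioner should keep in mind: the Account Key only adds work for an attacker who does not already hold it, which is why it should be generated and kept on the user's device rather than anywhere an attacker who steals the vault could also find it.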
