To protect your privacy: email us with billing or account questions instead of posting here.

Response to Elcomsoft!

cnsanford
cnsanford
Community Member

Do you guys have a response to the cracker aimed at 1password announced by Elcomsoft?

https://blog.elcomsoft.com/2017/08/one-password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-dashlane/

Comments

  • Ben
    Ben
    edited August 2017

    There are already some great replies in the comments on that article, which I think are worth reading.

    The short answer is, and always has been: "Use a strong and unique Master Password." :)

    We wrote this response to a similar situation:

    AgileBits Blog | On hashcat and strong Master Passwords as your best protection

    Much of what is written there still applies. There is one thing that is notably out of date and that is the fact that most folks aren't using Agile Keychains anymore. Most folks are either using the OPVault format, or 1Password.com.

    OPVault design - 1Password Support

    That isn't to be dismissive of their claims. I have no reason to doubt them. But their own press release suggests that even at a speed of 95K/sec (which is what they claim to have achieved with our data), "only short passwords are able to be cracked." Not to mention someone would have to have access to your encrypted data in order to perform such an attack. So I think it is important to consider what it is that they are actually claiming they can do, and what the implications of that are.

    Thanks.

    Ben

  • cnsanford
    cnsanford
    Community Member

    Thanks! Updated my master password in light of the attention, so they have achieved something!!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Hey, every little bit helps! Thanks for bringing this up. Perhaps others will do the same. :chuffed: :+1:

  • mei
    mei
    Community Member
    edited August 2017

    In this post, Elcomsoft claims its recovery software is capable of brute force attacks on, among others, the 1P database, at a rate of 95,000 passwords per second with ONE (!) Nvidia GTX 1080. This has me concerned. Hence, I would like to hear your thoughts on the matter, including:

    • what does this mean for the length of your master password, given that large governments, corporations and malevolent groups can come up with insane amounts of GPU processing power? What would you advise as a minimum length password given this vulnerability?
    • what steps are you going to undertake to address this issue?
    • when can we expect a fix?

    Kind regards,

    Mei


    1Password Version: 6.8
    Extension Version: Not Provided
    OS Version: 10.12.6
    Sync Type: Not Provided

  • Manaburner
    Manaburner
    Community Member
  • mei
    mei
    Community Member

    Thanks. I guess it's not as bad as Elcomsoft is trying to advertise.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited August 2017

    @mei: We're still waiting for an update, but based on the information provided it appears they used a very, very old vault to achieve these results. The only technical match is for an AgieKeychain vault with a very low (by today's standards) PBKDF2 iteration count, and we've improved that there in the years since and also in the OPVault format, its successor. @jpgoldberg commented on this on their blog, and hopefully they'll clarify this in the article as well. Cheers! :)

  • Manaburner
    Manaburner
    Community Member

    Thank you for the link to that comment. I hope you'll publish a blog entry once you have received a reply from them to mitigate the FUD this has caused.
    On a side note: whenever I read "OPVault", I as a gaming nerd, first think of OP = Overpowered, instead of OnePassword. But I guess it still kind of fits securitywise :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thank you for the link to that comment.

    @Manaburner: Holy cow I butchered that link. Fixed. :lol:

    I hope you'll publish a blog entry once you have received a reply from them to mitigate the FUD this has caused.

    It's possible, though I'm not sure there's much material there. I think so long as they issue a correction that will be best since that's going straight to the source, so to speak. :)

    On a side note: whenever I read "OPVault", I as a gaming nerd, first think of OP = Overpowered, instead of OnePassword. But I guess it still kind of fits securitywise :)

    I lol'd. I'm not sure that was intentional, but it should have been and perhaps that was a missed marketing opportunity. :tongue:

  • Manaburner
    Manaburner
    Community Member

    It's possible, though I'm not sure there's much material there. I think so long as they issue a correction that will be best since that's going straight to the source, so to speak

    Understood. I only thought of a blog entry as something you can link to, when the question arises again.

  • pervel
    pervel
    Community Member

    I agree with @Manaburner. It would be nice with some updated numbers showing how strong the current encryption in 1Password is. The old blog post dates back to 2013.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Manaburner, @pervel: Ah, that makes sense. You guys were thinking of the big picture. I was focused on this particular case. I agree, I'd love to see a new blog post from @jpgoldberg . :)

  • bcallais
    bcallais
    Community Member

    Reading news about Elcomsoft, should I move to an excel file to store my password ???????


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Hi @bcallais,

    That would not be the conclusion I would draw from their statements. I don't think any 3rd party security experts would recommend that either.

    Ben

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Hi, I have merged two discussion about this into the one you see here.

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited August 2017

    As far as we have been able to tell, Elcomsoft was testing a very old version of 1Password data. It looks like they were looking at a Agile Keychain Format created many many years ago.

    I have a great deal of respect for the technical work that Elcomsoft does. They are really good at this stuff, and have discovered some subtle weaknesses in some systems (not ours) over the years that needed to be fixed. But that respect I have for them does not extend to their marketing material.

    Which data did they test?

    At least from what we have seen about their various claims about 1Password over the years, they are very bad at reporting what particular data formats they tested, and they are very selective about what particular formats and versions they choose to test. This appears to be another instance of that.

    Local data only

    A Master Password guessing attack is not possible against data captured from our servers. This is what the Secret Key in our Two-Secret Key Derivation (2SKD) is for.

    So these cracking attempts are only relevant to data stolen from your system (or some third party syncing mechanism). This is why you still need to have a good Master Password.

    We have the honor of being a target

    One annoying thing about having a well-known reputation for security is that mentioning us in a press release gets something more notice. Way back when, Elcomsoft did an excellent analysis of crackability of password managers on mobile devices. Reading through the report you would learn there were loads of password managers for mobile devices that had horrendous or even no actual local data security. It was a scary read.

    But they also found a couple of issues with that version of 1Password for iOS at the time. One was an issue we really needed to improve, but the the other, while really clever and cool, was in practice completely unexplainable. Even with these, we were clearly among the very best of what they tested.

    But guess who was mentioned in their press releases? And the practically unexploitable issue is what they talked about at conferences (it was cool, though).

    I can't really blame them for this, and this is a minor price to pay for the position we are in. But it is annoying.

    Two pieces of advice.

    The advice here is going to be unsurprising, but I am happy to repeat it.

    1. If, for some reason, you are still using the Agile Keychain Format, move to using accounts or at least OPVault.
    2. Most importantly: Use a strong, unique Master Password.
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited August 2017

    @pervel and @Manaburner (and perhaps others) have asked for updated "numbers" about cracking times.

    I'm going to do something a little different this time around. Instead of talking about the time to crack (on some imaginary setup), I'm going to talk about the total cost to an attacker to crack. I

    Also, I am going to ignore the specific details of the number of PBKDF2 (or other slow hashing), and instead I will just assume that it is sufficiently strong.. Once these are "strong enough" there are diminishing returns in making them stronger. Consider using, say, 100,000 rounds (as we do with 1Password Accounts). To get the same benefit of merely adding a single randomly chosen digit to the end of your Master Password, we would have to go to 1 million rounds. Increasing PBKDF2 rounds is important and useful, but only up to a point. After that point it is a very wasteful and inefficient way to protect things.

    So I am using an assumption that is is a million (2^20) times more expensive to guess a single password (when done in bulk) than it is to perform a single cryptographic operation. Note that this includes not just the PBKDF2, but the generation of password guesses, the handling of those guesses, etc.

    Anyway, I am taking the cost of computation from estimates made from bitcoin mining from 2013 (1 million dollars for 2^70 cryptographic operations) and adjusting that cost using Moore's law, as a rate of computation costs halving once every 1.5 years.

    Based on this, here are my calculations for password generated from our wordlist based generator (18331 words) for passwords that are 3, 4, 5, 6, and 7 words long. As we are in the second half of 2017, I will use cost estimates for 2018.


    Now for more readable numbers, I will try to construct a table.

    length in words bits USD cost in 2018
    3 42.49 five hundred and forty
    4 56.65 nine million, nine hundred thousand
    5 70.81 one hundred and eighty billion
    6 84.97 three quadrillion, three hundred trillion
    7 99.13 sixty one quintillion

    Again, these are the costs for each target the attacker is going after. If you think (plausibly) that someone will spend 1000 dollers (after capturing your data from your systems) specifically on you, then a three word Master Password is not enough. You should go with 4 words, or add some of your own "non-word" to a three-word Master Password to make it "three words plus something special for you"

    If you think that someone is going to spend millions of dollars specifically on you (which means it is millions of dollars they don't spend going after something else), then they will probably just break into your residence and tamper with your computers, as that would be cheaper than going after a four word Master Password.

    I list the five, six, and seven word passwords just to show how much more quickly the cost rises for the attacker then it would by increasing the number of PBKDF2 rounds.

    My calculator

    This should probably just be done in a spread sheet, but for some reason or other, I started in R.

    costStrength <- function (bits, year=2016, MUSD2013bits = 70, pcratio=20, moore=1.5 ) {
         # bits: Strength of password in bits.
         # year: year of analysis
         # MUSD2013bits: log2 of crypto operations peformed by million USD in 2013 
         # pcratio: log2 how much harder to make a single password guess than a crypto operation
         # moore: Number of years for compute cost to halve.
    
         costNow <- MUSD2013bits + (year - 2013)/moore
         bits <- bits + pcratio
    
         diffBits <- costNow - bits
         cost <- 10^6/(2^diffBits)
         return(cost)
         }
    
  • Manaburner
    Manaburner
    Community Member

    I have understood almost nothing of the calculations :), but my take is: the longer the master password, the better, because it is more expensive for an attacker to crack it. Thank you @jpgoldberg for your post

  • pervel
    pervel
    Community Member

    Interesting calculations, @jpgoldberg. Is the "cost" primarily the electricity cost for running the machines?

  • prime
    prime
    Community Member

    Awesome thread! @jpgoldberg, I enjoy reading your stuff! Then I sometimes ask @brenty to translate it sometimes :lol:

    I love how these sites test on old software, but I am glad @jpgoldberg points out stuff and make them think. It makes me feel better about using 1Password.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    It turns out that they may have been testing recent versions of 1Password for Windows. The "local" data store Key Derivation Function hasn't been updated as it should have been. So I may need to apologize for the suggestion that they were going after old data.

    (Note that we just found this issue in Windows today, separately from the Elcomsoft report.)

    Again, however, I should note that once you have "enough" PBKDF2 iterations, you get a far far bigger gain in security for the effort by making small improvements to the Master Password than by increasing the number of PBKDF2 iterations.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Elcomsoft has posted an additional blog post on this topic:

    Attacking the 1Password Master Password Follow-Up

    I really think they did a good job of correcting the record and also going into some of the different factors involved here.

  • AskAli
    AskAli
    Community Member

    @brenty Great read! Thanks for telling us about it.

    @jpgoldberg So if I understand correctly, over time as devices get more sophisticated the time to crack will exponentially decrease as well as the resulting money needed to afford such materials according to Moore’s Law?

    As I understand a 4 word master password is sufficient (what I use based on your 18,000 word list). If this ever becomes irrelevant or insufficient say in the next 5 years or so and a more complex password is needed will you all let us know?

    Also, one thing I’m curious about is over time passwords need to be longer and more complex as technology gets better. How are we supposed to keep up and memorize even longer master passwords? Memorizing my secret key was hard enough. (Better safe than sorry) I doubt I could memorize 6 or 7 words, or it’d be hard/annoyingat the very least.

    Thanks! I love what you do.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @AskAli: You're very welcome! And I have no doubt that Goldberg will have a blog post for us if and when we need to start moving to longer Master Passwords. Personally, I'm using 7 words already because I hate change more than I hate typing a long password occasionally. I think you're the first person who I've ever heard of memorizing their Secret Key. First of all, wow, that's pretty amazing! But second, I'd encourage you to consider using a stronger Master Password instead. I think you'll find that even 7 words is easier to remember and type than a Secret Key! Keep a copy of your Emergency Kit somewhere safe, and you'll always have your Secret Key there, even if you lose all of your devices (which would allow you to access the Secret Key in Settings/Preferences). You don't need to use a crazy Master Password today like I do, but you'll get much more security benefit from doing that than you will memorizing your Secret Key. Cheers! :)

  • AskAli
    AskAli
    Community Member
    edited August 2017

    @brenty Thank you :)

    Wow! 7 words! I thought 4 was crazy long enough, most people I know think even 12 characters is already way too long but they don't use password managers or anything, their passwords are probably something along the lines of like "doggy412". I really wish people knew more about security and just how important this stuff is, I'll try my best to spread the word!

    I'll probably do that then right now! I'm sure with enough practice it'll become second nature, I can type my passwords at crazy speeds. There's no reason for me to ever change my secret key as well correct? For other accounts like my Apple ID, which I consider very important, I use 4 words as well. I wanted to increase it but unfortunately they have a max limit of 34 characters and I have to type it on my phone often so I thought a word-based password might be enough. Otherwise I guess I could switch to a 34 random characters if you'd think that's better.

    & The reason I memorized my secret key is because I'm scared I might lose my emergency kit, it's just in my house at the moment. One of my absolute favorite features of 1Password is the ability to sign in from anywhere but for that you need your secret key.

    This is really random but I wanted to ask about the separators such as hyphens, spaces, underscores etc. Is there a reason the hyphen is default or a recommended one to use? Or does one inherently offer an advantage compared to another? When I first created my 1Password.com account I used your recommendations because I couldn't come up with any good passwords and I'm sure coming up with one myself would hardly be "random".

  • AGAlumB
    AGAlumB
    1Password Alumni

    @AskAli: To be clear, 7 words is definitely overkill right now. I'd just rather memorize this one and hopefully keep it for the rest of my life. lol

    The only reason to change a Master Password or Secret Key are if they are compromised or it's found that either are insufficient for technological reasons in the future due to brute force attacks. Either of these can be done on your Profile page at 1Password.com under Manage. Memorizing a Secret Key once is hard enough, so I think it's better to avoid setting things up where you have to again if you ever need to change it. Having an Emergency Kit somewhere other than at home (e.g. bank safe deposit box) would be preferable, since your Emergency Kit would also be at risk in a fire or theft situation. I totally get being worried about losing it, but doing that or having another family member as an Organizer who can recover your account for you will help you sleep easier.

    I'd say stick with your Apple ID password you've already got. It's easy to change in the future if you need to (compared to your Master Password). And you can use Apple's two-factor authentication to further protect your account without having to type random gibberish as your password.

    Regarding separator characters, there's not a substantial security benefit to these. Many folks have suggested using randomized separator characters, but that adds very little security and makes it much harder to memorize. Ultimately which separator you use when generating a password is a matter of preference, or sometimes helps with website password requirements. But at the same time, choosing the separators yourself wouldn't do much harm either, so long as the words are chosen truly at random. I usually just use spaces anyway, since it's natural to type and no one will be able to guess the words. :sunglasses:

  • AskAli
    AskAli
    Community Member
    edited August 2017

    @brenty: Gotcha! Makes perfect sense! I have the dashes but that's just because it was default so I kept it like it is. That's fine too as you said, and I don't need to fix what isn't broken, it'd be a hassle to change it just so it goes from dashes to spaces, they're both fine as is.

    Thanks for your input! I'm glad I can now make my account more secure and feel more at ease about it, honestly it's kinda scary seeing how tech is advancing and I truly wonder if there's an upper limit for this sort of thing, it just gets faster and faster to crack passwords and passwords are so important and widely used in this day and age.

    & I'll keep it in a vault and probably give a copy to my parents to store somewhere safe!

  • AGAlumB
    AGAlumB
    1Password Alumni

    That's a great idea. Always have a backup! Glad to be able to help in some small way. :chuffed:

This discussion has been closed.