
Password policies are useless

heubergen
Community Member

After a short break I'm trying 1Password again, but your password policies are really upsetting me. I have a very safe 8-character password containing no real words but numbers and special characters. But no, the online service tells me to use a password of at least 10 characters. I'm not gonna learn and change my password on every site where I'm unable to use my password manager just because 1Password doesn't like mine. My consequence? I'm now using a very simple weak password containing one real word and some numbers. But hey, at least it's 10 characters, so that automatically makes it safe, right?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    @heubergen - I'm sorry the Master Password requirements for 1password.com accounts upset you. The ten-character limit is indeed for security purposes. You would find (if you had tried) that even at ten characters, if you'd tried to use AAAAAAAAAA or password123 or similar, those would have been disallowed as well. If you had an eight-character password that you had committed to memory and wanted to use as your Master Password for your 1password.com account, you could have added another two characters onto the end of it - maybe a symbol and a numeral? Your choice - and kept using it with just those two added characters.

    I certainly wouldn't recommend you use a weak password anywhere, these days; that's contrary to the spirit of what 1Password helps you do and protect against.

  • XIII
    Community Member

    If this article by Ars Technica is correct, a password of 8 characters could already be hacked (offline) in less than 6 hours in 2012...

    A minimal length for a password might be a good password policy (one of the best?).

  • Indeed. And if memorability is a concern you might consider using a word-based password, which 1Password can generate for you. Our word-based passwords are roughly based on diceware.

    Ben

  • rlh
    Community Member

    @heubergen, I feel your pain. When I signed up for Families, my years-old Master Password was also too few characters. It was a tough change to make but my fingers are gradually getting used to it.

    However, another comment you made caught my attention.

    I'm not gonna learn and change my password on every site where I'm unable to use my password manager just because 1Password doesn't like mine.

    Do you mean that for some number of sites where you can't use 1Password for some reason, you default to using that same 8-character password on those sites that also unlocks your 1Password? In general, password reuse is a bad thing. And more than any other password in my life I wouldn't want to reuse my 1Password Master Password! (In fact, that is what made me willing to change my Master Password after all those many years; I had used it in some other contexts--long since changed--but I was worried that password might be out in the wild and this was a good opportunity to eliminate that risk.) If that's not what you meant, forgive me.

    Bottom line is that despite the pain in changing, I have ended up with a larger sense of comfort now that I have a much longer Master Password. I hope everything works out for you.

  • Good catch, @rlh. I didn't originally interpret it that way, but if that is what is happening you're right... reusing any password is not great... reusing the 1Password Master Password especially so.

    Ben

  • heubergen
    Community Member

    You're right, @rlh, that I'm using the same password everywhere I can't type it in with a password manager. But I'm only human and I just don't see the point of a 10-character requirement. Brute-forcing my good (8-character) password would take weeks if not years, so why force me to 10?

  • bkh
    Community Member
    edited August 2018

    Brute-forcing my good (8-character) password would take weeks if not years

    That may not be true anymore, given highly-tuned password cracking software running on multiple GPUs. For some discussion on this question, see articles such as these (the third contains a nice calculation from Jeffrey Goldberg of 1Password):

    https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

    https://security.stackexchange.com/questions/43683/is-it-possible-to-brute-force-all-8-character-passwords-in-an-offline-attack

    https://www.quora.com/How-fast-could-the-worlds-fastest-supercomputer-brute-force-crack-a-password-Could-anyone-provide-a-spreadsheet-with-how-fast-the-worlds-fastest-supercomputer-could-break-a-password-that-is-1-2-3-100+-characters-long

  • rlh
    Community Member

    @heubergen, for me personally, one of the reasons I was willing to "invest" in upping my password to >10 characters was that this seemed like an opportune time (somewhat imposed by the folks at 1Password) to "future-proof" my Master Password.

    As shown in threads such as:

    https://www.reddit.com/r/dataisbeautiful/comments/322lbk/time_required_to_bruteforce_crack_a_password/

    8 character passwords may withstand 50-60 days of cracking or as little as 12 hours depending on what GPU investment the bad guys have made. So, despite the pain I decided I would move into the many-to-hundreds of years range on the referenced article's table.

    However, let's not debate password length or the speed of computers an attacker might have. I'd urge you to contemplate your password reuse. Because, regardless of the time it takes to brute force a password, if a reused password does become compromised at any one site, subsequent attackers will use that password as part of a focused cracking attempt, or worse as part of a credential stuffing attack (if you are also using the same email/user ID to log into those sites). And all it takes is for one site to store a password in plaintext, an inappropriately salted hash, etc. to make password compromise easy for passwords of any length.

    Clearly, I'm not offering you any practical solution to avoid reuse. And please don't take this as an attack of your password management approaches. More than anything I'm sharing my personal evolution from "I don't need a password manager" to a drastically more paranoid approach to account security. And "never reuse passwords" has become one of my mantras (and thus you are my "victim" ;) ).

    As an aside, thanks to the AgileBits team and Have I Been Pwned for the Watchtower 2.0 capability to flag compromised passwords. If any of my unique, incredibly long passwords ever show up I know that either that site has been hacked (even if they haven't admitted it) or (as statistically improbable as it would be) someone else managed to generate the same random password and theirs was compromised. Either way, I can quickly change that password and formulate a plan to assess and contain the damage. And better to have that problem for only one site, not many...

  • AGAlumB
    1Password Alumni
    edited August 2018

    @heubergen: Nope. Any attacker, even a fairly incompetent one, can just use a pre-calculated table of all short passwords, and 8 characters isn't much at all in that regard. Keep in mind that each additional character increases the number of possibilities exponentially, so you're giving up more additional security by clinging to 8 characters than you'll get added convenience by not having to remember/type two more.

    While an 8 character password randomly generated using a set composed of 93 characters (symbols, digits, and letters) would have a fairly respectable 52 bits of entropy, a password you made up yourself will not. And again, an attacker can just try all possible 8 character combinations over the course of a few months. Going to 9, 10, and beyond means literally quadrillions more they would have to try. And they will try the shorter ones before trying the longer ones. It would be foolish not to. That's why 10 is the minimum. It won't kill you to add two more.

    I'd also strongly encourage you to not reuse passwords. That's why you're using 1Password anyway, right, so you don't have to? If one of the sites where you're using the same one is breached, someone could use it on others as well (not to mention if it's short they could just guess it). Use a unique password for each, and this doesn't happen. Obviously it's infeasible to remember all of those, but that's where 1Password comes in!

    I know that in some cases it's necessary to remember and type passwords besides our Master Password though, but, as they say, there's an app for that: 1Password can generate random word-based passwords for you using a Wordlist composed of 18,000 words. So you can get something like "duff league kite lobby", which is already going to be harder to guess than a random 8 character password because there are more possibilities of 4 words from 18,000 (56 bits) than there are 8 characters from 93 characters. And of course with 1Password, even in a situation where you can't have 1Password filling, 1Password can still remember it for you so you don't have to. Cheers! :)
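The entropy comparison in the post above (93-character random passwords at 8 vs. 10 characters, against 4 words from an 18,000-word list), worked through as an added example; this is not code from the thread or from 1Password, and the attacker guess rate is a constructed assumption used only to make the numbers concrete.

```python
import math

# Pool sizes quoted in the thread; the guess rate is a constructed assumption.
CHARSET_SIZE = 93              # symbols, digits and letters
WORDLIST_SIZE = 18_000         # words in the word-based generator's list
ASSUMED_GUESSES_PER_SEC = 1e11 # constructed attacker speed, not a measurement

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` items drawn uniformly from `pool_size` choices.

    Only valid for machine-generated passwords: a human-chosen string is far
    from uniform, so its real strength is lower than this figure suggests.
    """
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Worst-case years to try every possibility at the given guess rate."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def growth_factor(pool_size: int, extra_chars: int) -> int:
    """How many times larger the search space becomes per `extra_chars` added."""
    return pool_size ** extra_chars


def compare_schemes() -> dict:
    """Entropy (rounded to 0.1 bit) and exhaustive-search years for each scheme."""
    schemes = {
        "8 random chars / 93": entropy_bits(CHARSET_SIZE, 8),
        "10 random chars / 93": entropy_bits(CHARSET_SIZE, 10),
        "4 words / 18,000": entropy_bits(WORDLIST_SIZE, 4),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:22s} {bits:5.1f} bits  ~{years:,.3g} years to exhaust")
    print("8 -> 10 chars multiplies the search space by", growth_factor(CHARSET_SIZE, 2))
```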
