How do users take advantage of increased 1Password security?

misterdna
Community Member

It seems you're making the keychain stronger with updates to 1Password. However, it would be great for users if you explained exactly what steps we need to take to utilize the new updates, and exactly how to execute those steps. My understanding is, without taking some actions with our keychains, the increased security to 1Password doesn't benefit existing users at all.

I'd suggest you proactively push these steps out to your users, and suggest they take the steps (especially considering many of us sync using Dropbox, and want all our passwords and VITAL information about our identities to be as safe as possible on a not 100% secure cloud space). Otherwise, it feels like you're not really helping your existing customer base take advantage of the security improvements.

My longterm security worry is, someone gets ahold of my keychain today, and in the future (5 years? 10?), when computers and attack methods have become much more powerful, a "bad guy" will be able break into my keychain, and learn everything they need to steal my identity. Even if I've changed my passwords, so much other vital information is a keychain, it's a thought that truly concerns me. Hence, I really think every 1Password user should be alerted, and carefully instructed on how to maximize their protection. Otherwise, I think your updates are wasted on the majority of your users.

Comments

  • Hi @misterdna,

    We mentioned in the release notes for the Mac app and Windows app that by changing your master password, the 1Password app will automatically start using the increased security strength of your data.

    To do this, you just have to open the main 1Password app, unlock, go to its Preferences > Security, and change your master password. Once you do that, 1Password will increase the iteration counts of the PBKDF2 to make your keys more computationally intensive to attack.

    We have more work in this area coming, specifically 1Password 4 for Mac/Windows. They'll have a lot of major security improvements, and when users upgrade to it, their data is automatically upgraded to benefit from the improvements. If you'd like to know more, you can read our security guide for it.

  • misterdna
    Community Member

    Thanks for the quick reply. I saw something that said you had to create a new password and create a new keychain (or something to that effect). So it was the second part I wasn't clear about. For some reason, just creating a new password didn't seem like it was all that was necessary, based on my memory of what I saw in the release notes (or maybe I just saw a synopsis, not the entire release notes?). Anyway, thanks!

  • misterdna
    Community Member
    edited May 2013

    Okay, a related question for you. I use a cloud-based backup to access my 1Password data when I'm not at home. The cloud service keeps previous versions of my data, as a safety net for users. It stores all the agilekeychain contents as separate files. Now that I have updated my 1Password password, exactly which backed-up agilekeychain files need to be deleted, to make sure my older password (with the older, less strong encryption) is not still available, in case of some type of account breach of my cloud account?

    This question might also apply if I felt my 1Password password had been discovered, and I wanted to make sure the data accessible with the old password isn't floating around on the cloud.

    Thanks!

  • khad
    1Password Alumni

    I saw something that said you had to create a new password and create a new keychain (or something to that effect).

    In 1Password 3 for Mac (up through version 3.8.10) keychains were created using 1,000 PBKDF2 iterations.

    Starting in 1Password for Mac 3.8.11 (released in December 2011) and continuing through version 3.8.20 keychains were created using 10,000 PBKDF2 iterations. Changing the Master Password did not change iterations in those older versions.

    In 1Password for Mac 3.8.21 (released in April 2013), keychains are created using 10,000 PBKDF2 iterations. On a Master Password change, iterations will be increased from 1,000 to 10,000 if necessary.

    Now that I have updated my 1Password password, exactly which backed-up agilekeychain files need to be deleted, to make sure my older password (with the older, less strong encryption) is not still available, in case of some type of account breach of my cloud account?

    Please see Jeff's reply in this existing thread for the same question.
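    The two staff replies above describe the same mechanism: the key that protects a keychain is derived from the Master Password with PBKDF2, and a Master Password change in 3.8.21 re-derives it at the higher iteration count, so every guess against the stored data costs the attacker ten times as much work. The following is an added illustration of that upgrade step and its effect, not code from 1Password or the agilekeychain format. It assumes PBKDF2-HMAC-SHA1 with a 32-byte output, a 16-byte random salt, and a "verifier key" record as a stand-in for the real keychain metadata; only the 1,000 and 10,000 iteration counts come from the thread.

```python
import hashlib
import hmac
import os
import time

# Iteration counts quoted in the thread for 1Password 3 keychains.
OLD_ITERATIONS = 1_000
NEW_ITERATIONS = 10_000
KEY_LEN = 32  # assumed output length; not taken from the thread


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 key derivation (the hash choice is an assumption)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def new_record(password: str, iterations: int) -> dict:
    """Model of per-keychain metadata: a fresh random salt, the iteration count
    and the derived key used to check an unlock attempt (constructed sample)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "key": derive_key(password, salt, iterations)}


def unlock(record: dict, password: str) -> bool:
    """Re-derive with the record's own salt and iteration count and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def change_master_password(record: dict, old_password: str, new_password: str,
                           target_iterations: int = NEW_ITERATIONS) -> dict:
    """What the thread says 3.8.21 does on a password change: verify the old
    password, then re-derive with the higher of the stored and target counts,
    so an already-stronger record is never downgraded."""
    if not unlock(record, old_password):
        raise ValueError("old master password does not match")
    iterations = max(record["iterations"], target_iterations)
    return new_record(new_password, iterations)


def seconds_per_guess(record: dict, samples: int = 20) -> float:
    """Measure how long one wrong-password check against this record takes here;
    the ratio between records shows how much the iteration count raises attacker cost."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"constructed-wrong-guess-{i}", record["salt"], record["iterations"])
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    old = new_record("correct horse", OLD_ITERATIONS)          # a 3.8.10-era keychain
    upgraded = change_master_password(old, "correct horse", "correct horse battery")
    print("iterations after password change:", upgraded["iterations"])
    ratio = seconds_per_guess(upgraded) / seconds_per_guess(old)
    print(f"each guess against the upgraded record costs about {ratio:.1f}x as much")
```

The point the thread makes about old backups follows directly from the model: `old` still unlocks with the old password at 1,000 iterations no matter how many times `upgraded` is re-derived, which is why copies of the pre-upgrade keychain left in cloud version history keep the weaker work factor until they are removed.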

  • misterdna
    Community Member

    Thanks!

  • khad
    1Password Alumni

    Cheers! :)
