This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
On Elcomsoft's latest paper
Unfortunately, the algorithm to protect the master password on the 1Password iOS app is not as secure as it could be. Elcomsoft did some research, see [url="http://www.slideshare.net/andrey.belenko/secure-password-managers-and-militarygrade-encryption-on-smartphones-oh-really"]http://www.slideshar...hones-oh-really[/url] and [url="http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf"]http://www.elcomsoft...-EU-2012-WP.pdf[/url]
The main problem is the use of PKCS7 padding which makes brute forcing the password really fast. Is this something that can be addressed? I'd love to switch to 1Password because I'm using SplashID now and their security is much worse.
I met the researchers from Elcomsoft yesterday, and they are really nice. I'm sure they would be able to give you pointers about making 1Password more secure. One example is using thousands of PBKDF2 itterations to make brute force guessing a lot slower.
The main problem is the use of PKCS7 padding which makes brute forcing the password really fast. Is this something that can be addressed? I'd love to switch to 1Password because I'm using SplashID now and their security is much worse.
I met the researchers from Elcomsoft yesterday, and they are really nice. I'm sure they would be able to give you pointers about making 1Password more secure. One example is using thousands of PBKDF2 itterations to make brute force guessing a lot slower.
Flag
0
Comments
-
Welcome to the forums, RichieB! It is great that you are thinking about these things. Elcomsoft's paper underscores our ongoing advice to users: strong security requires strong passwords. Using 6 characters — or less?! — is universally a bad idea. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/wink.png' class='bbc_emoticon' alt=';)' />
What you can do today to ensure your data is protected is the same thing we have recommended all this time: use a 1Password Master Password on iPhone and iPad that is long enough to provide adequate protection for your needs. You can refer to the table in our blog post to determine the length of password that makes you feel most comfortable. (Hint: anything beyond 10 characters and you are looking at hundreds of thousands of years.)
[url="http://blog.agilebits.com/2012/03/16/strong-security-requires-strong-passwords/"]http://blog.agilebit...rong-passwords/[/url]
Additionally, on the desktop (both Windows and Mac), 1Password already uses 10,000 PBKDF2 iterations to significantly slow down attackers. Currently this is not available on iOS as we needed to support older devices. The next major release of 1Password will only support iOS 5 and at that time we will be incorporating PBKDF2 along with some other improvements to make an already secure system even better.
The aforelinked blog post explains why 1Password is already secure despite some sensational headlines you may have seen. Of course, we are always working to improve 1Password since, as Bruce Schneier famously said, "Security is a process, not a product."
Please let me know if you have any further questions or concerns. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
Cheers,Flag 0 -
Thanks, RichieB. I actually have an update. We were initially going to roll out PBKDF2 in the iOS apps in 1Password 4, but we will be issuing an update soon for the 1Password 3 iOS apps which adds this. As mentioned above, the desktop apps already provide this protection.
I hope that helps. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
Cheers,Flag 0