Not being able to have a separate master password on IOS than Mac I believe gives me weaker security

jebr

[color=#000000]Initially I was very excited about this but now I'm not.[/color]



[color=#000000]I use the Mac version and sync via dropbox. On 1Password 3 I had a shorter master password on my IOS 1Password than my desktop version (as my iphone is passcode protected, can be remote wiped, and the app is PIN and password protected). I realise that my main master password was stored in my IOS keychain but I was ok with that as my phone is not jail broken.[/color]



[color=#000000]On the desktop I use a mega strong 32 character random password in conjunction with a Yubikey in static password mode to type some of it in.[/color]



[color=#000000]With the old set-up as my 1Password keychain stored in dropbox was encrypted with such a strong 32 character password I was very relaxed about storing it there. With 1Password 4 I will have to use a weaker encryption password as the desktop and IOS version seem to have to use the same master password.[/color]



[font="Lucida Grande, Lucida, Verdana, sans-serif"][color="#000000"][size=3]If I am correct then I believe that this is a weakening of security for me. Any password that I can remember will be cryptographically weaker than a 32 character random one that is currently protecting my keychain in drop box.[/size][/color][/font]



[color=#000000]Does anyone else have any views on this?[/color]



Jonathan Robinson

jhollington

I can understand your point, and in fact I railed against this myself back when I discovered that this was how the 1Password app worked on Android (see [url="http://forum.agilebits.com/index.php?/topic/8534-1password-ignores-protection-settings"]http://forum.agilebi...ection-settings[/url]). My logic is that a requirement to use the Master Password at every turn would in fact weaken security for most users (who would choose less complex passwords) and frustrate those who want to use seriously complex passwords -- even those like me that can remember a 40-character random string <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



Of course, others have valid opinions for considering the storage of the Master Password on iOS devices to be an equally serious security risk from their point of view. Check out [url="http://forum.agilebits.com/index.php?/topic/10412-storage-of-master-password-on-ios-devices/"]http://forum.agilebi...on-ios-devices/[/url] for a great discussion on this, including the tradeoffs between the 1Password 3.x method and what is now effectively the method used in 1Password 4).



I think the reality is that there's a diminishing returns factor in terms of exactly how strong your Master Password really has to be to provide adequate cryptographic protection. Yes, a password that you can remember will [i]technically[/i] be "cryptographically weaker than a 32 character random one" but you may simply be talking about the difference between taking 500,000 years to crack your password versus 3.5 billion years. See [url="http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/"]http://blog.agilebit...ohn-the-ripper/[/url] and [url="http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/"]http://blog.agilebit...ster-passwords/[/url] for some great discussion on this.



So while obviously changing your password down to something like "cat" or "dog" is going to be a very bad idea, the reality is that there's probably no real need to use a 32-character randomly-generated password that you can't otherwise remember, other than to make yourself feel better. I use a randomly-derived collection of 40 alphanumeric characters because I can easily remember it, but in reality, I'd probably be just as secure by a four- or five-word diceware password (or really any four or five words that I can remember that aren't inherently related to each other (see [url="http://xkcd.com/936/"]http://xkcd.com/936/[/url]).



Personally, despite my earlier concerns, I've found the Quick Unlock Code feature in 1Password 4 to be a more than reasonable compromise. The actual, long, hard-to-type Master Password is only required when 1Password is flushed out of RAM and needs to be reloaded from scratch, which in most cases is actually pretty uncommon unless you regularly use large, demanding apps in between 1Password sessions. This means that most of the time, I [i]am[/i] using a four-digit code to access 1Password, however it's being done in a much more secure way, as the code and master-password-derived decryption key only exists in RAM, and you also only get [i]one[/i] failed attempt at the QUC before you're required to re-enter the actual Master Password again. In my case, I find that I may need to actually enter the real Master Password no more than once per day, depending on how much I'm using my iPhone to do other demanding stuff (like playing games).

CurbedEnthusiasm

When I heard about this change in 1P4, I was disheartened. I think it creates much more burden on users who have long (40+ character) master passwords. To me, Agile had it right with 1P3 and having two separate master passwords. It made much more sense. I don't think I'll be upgrading, which is a shame as I wanted to. But this change doesn't sound appealing to me. Sometimes change takes place for no good reason other than thinking "what can we change?" I feel this is one of those times.



Agile, you had it right before! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

liliumdavidii

[quote name='jhollington' timestamp='1355430893' post='65097']

Personally, despite my earlier concerns, I've found the Quick Unlock Code feature in 1Password 4 to be a more than reasonable compromise. The actual, long, hard-to-type Master Password is only required when 1Password is flushed out of RAM and needs to be reloaded from scratch, which in most cases is actually pretty uncommon unless you regularly use large, demanding apps in between 1Password sessions. This means that most of the time, I [i]am[/i] using a four-digit code to access 1Password, however it's being done in a much more secure way, as the code and master-password-derived decryption key only exists in RAM, and you also only get [i]one[/i] failed attempt at the QUC before you're required to re-enter the actual Master Password again. In my case, I find that I may need to actually enter the real Master Password no more than once per day, depending on how much I'm using my iPhone to do other demanding stuff (like playing games).

[/quote]



I agree and prefer much more the "new, more secure" mode, it is almost as practical as the old method, but it's much more secure...

jhollington

[quote name='CurbedEnthusiasm' timestamp='1355436883' post='65117']When I heard about this change in 1P4, I was disheartened. I think it creates much more burden on users who have long (40+ character) master passwords. To me, Agile had it right with 1P3 and having two separate master passwords. It made much more sense. I don't think I'll be upgrading, which is a shame as I wanted to. But this change doesn't sound appealing to me. Sometimes change takes place for no good reason other than thinking "what can we change?" I feel this is one of those times.[/quote]



If you look at the other threads I've linked to above, I think Agile felt that it actually had perfectly valid reasons to change this approach based on improving security. Having the Master Password stored in the iOS keychain to enable Dropbox sync was definitely one security concern that many had, and the removal of that does theoretically make the app more secure.



Further, as I've noted above, if a 40-character Master Password is really a problem, then the solution is clearly to make it slightly shorter. I think there's a placebo-style comfort zone that comes with having long, random passwords that doesn't necessarily apply in the case of 1Password's encryption -- it's [i]theoretically[/i] more secure, but well past the point where it matters in practical terms. Based on Jeff's articles (again, linked above), a four-word Diceware password (approximately 16-24 characters) would be both easy to remember and type and would still provide more than reasonable security against any potential practical attack currently available -- something like 58 years to crack via brute force. Five diceware words -- still likely less than 30 characters -- would push that number up to 449,528 years (according to Jeff's chart at http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/). Remember too that this is a [i]mean[/i], not a maximum.



The common argument here is about cracking methods that haven't yet been devised, but I'm comfortable that 1Password will carry the technology forward at the same rate as Agile's team has proven itself to be quite up to speed in this regard. As the power of cracking computers increases, so does the power of computers being used for 1Password, and therefore the number of PBKDF2 iterations can be increased correspondingly. Going from 1,000 to 25,000 (again, as per Jeff's chart), takes those 58 and 449,528 year numbers up to even more absurd lengths.

Penelope Pitstop

As usual jhollington makes a cogent argument. I wholeheartedly agree.



Personally I use something longer than five words and 32 characters. I do not find it a chore even on the iPhone's tiny keyboard particularly because of the QUC feature and my system has more than sufficient entropy.



I never liked the previous idea of separate passwords and security levels. Unnecessary extra complexity in my view. Made it confusing and harder to set up. Most people I know used a single master password anyway because it was too much of a pfaff to do otherwise.

jpgoldberg

Hi all.



This is one of those situations where "everybody is right".[list=1]

[*]We need stronger master passwords for data that lives in the cloud or on machines that don't involve strict data protection (like desktops that can be stolen, and unlike iPhones that have stricter protections on application data)

[*]It is much harder to enter some types of passwords on an iPhone than on a desktop

[*]Forcing the same master password across systems means that people will end up using one that works on the tiniest keyboard of all of their systems.

[/list]

That is all true. And it is something that we were fully aware of when we made this decision. I've fallen far behind in documenting1P4 security design features. But let me overview what is coming.[list=1]

[*]By using a single Master Password, 1Password on iOS no longer needs to store secrets (such as obfuscated Master Passwords) in the iOS keychain for automated syncing to work. Quite simply, the iOS keychain, even with the tightest data protection class, is something that we wanted to move away from.

[*]There are tricks to develop strong, memorable, Master Passwords that aren't too much of a pain to type on an iPhone. I've been putting together such a system (it involves diceware-like word lists), but I need to tinker with the lists a bit more. Watch our blog for further information. Basically, I am getting very very high security with a passphrase that is just three words longs with all characters without having to switch keyboards on the iPhone. That is, these are all lowercase letters and SPACE.

[/list]

I'm asking for a bit of patience before I've got this scheme really "ready to use" by the general public.



It is easy to overlook the fact that any security "trade-offs" are actually security-versus-security trade-offs. There are good security reasons [i]for[/i] moving to a common Master Password, but as you've all noticed, there are good security reasons [i]against[/i] it as well. It's just that in this case, the reasons "for" aren't as visible as the reasons "against". (Which is why I need to catch up on writing documents.)



Cheers,



-j

jhollington

[quote name='jpgoldberg' timestamp='1355506023' post='65273'](Which is why I need to catch up on writing documents.)[/quote]



I'm eagerly awaiting these updated documents. While I don't even pretend to have the math and programming chops to actually [i]create[/i] an encryption system, I know enough about the technology to be interested in the technical details and have a lot of respect for those who do. I also realize that this may be asking too much since you haven't even had time to write the standard stuff, but I'm also looking forward to a geek edition should one ever appear <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

jebr

Thanks for the reply Jeffery.



I have to admit I'm still not convinced. I'm not an expert in the maths (UK person not a typo!) behind the crypto but I believe that a good random sequence generated with a random number generator with a lot of entropy would produce the "safest" password in terms on a brute force attack.

I realise that everything in security is a trade off between high security and convenience / usability, and the system employed should protect against the most likely risk etc.. In my view the biggest risk for me is my data at rest on dropbox which I consider almost like a public file share (to me this is more risky than storing the master password in the IOS keychain).



So, I need to understand how encrypting my 1password data with some dice-ware type scheme could be anywhere near as robust as using a truly random password. Surely a dice-ware scheme would be susceptible to dictionary type attacks whereas a random sequence would not?

I will look forward to your updated documentation.



In the mean time I would value peoples thoughs on Steve Gibson's "passwords haystacks" scheme. His idea is that length trumps complexity and so suggests a long padding scheme. Could this provide a good solution of a password that is easy to type in on the iPhone keyboard while providing enough security?

[url="https://www.grc.com/haystack.htm"]https://www.grc.com/haystack.htm[/url]



--Jonathan

Xe997

[quote name='jebr' timestamp='1355512021' post='65298']



In the mean time I would value peoples thoughs on Steve Gibson's "passwords haystacks" scheme. His idea is that length trumps complexity and so suggests a long padding scheme. Could this provide a good solution of a password that is easy to type in on the iPhone keyboard while providing enough security?

[url="https://www.grc.com/haystack.htm"]https://www.grc.com/haystack.htm[/url]



--Jonathan

[/quote]

About Steve Gibson...



http://allthatiswrong.wordpress.com/2009/10/11/steve-gibson-is-a-fraud/

jebr

Well I'm not sure I agree with the web-site about Steve Gibson but that is going off topic.



I'm more interested in the padding scheme which is well documented on the like above. Whether or not one likes the author, the scheme itself could be technically debated sticking to the facts / math.

Xe997

[quote name='jebr' timestamp='1355514157' post='65307']

Well I'm not sure I agree with the web-site about Steve Gibson but that is going off topic.



I'm more interested in the padding scheme which is well documented on the like above. Whether or not one likes the author, the scheme itself could be technically debated sticking to the facts / math.

[/quote]

Well about the scheme. A password created with that system is only secure if the attacker doesn't know the system being used to create the password. Gibson's website is a well known one. Surely criminals are aware of this padding system and can add it to their bag of tricks. You see, when guessing someone's password it's not a choice between list of dictionary words/common passwords and brute force. The attackers are aware of the usual systems of creating passwords like replacing the letter O with the number 0, throwing in a number at the end, symbol at the beginning and so on.



With Diceware on the other hand your system involves a random element. You can assume that the attacker knows what diceware list you use and number of words. The password is still secure, if you have enough words (I use 7, 8 or 9). The math is easy. What's 7776^9? A very big number.



TLDR: the attackers are smarter than Gibson. The attackers are not smarter than the dice.

roustem

There is a trick that would allow you to use a different password.



If you change the master password on your Mac then you will still be able to unlock the iPhone with the old password. This is because the password change on iPhone will only take place after you type the new master password. As long as you are typing the old password it will remain.



I don't think we are going to recommend using it though because it might change in future.

jebr

Thanks Roustem



That answer has concerned me. If what you are saying is correct then when you change you password the actual encryption key that is encrypted with your new MP is added to the keychain along-side the key encrypted with the old MP. Only when the IOS devices receives the new MP will the old one be removed.

=>So if I change my password and don't type in into my iPhone right away would my old (possibly compromised password) still work (even after dropbox has synced over the updated keychain?

=>What happens if I change the MP on the mac again will all 3 password work on the iPhone?

=>What happens if I have several IOS devices do I have to type the new password into all of them before the old one ceases to work.

I am a fairly technical users so would appreciate a detailed (non woolly) answer please.



Thanks

roustem

[quote name='jebr' timestamp='1355843381' post='65886']

If what you are saying is correct then when you change you password the actual encryption key that is encrypted with your new MP is added to the keychain along-side the key encrypted with the old MP. Only when the IOS devices receives the new MP will the old one be removed.

[/quote]



When you change the master password on Mac (or another iOS device) your encryption key is re-encrypted with the new password (after PBKDF2). Then it is synced to the device. At this point the device has both its own database with the old password and the synced data.



Only after you enter the new master password the database is updated. A lot of things can go wrong with syncing (imagine not downloading the encryption key correctly) I did not feel safe replacing the local encryption key without confirming that the user can unlock the app with the new password.

jebr

Hmm thanks, so if someone felt that their password had been compromised they would need to update it on the mac and then login to each of their IOS devices before that password become completely invalid. If so this should be highlighted strongly in the documentation as I don't think this is obvious.



If you kept logging in with the old MP to the IOS device can the 1password keychain still be modified (new logins etc.) on the mac and sycned across to the IOS device ok?



Before I moved to 1password I spent a long time reviewing all the very detailed technical information about what encryption is used and how the dropbox syncing worked etc. I was only happy to use the app once I understood how it worked in detail. Its a shame that the documentation has not kept up with the new version that works differently "under the hood" i.e. this ver 4 is not just a new GUI.

benfdc

I prefer the 1P3 unlock procedure because I prefer not to enter my master password in public. Too much risk of "shoulder-surfing." With 1P4, if someone watches my iPhone's screen as I enter my password and can get hold of my keychain (via, say, compromising my Dropbox account), I'm toast. With 1P3, the shoulder-surfer would not learn my actual master password and so would have to steal my iPhone.



If my iPhone is stolen, I expect that I would know it. However, my Dropbox account could be compromised without my knowledge.

roustem

[quote name='jebr' timestamp='1355854685' post='65903']

Hmm thanks, so if someone felt that their password had been compromised they would need to update it on the mac and then login to each of their IOS devices before that password become completely invalid. If so this should be highlighted strongly in the documentation as I don't think this is obvious.



If you kept logging in with the old MP to the IOS device can the 1password keychain still be modified (new logins etc.) on the mac and sycned across to the IOS device ok?



Before I moved to 1password I spent a long time reviewing all the very detailed technical information about what encryption is used and how the dropbox syncing worked etc. I was only happy to use the app once I understood how it worked in detail. Its a shame that the documentation has not kept up with the new version that works differently "under the hood" i.e. this ver 4 is not just a new GUI.

[/quote]



I see where you are coming from. In order to get the new data downloaded from Dropbox (and in many cases, from iCloud) the app must be started on the device. Without that the device will still have the old data. Unfortunately, it is not possible to propagate all changes to all devices instantly.



We had over 3 years to work on 1Password 3 documentation. The version 4 was out for only 5 days and I expect this to improve. Jeff Goldberg covered quite a bit about the changes in our internal documents. I will have to ask if he posted anything in public.

roustem

[quote name='benfdc' timestamp='1355860696' post='65919']

I prefer the 1P3 unlock procedure because I prefer not to enter my master password in public. Too much risk of "shoulder-surfing." With 1P4, if someone watches my iPhone's screen as I enter my password and can get hold of my keychain (via, say, compromising my Dropbox account), I'm toast. With 1P3, the shoulder-surfer would not learn my actual master password and so would have to steal my iPhone.



If my iPhone is stolen, I expect that I would know it. However, my Dropbox account could be compromised without my knowledge.

[/quote]



Have you tried the Quick Unlock Code that can be set in the Settings > Security?



The problem with the old pin code is that it was used to "protect" the encryption key and the items. Unfortunately, with only 10,000 combinations it does not provide much protection. In fact, when we were developing the migration of the old data we decided to only ask for the master password and simply pick the pin code in code. It really takes just a few seconds for the program to go through all possible combinations.

jhollington

[quote name='benfdc' timestamp='1355860696' post='65919']I prefer the 1P3 unlock procedure because I prefer not to enter my master password in public. Too much risk of "shoulder-surfing." With 1P4, if someone watches my iPhone's screen as I enter my password and can get hold of my keychain (via, say, compromising my Dropbox account), I'm toast. With 1P3, the shoulder-surfer would not learn my actual master password and so would have to steal my iPhone.[/quote]



There's another way to look at that, however. A shoulder-surfer is much more likely to read a four-digit PIN as you type it in, and they're much more likely to simply steal your [i]phone[/i] than hack into your Dropbox account -- particularly if they're a random stranger rather than a colleague (a random person sitting beside you would have no idea what your Dropbox account is, or even whether you're using Dropbox, but would know exactly where to find your phone <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' /> ).



On the flip side, if you're using a sufficiently secure Master Password, I think it would be pretty difficult for a shoulder-surfer to catch every digit, or for that matter even [i]remember[/i] what they saw you type. Even with a long diceware password, composed of several normal words, if you're entering 16-20 characters (which is ideally how secure your Master Password should be), somebody is going to have to be staring over your should for quite some time to get the whole thing.



[quote]If my iPhone is stolen, I expect that I would know it. However, my Dropbox account could be compromised without my knowledge.[/quote]



That's definitely a valid point, but the real question is whether you would be in a place to actually [i]do[/i] anything about it in a sufficient amount of time. If your phone is stolen randomly, chances are that even if the thief is going for your secure data (unlikely in most cases), it will take them some time to get into it. A person who has just watched you enter your passcodes would have immediate access to your data, a mobile device in their hands on which to make use of that information, and possibly even your wallet with your bank cards if they stole your entire bag.



So while you're looking for a pay phone to report your credit cards stolen and attempt to freeze up your bank accounts, the perp could already be emptying them <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



(This actually happened to a colleague of mine -- it didn't involve 1Password per se, but he lost his laptop bag in an airport and by the time he noticed it missing -- within a half-hour -- the thief had already cleaned out all of his credit cards).

jhollington

[quote name='roustem' timestamp='1355862344' post='65923']I see where you are coming from. In order to get the new data downloaded from Dropbox (and in many cases, from iCloud) the app must be started on the device. Without that the device will still have the old data. Unfortunately, it is not possible to propagate all changes to all devices instantly.[/quote]



It's also worth mentioning that this is a limitation of iOS, and there's not really anything that the folks at Agile can do about it. Apps are only allowed to run in the background to perform certain specific functions, and full on-demand synchronization is not one of them. As a result, the data simply cannot be updated until you run the app.



I would imagine, however, that unless you've specifically turned OFF your data connection, there wouldn't really be any way to continue [i]using[/i] the old data, since the sync would occur whether you wanted it to or not. In fact, if you're using iCloud, even going into Airplane Mode before starting 1Password would probably not make a difference, since iOS would likely have already downloaded the iCloud data for 1Password to sync with.



Roustem: What about having 1Password 4 return to the Master Password entry screen immediately following a sync where the Master Password has been changed, thereby requiring the user to enter the new Master Password to continue? I haven't changed my Master Password in years (maybe never, in fact), so maybe this is already there and I simply haven't noticed it.

Xipper

I appreciate the discussion, however I would recommend warning people of this change on the info page for the new version of the iOS app. Can we also get support for "widescreen" keyboard layout on the unlock screen? Typing a complex password on the narrow keyboard is error prone and wastes a lot of time if you have to type it multiple times.



I've had the "Quick Unlock" feature enabled since installing the new version, I have yet to ever see it ask for the quick unlock code...every time it asks for the master password...unless I am just testing the feature, leave the app and open it right back up. However in real use I have yet to see the quick unlock code used.

jhollington

[quote name='Xipper' timestamp='1355945561' post='66017']I've had the "Quick Unlock" feature enabled since installing the new version, I have yet to ever see it ask for the quick unlock code...every time it asks for the master password...unless I am just testing the feature, leave the app and open it right back up. However in real use I have yet to see the quick unlock code used.[/quote]



Do you have [i]Auto-Lock[/i] enabled? This causes 1Password to revert to asking for the Master Password once that timeout expires, rather than the Quick Unlock Code. I think this is a bug that should be fixed at some point, but for now at least you need to set [i]Auto-Lock[/i] to "Never" and simply enable [i]Lock on Exit[/i] in order to use the Quick Unlock Code.

khad

[quote]Do you have Auto-Lock enabled? This causes 1Password to revert to asking for the Master Password once that timeout expires, rather than the Quick Unlock Code. I think this is a bug that should be fixed at some point, but for now at least you need to set Auto-Lock to "Never" and simply enable Lock on Exit in order to use the Quick Unlock Code. [/quote]

That is correct. Once [url="http://forum.agilebits.com/index.php?/topic/11528-quick-unlock-code-and-auto-lock/"]that bug[/url] is fixed the Quick Unlock Code should behave [url="http://learn.agilebits.com/1Password4/iOS/Settings/ios-auto-locks.html"]as expected[/url].





[quote]Can we also get support for "widescreen" keyboard layout on the unlock screen?[/quote]

I for one couldn't type on the widescreen keyboard to save my life. I'm sure it just has something to do with the fact that I only ever use the keyboard in portrait. Perhaps that is even a holdover from my Palm Treo days.



To me, typing on the widescreen keyboard is like typing on my MacBook with my knuckles. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



It is certainly a valid feature request, though. I'm sure other folks who use the widescreen keyboard often enough to become proficient with it would appreciate it.