This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Encrypted web page security level

sirius
edited November 2010 in Mac
Sorry, this should have been posted in the 1Password forum for Mac. Wish I could move it to there.



How secure is an export of 1Password as an encrypted web page? Is this page as secure as a 1Password file? I cannot find anything in the knowledgebase or the forum about security of such a page.

Comments

  • khad
    khad Social Choreographer
    I hope Jeff steps in to correct me if I am wrong :-), but my understanding is that an Encrypted Web Page export is on par with our 1Password Logins bookmarklet. (Both are JavaScript-based.) That is to say, it is just as secure but not as well-protected against attack. The same encryption is used but your data file is also hardened by [url="http://en.wikipedia.org/wiki/PBKDF2"]PBKDF2[/url] which vastly hinders brute force attacks. In short, it slows down the process so minutely that we never notice in day-to-day use — since we only enter the password once at a time — but the aggregate effect of the delay is much greater when attempting millions of combinations of possible passwords. The Encrypted Web Page does not have this extra protection, but for most everyday purposes it is quite secure.



    I hope that helps.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    edited November 2010
    [quote name='sirius' timestamp='1290642177' post='15890']

    How secure is an export of 1Password as an encrypted web page? Is this page as secure as a 1Password file? I cannot find anything in the knowledgebase or the forum about security of such a page.

    [/quote]



    Hi Sirius. That is a great question!



    As Khad said, the principal security difference between the exported encrypted HTML on the one hand, and your 1Password data on the other is that the former doesn't use password strengthening (other than salting) while the latter uses a complex key derivation function for key strengthening (PBKDF2).



    What this means in effect is that your HTML export is [i]only[/i] as strong as the access code you assign to it, while the protection on your 1Password data itself is actually [i]stronger[/i] than your master password.



    The actual algorithms we use in the two cases differ (Blowfish for the HTML export, AES-128 elsewhere), but this doesn't affect security.



    The upshot is that more care should be taken to ensure that an HTML export doesn't fall into the hands of the bad guys, as a brute force attack on its access code (basically an automated program that guesses millions of potential access codes) is more feasible than trying the same sort of attack against the 1Password data itself. Additionally, more care should be taken in choosing an access code for these exports.



    I hope this helps, Sirius. I'll see about getting this written up for our Knowledge base once we've addressed the absolutely fantastic (if somewhat overwhelming) response to our Thanksgiving Newsletter.



    Some references:

    [list=1]

    [*] PBKDF2: http://en.wikipedia.org/wiki/PBKDF2#Systems_that_use_PBKDF2

    [*] Cryptographic salting: http://en.wikipedia.org/wiki/Salt_(cryptography)

    [*] PBKDF2 in 1Password: http://help.agile.ws/1Password3/cloud_storage_security.html (see section on password strengthening)

    [/list]



    Cheers,



    -j
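
Added example, not part of the original thread and not AgileBits code: a comparison of the per-guess cost of a salt-only key derivation with a PBKDF2 derivation, showing why the replies call the stretched key "stronger" than the password itself. The iteration count, the SHA-256 hash, the single-hash model of the salt-only case, the sample keyspace and the 1e9 hashes/s rate are all assumptions; the thread states none of them.

```python
import hashlib
import math
import os
import time

ITERATIONS = 1000   # assumed iteration count; the thread does not state one
KEY_LEN = 16        # 128-bit key, matching the AES-128 mentioned in the thread

def salted_key(access_code: str, salt: bytes) -> bytes:
    """Salt-only derivation (assumed model): one hash call per guess."""
    return hashlib.sha256(salt + access_code.encode()).digest()[:KEY_LEN]

def stretched_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 derivation: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=KEY_LEN)

def seconds_per_guess(derive, salt: bytes, trials: int) -> float:
    """Measure the average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(trials):
        derive(f"guess-{i}", salt)
    return (time.perf_counter() - start) / trials

def added_bits(iterations: int) -> float:
    """N iterations are worth about log2(N) extra bits of password entropy."""
    return math.log2(iterations)

def avg_search_seconds(keyspace: int, hashes_per_second: float,
                       iterations: int = 1) -> float:
    """Expected time to cover half the keyspace at a given raw hash rate."""
    return (keyspace / 2) / hashes_per_second * iterations

if __name__ == "__main__":
    salt = os.urandom(16)
    fast = seconds_per_guess(salted_key, salt, 2000)
    slow = seconds_per_guess(stretched_key, salt, 20)
    print(f"salt only : {fast * 1e6:9.1f} us per guess")
    print(f"PBKDF2    : {slow * 1e6:9.1f} us per guess ({slow / fast:.0f}x)")
    print(f"stretching adds about {added_bits(ITERATIONS):.1f} bits")
    keyspace = 36 ** 8  # constructed example: 8 characters drawn from a-z0-9
    for label, n in (("salt only", 1), ("PBKDF2", ITERATIONS)):
        days = avg_search_seconds(keyspace, 1e9, n) / 86400
        print(f"{label:9s}: {days:10.2f} days at an assumed 1e9 hashes/s")
```

The salt makes precomputed tables useless in both cases, but only the iteration count raises the cost of each individual guess, which is why the access code for a salt-only export has to carry all of the strength on its own.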