This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Caps lock doesn't matter [Not a bug, 1P Is smart about this]

SWR
SWR Junior Member
edited December 2010 in Mac
Not sure whether it happens in 3.5.2, but I started to notice this on the latest update, 3.5.3.

With or without CAPS lock on, I can get into 1Password or any supported browser when typing in the master password. However, with CAPS off and using the SHIFT key, 1Password did what it's supposed to do, i.e. recognizing the correct or wrong password.

Is it a bug? Gotta fix this CAPS lock issue.

UPDATED

Yup, same issue with 3.5.2.

Tried changing the master password to something like "password1234" and by typing "PASSWORD1234" with CAPS lock on, I could get in. But with "PASSWORD1234" typed using the SHIFT key, wrong password will be triggered. Tried the opposite by using "PASSWORD1234" as a master password and I can get in by typing "password1234"!!!

Now wondering how secure 1Password is.

Comments

  • dteare
    dteare Agile Founder
    edited December 2010
    I'm sorry for the confusion SWR but we recently changed 1Password to work around CAPSLOCK issues. If you enter a password and it is incorrect, we capitalize the password and re-try it. We also re-try it lowercased as well in case you inadvertently had CAPSLOCK enabled when creating the Master Password.

    Originally I was not a fan of this change but we were motivated by a few very long and painful debugging sessions. Several users reported being locked out of 1Password because they didn't realize CAPSLOCK was on. Unfortunately, when this happens, people panic and do not read the FAQs closely, nor listen when we reply saying "check your CAPSLOCK key". Instead of replying again asking "are you sure?", we just decided to change 1Password to check for them :)
  • SWR
    SWR Junior Member
    Hi Dave,

    So it's a small feature thing for the blur ones? If so, I think it's really a bad idea in the name of security. But for the 'password-for-dummies' group, it's a brilliant idea.

    For me, I like a security program to respect what I type and not make the guesswork for me.

    In conclusion, it's not a bug (I guess).

    Thanks.
  • MikeT
    MikeT Agile Samurai
    Hi SWR,

    It wouldn’t matter in terms of security, it doesn’t decrease or increase security because it depends on the original password created by the user. 1Password is smart enough to shift case-sensitivity mode when it detects that a user has a master password with no case sensitivity and automatically does both levels to remove the CAPSLOCK annoyance. Please note that many brute force applications will do both levels at the same time, so it wouldn’t decrease security when it comes to this. If the user changes the password to be case-sensitive (just one upper case character is enough to activate the case-sensitivity if it was all lower case), 1Password won’t do both levels because both tests will fail automatically.

    Does that help ease your mind?
  • SWR
    SWR Junior Member
    Yup, 1P is smart for blur group. Having sat back and thought about it, I think it's a bit cool. I usually know what I type and I do check for CAPS lock. Occasionally, it's okay if I forget to toggle the CAPS lock when necessary. But in a sense, this feature does halve the guesswork if someone tries to get into a blur user's computer. In that way, it's a decrease in security. I think this feature is a good and bad idea at the same time. Given a choice, I'd rather not have it.
  • dteare
    dteare Agile Founder
    edited December 2010
    I wanted to add that 1Password does not change your Master Password in any way. We do not take "pAssWOrd123" and convert it to "password123" as that would weaken the password considerably.

    Your Master Password is always remembered exactly as you typed it, whether CAPSLOCK is on or off. All we're doing is testing 3 combinations of your typed password against your originally typed password when you attempt to unlock 1Password (as you typed it, all uppercase, all lowercase).

    This is not weakening your security in any way as we have to run the PBKDF2 function (a function for generating the encryption key that is purposely slow) each time for each password. All we're doing is automating some manual typing for the user. This would not help a determined thief as they would not be using the keyboard to type the trillions of combinations needed to crack your password :)
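
The retry behaviour described in this thread, sketched as an added example (not code from 1Password or from any poster): the typed password is tried as typed, then uppercased, then lowercased, with one PBKDF2 run per candidate. The iteration count, SHA-256, the random salt, the function names and the derived-key comparison standing in for the real unlock check are all assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed demo value; the thread does not state one


def derive_key(password: str, salt: bytes) -> bytes:
    """Purposely slow key derivation (PBKDF2-HMAC-SHA256 assumed here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(master_password: str) -> tuple[bytes, bytes]:
    """The master password is kept exactly as typed; no case folding at setup."""
    salt = os.urandom(16)
    return salt, derive_key(master_password, salt)


def case_variants(typed: str) -> list[str]:
    """As typed, all uppercase, all lowercase; duplicates dropped, order kept."""
    return list(dict.fromkeys([typed, typed.upper(), typed.lower()]))


def try_unlock(typed: str, salt: bytes, stored_key: bytes) -> tuple[bool, int]:
    """Return (unlocked, PBKDF2 runs spent). Every retry pays the full KDF cost."""
    runs = 0
    for candidate in case_variants(typed):
        runs += 1
        if hmac.compare_digest(derive_key(candidate, salt), stored_key):
            return True, runs
    return False, runs


if __name__ == "__main__":
    # Sample passwords are the ones quoted in the thread.
    salt, key = enroll("password1234")
    print(try_unlock("PASSWORD1234", salt, key))  # CAPS lock left on
    salt, key = enroll("pAssWOrd123")
    print(try_unlock("password123", salt, key))   # mixed case is not folded
```

An all-lowercase or all-uppercase master password is effectively case-insensitive under this scheme, while a mixed-case one only unlocks when typed exactly.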