This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Master Passwords with non-ASCII characters

benfdc
benfdc Perspective Giving Member
I was wondering if I could use non-ASCII characters in a master password. So I opened the guest account on my Mac, launched 1P, and created a keychain with the password piçkle (I keyboarded the ç as Option-c).



Worked fine.



Then I exported some data as an encrypted HTML file with the same password. Couldn't open it in Safari, Firefox, or Chrome.



I also can't open the 1Password.html file (aka 1PasswordAnywhere).



Bummer.



I was also wondering if such a keychain would be openable by 1P/Win, but the html problem is a potential deal-breaker in its own right.



Is this a browser limitation, or something that you could fix by tweaking the code?



Or is it an undocumented "feature" for users who want to disable 1PasswordAnywhere? (giggle)

Comments

  • Ben
    Ben AWS Team
    Hi benfdc



    I did a bunch of testing on this. Using a password of çççç (which I've since changed), I was able to:

    Unlock 1P Mac

    Unlock 1P iPad -- note that you first have to login with your old master password and under sync settings update your password, otherwise Dropbox will simply stop syncing. :) This requires re-setting up Dropbox sync on the iPad.

    Unlock 1P Windows



    I was also able to export an encrypted HTML page but was not able to unlock it using çççç as the password. Note though that you can (and probably should) use a different password for the exported HTML page than your Master Password.



    I could not get 1PasswordAnywhere to work. I tested Firefox, Safari, and IE.



    I'm thinking the HTML based options could be fixed with some tweaking but I (a) am not certain of that and (b) have no idea how much effort would be involved.



    As such I think using such a password is a great option if and only if you don't need to use 1PasswordAnywhere. In any other scenario it seems to work great.



    I did note though that I had to copy and paste the characters into my 1P iPad as I don't have those characters on my keyboard... though I do seem to remember there is a way to get them.



    Ben
  • benfdc
    benfdc Perspective Giving Member
    Well, 1PasswordAnywhere is [i]de rigueur[/i] for me, so that's pretty much that. I don't imagine that improving this situation would be assigned any sort of priority given that your Defender Against the Dark Arts seems to be on a "scientifically-secure master password" kick (not that there's anything wrong with that). There are certainly other missing features that would rank higher on my wish list, as any perusal of my comments in the forums would confirm.



    If there were any way to be confident that Unicode characters in master passwords defeat 1PasswordAnywhere, I suppose that you could document it. Hey, it's not a bug; it's a feature! I don't know how one might try to prove that, though, and if you can't then it's nothing more than security by obscurity.



    Anyway, from one Ben to another, thanks for checking into this.



    —Ben F
  • Hey Ben,



    On behalf of the other Ben, you are very welcome!



    I'm confident that your comments are being taken to heart by our security team.



    We learn a lot from hearing from our users and their concerns, and I appreciate your willingness to offer your thoughts.



    Cheers!



    Brandt
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi Ben,



    You make a number of excellent points. We would love to have full Unicode master passwords across all instances where a master password could be entered. In a technical, but not very useful, sense we do have this support. 1Password is actually indifferent to character set and character encoding choice. It will use whatever is passed to it. The difficulty is that different operating systems and environments can hand a different chunk of data to 1Password depending on the system it was entered on even if it is the "same" from the user's point of view.



    Let me give you the worst example that I've encountered. I had a master password that had the character ü in it. This worked fine as long as I always entered it using Option-u u on an English keyboard layout. If, however, I changed my keyboard layout to Hungarian and simply entered what seemed like the same character, the master password didn't always work.



    Back in the days, before 1PasswordAnywhere or 1Password for iOS or 1Password for Windows, this wasn't a big problem. As long as people typed in their master passwords the same way each time, 1Password did the right thing. But once people started entering these master passwords on different systems, problems would pop up. I was one of those people who had to change master passwords once 1PasswordAnywhere was introduced.



    So unless you stick to one platform and keyboard layout, the only really safe bet is to stick with old-fashioned US-ASCII. One tip that I use (for people old enough) is that there used to be conventions within languages for sending telegraphs. So instead of ü use ue. I assume that there was some convention for French in using ç in telegraphs.



    [quote name='benfdc' timestamp='1314207980' post='42186']

    If there were any way to be confident that Unicode characters in master passwords defeat 1PasswordAnywhere, I suppose that you could document it.[/quote]



    I'm not sure that I understand what you are asking. Unicode in 1PasswordAnywhere doesn't "defeat" 1Password; it's just that what eventually makes it to the input to our encryption can be different.



    Cheers,



    -j
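
An added example (not from the thread and not 1Password's code) of how the "same" password can reach the encryption input as different data, as described in the post above: the ç from the original question is fed to a key derivation function as a precomposed code point, as a decomposed sequence, and in two encodings. The KDF choice (PBKDF2-HMAC-SHA1), the salt, the iteration count and the use of NFC are assumptions made for illustration.

```python
import hashlib
import unicodedata

# Constructed inputs: one visible password, two code point sequences.
PRECOMPOSED = "pi\u00e7kle"   # ç as the single code point U+00E7
DECOMPOSED = "pic\u0327kle"   # c followed by U+0327 COMBINING CEDILLA

SALT = b"constructed-salt"    # constructed value (assumption)
ITERATIONS = 1000             # assumption, kept low so the demo runs fast


def derive_key(password_bytes: bytes) -> bytes:
    """Stand-in KDF (assumption): PBKDF2-HMAC-SHA1 with a 128-bit output."""
    return hashlib.pbkdf2_hmac("sha1", password_bytes, SALT, ITERATIONS, dklen=16)


def naive_key(password: str, encoding: str = "utf-8") -> bytes:
    """Derive a key from exactly the bytes the environment handed over."""
    return derive_key(password.encode(encoding))


def normalized_key(password: str) -> bytes:
    """Normalize to NFC and encode as UTF-8 before deriving the key."""
    canonical = unicodedata.normalize("NFC", password)
    return derive_key(canonical.encode("utf-8"))


def compare() -> dict:
    """Summarize which input paths agree on the derived key."""
    return {
        "bytes_precomposed": PRECOMPOSED.encode("utf-8").hex(),
        "bytes_decomposed": DECOMPOSED.encode("utf-8").hex(),
        "naive_forms_match": naive_key(PRECOMPOSED) == naive_key(DECOMPOSED),
        "naive_encodings_match": naive_key(PRECOMPOSED, "utf-8")
        == naive_key(PRECOMPOSED, "latin-1"),
        "normalized_forms_match": normalized_key(PRECOMPOSED)
        == normalized_key(DECOMPOSED),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Normalizing only helps if every client applies the same form and encoding before key derivation; a vault created from un-normalized input still needs the original byte sequence to unlock.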
  • benfdc
    benfdc Perspective Giving Member
    edited September 2011
    Hi, Jeff!





    What I mean by Unicode defeating 1PasswordAnywhere:



    Suppose that I use Dropbox to sync my keychain.



    Suppose that I don't want 1Password.html to be openable in a web browser.



    Suppose that there's no option in the preferences to not generate 1Password.html, or that there is one (and if it was a snake it would have bit me) but I just keep overlooking it.



    Based on about ten minutes of noodling around on my Mac, using peterpiperpickedapeckofpiçkledpeppers as my master password will do the trick. But that's not exactly a formal proof.



    —Ben
  • Ben,



    Sorry for the late reply on this, I guess my main question here would be why you'd want to disable the 1Password.html file from being generated? This doesn't contain any of your actual 1Password data, it's still accessing the same encrypted files as it would on the desktop.



    I'm not saying you don't have a valid reason to not want it, I'd just like to understand why so we can look into options to help users like yourself.
  • benfdc
    benfdc Perspective Giving Member
    [quote]I guess my main question here would be why you'd want to disable the 1Password.html file from being generated? This doesn't contain any of your actual 1Password data, it's still accessing the same encrypted files as it would on the desktop.



    I'm not saying you don't have a valid reason to not want it, I'd just like to understand why so we can look into options to help users like yourself. [/quote]

    Stu—



    I can't think of a reason off-hand.



    I suppose it boils down to this. Somewhere in the documentation, it might make sense to say something about using non-ASCII characters in a master password. Where it will work, and where it might cause problems.



    So far as I know, it looks like we can safely say that using non-ASCII characters may interfere with the user's ability to open 1Password.html in a browser. Maybe it's possible to make a stronger statement than that. In any event, the way I see it, whether this is a good thing or a bad thing is arguably up to the user, so long as users are informed. And the way I see it, if users are NOT informed of this limitation, then it's undocumented behavior and therefore a trap for the unwary.



    YMMV. If you don't think that the program should act this way, because it's more likely to trip up users than to benefit them, I would call that a legitimate judgment. Of course, if you take that view, it becomes all the more important to document the behavior.



    I don't know if you have a "known issues" page somewhere in the product documentation, but that's certainly one place that this could be written up UNLESS AgileBits were to take the position that "it's not a bug—it's a feature."



    Just my 2¢.



    —Ben F
  • [Deleted User]
    edited September 2011
    Ben,



    As always, thanks for your comments. I forwarded this thread to the rest of the team for their review, and I'm sure that your recommendations will be discussed.



    I always enjoy reading your perspective, and I am confident that other members do too.



    Cheers!



    Brandt
  • benfdc
    benfdc Perspective Giving Member
    edited September 2011
    [quote name='bswins' timestamp='1315107647' post='44319']

    I always enjoy reading your perspective, and I am confident that other members do too.



    [/quote]

    Oh you do, do you? [b][i]So why am I still listed as a Junior Member[/i][/b]‽ [s] :@[/s]



    :)
  • [Deleted User]
    edited September 2011
    Let's see, click a few buttons.... how's that? :-)



    Seriously though, I believe the forum software 'upgrades' statuses based on the number of posts you have.
  • benfdc
    benfdc Perspective Giving Member
    edited September 2011
    [quote name='stu' timestamp='1314821367' post='43614']

    I guess my main question here would be why you'd want to disable the 1Password.html file from being generated? This doesn't contain any of your actual 1Password data, it's still accessing the same encrypted files as it would on the desktop.

    [/quote]

    Stu—



    I just realized that I never actually answered your question, but just continued talking about what [i]I[/i] was interested in. And I am NOT interested in preventing 1password.html from being generated, or preventing it from working assuming that it is generated.



    I suppose that space might be an issue. Another is that the file actually does reveal stuff. Not my passwords, of course, but the things, places, and URLs that I have passwords for. I recognize that this info is just as exposed in the rest of the keychain, but 1Password.html wraps it all up in one convenient bundle.



    —Ben F
  • benfdc
    benfdc Perspective Giving Member
    [quote name='stu' timestamp='1315251319' post='44786']

    Let's see, click a few buttons.... how's that ? :-)

    [/quote]

    Oooh, that's MUCH better!
  • Ben,



    The "Member" may be based on post count, but that moniker above your "default" avatar is most certainly "earned". :)



    Cheers!
  • benfdc
    benfdc Perspective Giving Member
    edited September 2011
    I guess I oughta have a highfalutin avatar to go with my new highfalutin title.



    I imagine that most security geeks should get the reference. Not sure why the graphic is clipping though; it looks fine in the upload pane.
  • Awesome! :lol:



    I really enjoyed reading this discussion. Made me think about things from a different perspective. Character encoding is indeed a bit of a headache, especially when it comes to cross-platforming. I personally keep my character set on the simpler side to facilitate typing on a tiny touchscreen, as alluded to previously.



    To answer your question, I believe it is clipping because the image is not a perfect square. It looks like a number of pixels are being trimmed from each side. JUDO CHOP! :ph34r:
  • benfdc
    benfdc Perspective Giving Member
    edited September 2011
    Thanks for the help, Brent, but I found a better variant.



    On your larger point, I was just noodling around and tossed up a silly question. It was [i]you guys[/i] who went and decided to get all serious about it.
  • [Deleted User]
    edited September 2011
    Hello Ben,



    Love the avatar! Hadn't seen it before tonight.



    Nothing silly about your question, and I'm sure other people have thought about it, but didn't think to ask it.



    As usual, I appreciate your [i]perspective[/i]. :)



    Cheers!



    Brandt



    P.S. I did enjoy your [i]cycle[/i] reference. Thanks for that too. Good memories. ;)