PBKDF2 Calibration

Noah Buddy · September 2011

I've read the explanation of what PBKDF2 is and why its good for us but on the MAS page for 1Password it talks about "even better security with PBKDF2 calibration".

My simple (?) question is, what (if anything) is better about this implementation than the one in 3.8.5?

Ben · September 2011

I believe it is that we are using more (twice?) the amount of iterations. I'll see if Jeff, our Chief Defender Against the Dark Arts can reply here though. He would be able to give you a more accurate answer. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

The Doctor · September 2011

Can you provide a link to "the MAS page" referred to above...I'd like to read about all the goodness.

Ben · September 2011

Launch the Mac App store from /Applications/App Store.app and then click on 1Password. There should be a large banner at the top, but if it rotates away, you can also search for it.

roustem · September 2011

I will have to correct Ben on this.

The new security framework available on Lion has a PBKDF2 calibration feature. It allows to automatically detect the best possible number of iterations for the password strengthening function.

This is much better than hardcoding a certain number of iterations because, as computers get faster, the number of iterations will keep going up. For example, we used to hardcode 1,000 iterations to make it work well for everyone but on my new MacBook Pro, the calibration function returns 25,000 iterations as a best number.

Noah Buddy · September 2011

Thanks for the replies. If I'm reading this right then the calibration is being done on the basis of how many iterations can be performed within a predetermined time?

If so then I have a couple of follow up questions.

1)If you are syncing across machines with different specs how will the calibration be handled? If I first create a password entry on my zippy new MacBook Pro should I expect to see a bit of a lag in using that entry on my increasingly rusty old Mac mini or will syncing encourage the calibration to default to the setting for the slowest machine?

2) Will the parameters of the calibration ever be available to the user? (e.g. A "more secure / more speedy" slider - I'd happily trade off a little speed of response for increased security)

roustem · September 2011

[quote name='Noah Buddy' timestamp='1315695692' post='47496']

Thanks for the replies. If I'm reading this right then the calibration is being done on the basis of how many iterations can be performed within a predetermined time?

If so then I have a couple of follow up questions.

1)If you are syncing across machines with different specs how will the calibration be handled? If I first create a password entry on my zippy new MacBook Pro should I expect to see a bit of a lag in using that entry on my increasingly rusty old Mac mini or will syncing encourage the calibration to default to the setting for the slowest machine?

[/quote]

That could be a problem. At the same time, when calibrating 1Password sets the calibration to 50ms. So, even if your Mini is 20 times slower, the unlock time will still acceptable.

[quote name='Noah Buddy' timestamp='1315695692' post='47496']

2) Will the parameters of the calibration ever be available to the user? (e.g. A "more secure / more speedy" slider - I'd happily trade off a little speed of response for increased security)

[/quote]

At this time we are trying to simplify as much as we can. Having too many options makes life for most users harder and it also doesn't allow us to add the new features as fast as we would like.

Noah Buddy · September 2011

[quote name='roustem' timestamp='1315696120' post='47499']

That could be a problem. At the same time, when calibrating 1Password sets the calibration to 50ms. So, even if your Mini is 20 times slower, the unlock time will still acceptable.

[/quote]

That's what I was thinking and I'd actually rather have it that way 'round. Thanks for taking the time to respond.

Noah Buddy · September 2011

P.S. I think you should make a bigger deal of this feature - you've pretty much just convinced me to switch to 3.9.

As written I don't think the MAS page explains this feature at all well. Security that gets better as machines get faster is great.

khad · September 2011

Maybe we can have a blog post on this. I know Jeff loves explaining this sorts of things, and I think he does a great job at doing so in simple language that everyone can understand. I'll suggest this. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />

PBKDF2 Calibration

Comments