This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

PBKDF2 Calibration

I've read the explanation of what PBKDF2 is and why it's good for us, but on the MAS page for 1Password it talks about "even better security with PBKDF2 calibration".

My simple (?) question is: what (if anything) is better about this implementation than the one in 3.8.5?

Comments

  • Ben
    Ben AWS Team
    I believe it is that we are using more (twice?) the amount of iterations. I'll see if Jeff, our Chief Defender Against the Dark Arts, can reply here though. He would be able to give you a more accurate answer. :)
  • Can you provide a link to "the MAS page" referred to above...I'd like to read about all the goodness.
  • Ben
    Ben AWS Team
    Launch the Mac App store from /Applications/App Store.app and then click on 1Password. There should be a large banner at the top, but if it rotates away, you can also search for it.
  • roustem
    roustem AgileBits Founder
    I will have to correct Ben on this.

    The new security framework available on Lion has a PBKDF2 calibration feature. It makes it possible to automatically detect the best possible number of iterations for the password strengthening function.

    This is much better than hardcoding a certain number of iterations because, as computers get faster, the number of iterations will keep going up. For example, we used to hardcode 1,000 iterations to make it work well for everyone, but on my new MacBook Pro the calibration function returns 25,000 iterations as the best number.
  • Thanks for the replies. If I'm reading this right, then the calibration is being done on the basis of how many iterations can be performed within a predetermined time?

    If so, then I have a couple of follow-up questions.

    1) If you are syncing across machines with different specs, how will the calibration be handled? If I first create a password entry on my zippy new MacBook Pro, should I expect to see a bit of a lag in using that entry on my increasingly rusty old Mac mini, or will syncing encourage the calibration to default to the setting for the slowest machine?

    2) Will the parameters of the calibration ever be available to the user? (e.g. a "more secure / more speedy" slider - I'd happily trade off a little speed of response for increased security)
  • roustem
    roustem AgileBits Founder
    [quote name='Noah Buddy' timestamp='1315695692' post='47496']
    Thanks for the replies. If I'm reading this right, then the calibration is being done on the basis of how many iterations can be performed within a predetermined time?

    If so, then I have a couple of follow-up questions.

    1) If you are syncing across machines with different specs, how will the calibration be handled? If I first create a password entry on my zippy new MacBook Pro, should I expect to see a bit of a lag in using that entry on my increasingly rusty old Mac mini, or will syncing encourage the calibration to default to the setting for the slowest machine?
    [/quote]

    That could be a problem. At the same time, when calibrating, 1Password sets the calibration target to 50ms. So, even if your Mini is 20 times slower, the unlock time will still be acceptable.

    [quote name='Noah Buddy' timestamp='1315695692' post='47496']
    2) Will the parameters of the calibration ever be available to the user? (e.g. a "more secure / more speedy" slider - I'd happily trade off a little speed of response for increased security)
    [/quote]

    At this time we are trying to simplify as much as we can. Having too many options makes life harder for most users, and it also doesn't allow us to add new features as fast as we would like.
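    To make the calibration roustem describes above concrete (a short PBKDF2 probe, scaled to a 50ms budget, and the "20 times slower machine" estimate), here is an added example in Python. It is not AgileBits' code and not the Lion framework API; the PRF (SHA-256), the 1,000-iteration floor and the rounding step are assumptions made for the example.

```python
import hashlib
import os
import time

PRF = "sha256"           # assumption: the thread does not say which PRF is used
KEY_LEN = 32
MIN_ITERATIONS = 1_000   # assumption: floor at the old hardcoded value from the thread
ROUND_TO = 1_000         # assumption: round the calibrated count to a tidy multiple


def time_pbkdf2(iterations, password=b"calibration probe", salt=b"\x00" * 16):
    """Wall-clock seconds for one PBKDF2 run with `iterations` on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(PRF, password, salt, iterations, KEY_LEN)
    return time.perf_counter() - start


def calibrate(target_seconds=0.05, probe_iterations=10_000, bench=time_pbkdf2):
    """Choose an iteration count so one PBKDF2 run takes about `target_seconds`.

    `bench(n)` returns how long n iterations take; it is injectable so the
    arithmetic can be checked with a fake clock. PBKDF2 cost is linear in the
    iteration count, so one probe is enough to scale to the target budget.
    """
    per_iteration = max(bench(probe_iterations), 1e-9) / probe_iterations
    raw = round(target_seconds / per_iteration)
    return max(MIN_ITERATIONS, raw - raw % ROUND_TO)


def estimated_unlock_seconds(iterations, per_iteration_seconds, slowdown=1.0):
    """Unlock time on a machine `slowdown` times slower than the one that calibrated."""
    return iterations * per_iteration_seconds * slowdown


def derive_key(password, salt, iterations):
    """Derive the key. The iteration count must be stored alongside the data,
    because each machine calibrates to a different number."""
    return hashlib.pbkdf2_hmac(PRF, password, salt, iterations, KEY_LEN)


if __name__ == "__main__":
    n = calibrate()
    per_iter = time_pbkdf2(n) / n
    print("calibrated iterations:", n)
    print("unlock on a 20x slower machine: %.2fs" % estimated_unlock_seconds(n, per_iter, 20))
    key = derive_key(b"master password", os.urandom(16), n)
    print("derived key:", key.hex())
```

The fake-clock path in `calibrate` shows the arithmetic: at 1 microsecond per iteration a 50ms budget yields 50,000 iterations, and a machine 20 times slower then takes about one second to unlock.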
  • [quote name='roustem' timestamp='1315696120' post='47499']
    That could be a problem. At the same time, when calibrating, 1Password sets the calibration target to 50ms. So, even if your Mini is 20 times slower, the unlock time will still be acceptable.
    [/quote]

    That's what I was thinking, and I'd actually rather have it that way 'round. Thanks for taking the time to respond.
  • P.S. I think you should make a bigger deal of this feature - you've pretty much just convinced me to switch to 3.9.

    As written I don't think the MAS page explains this feature at all well. Security that gets better as machines get faster is great.
  • khad
    khad Social Choreographer
    Maybe we can have a blog post on this. I know Jeff loves explaining these sorts of things, and I think he does a great job of doing so in simple language that everyone can understand. I'll suggest this. :-)