1PasswordAnywhere / Encrypted HTML file and PBKDF2
I am a recent user and really love 1Password. It really makes life so much simpler when dealing with all registrations and logins and other sensitive info.
I was investigating the level of security that 1Password provides and have a couple of questions.
One of which was to do with whether the encrypted HTML file generated from the app now uses PBKDF2?
I saw this from Jeff in the comments section in [url="http://blog.agilebits.com/2011/04/looking-ahead-in-security/"]his April post[/url] on your blog:
[i]The encrypted HTML exports from 1Password for Mac do not (yet) use PBKDF2, so it is important to treat those files with care and to use very good passwords for them. This is one of the several places where we need to adjust for more modern hardware. And again here, to be extra safe it is probably wise to quit the browser after using it.[/i]
I am assuming this does not apply to the HTML file contained in the agilekeychain package (used for 1PasswordAnywhere) but only the exported encrypted HTML file. Is this correct? I noticed the "yet" in the quote above but could not find a trace of any change in the release notes. Has this been implemented yet by any chance?
Seeing that SHA-1 passwords are now relatively easy(ier) to crack - see [url="http://www.darknet.org.uk/2010/11/sha-1-password-hashes-cracked-using-amazon-ec2-gpu-cloud/"]this article[/url] or [url="http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/"]this one[/url], which concludes:
[i]This just shows one more time that SHA1 for password hashing is deprecated – You really don’t want to use it anymore! Instead, use something like scrypt or PBKDF2! Just imagine a whole cluster of these machines (which is now easy to do for anybody thanks to Amazon) cracking passwords for you, pretty comfortable.[/i]
I would rather avoid using them (and therefore the encrypted HTML file) so it would seem to point to using the 1PasswordAnywhere file (assuming that it does use PBKDF2).
However, I am assuming a Windows machine could read the "simple" encrypted HTML file but not the Mac package that is the agilekeychain. Is that correct?
If so, is there any better way to have strong security for sharing that is accessible from Windows?
If not, I do not see much point in using the encrypted HTML file (legacy feature?).
Thanks,
Jezza
Comments
Hi Jezza,
Great question. 1PasswordAnywhere reads from your normal 1Password data file, which is protected using PBKDF2.
The two places where we don't use PBKDF2 are:[list]
[*]Login bookmarklet (which is being phased out for this and other reasons)
[*]Exported HTML files (File > Export > Encrypted web page). The disposition of this feature isn't certain, but you are right to call it a "legacy feature".
[/list]
But because 1PasswordAnywhere uses your 1Password data file as is, it must use PBKDF2. What you may find is that 1PasswordAnywhere takes a few seconds to unlock.
So you were pretty much right about everything. And thanks for investigating how keys are derived from master passwords. I hope that we meet your (high) expectations.
Cheers,
-j
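The reply above contrasts the single-pass hashing that the linked articles crack at GPU speed with PBKDF2, whose iteration count is exactly what makes 1PasswordAnywhere "take a few seconds to unlock". The following is an added example, not 1Password's code or file format: it derives keys both ways with Python's standard library, runs the same small dictionary attack against each, and times one guess so the work-factor ratio is visible. The salt, the candidate list and the iteration counts are constructed for illustration only; the PBKDF2 vectors used to check the derivation are the public RFC 6070 test vectors.

```python
import hashlib
import hmac
import time

# Constructed example parameters. These are NOT 1Password's real salt, iteration
# count or file layout; they only illustrate why PBKDF2 slows a guessing attacker.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
CANDIDATES = [b"123456", b"password", b"letmein", b"correct horse", b"hunter2"]


def sha1_once(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-1 pass: cheap to compute, so cheap to guess at GPU speed."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_key(password: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2-HMAC-SHA1 (RFC 2898). The iteration count is the tunable work factor:
    every guess costs the attacker `iterations` HMAC evaluations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def dictionary_attack(target: bytes, salt: bytes, derive):
    """Try each candidate until derive(candidate) matches target.
    Returns (recovered_password_or_None, attempts). Constant-time compare so the
    defender-side check cannot leak the prefix of a match."""
    for attempts, guess in enumerate(CANDIDATES, start=1):
        if hmac.compare_digest(derive(guess, salt), target):
            return guess, attempts
    return None, len(CANDIDATES)


def time_per_guess(derive, salt: bytes, repeats: int = 20) -> float:
    """Average wall-clock seconds for one derivation on this machine."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive(b"hunter2", salt)
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    secret = b"hunter2"   # constructed weak password; it is in the candidate list
    schemes = [
        ("single SHA-1", sha1_once),
        ("PBKDF2, 1,000 iters", lambda p, s: pbkdf2_key(p, s, 1000)),
        ("PBKDF2, 10,000 iters", lambda p, s: pbkdf2_key(p, s, 10000)),
    ]
    for label, derive in schemes:
        target = derive(secret, SALT)
        found, attempts = dictionary_attack(target, SALT, derive)
        per = time_per_guess(derive, SALT)
        print(f"{label:22s} found={found!r} attempts={attempts} "
              f"{per * 1e6:9.1f} us/guess (~{1 / per:,.0f} guesses/s on this CPU)")
```

All three schemes recover the weak password in the same five attempts; what changes is the cost of each attempt, which grows roughly linearly with the iteration count, so the defender chooses the count to make a full dictionary or brute-force run infeasible while a single legitimate unlock stays tolerable (the "few seconds" mentioned above).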
Maybe I missed any discussion on this. Was there a critical reason this feature was removed? I might be in the minority, since I really have no need to use the Dropbox service nor do I have any need for a mobile/iOS device ... but I found the export to encrypted web page to be a great feature (not only for keeping a flash drive back-up but for ensuring it was a usable back-up if I did have to access my 1PW data at a different location/computer). I just tried to use the 1PasswordAnywhere feature ... granted ... it is doable ... but found it far more involved than just exporting the data to an encrypted web page. Is this a done deal and one more thing I will need to accept and get used to, or can this decision be reversed in a future update? I guess I will have to stick with 3.8.10 for the time being.
Hey nachalnik,
I merged your post with this existing thread. The feature was removed in the latest beta, so you were right to post in the beta forum, but it won't be long before the beta is pushed to the stable channel. I thought it prudent to keep the discussion in one thread.
The "encrypted web page" export option was removed as we "beef up" security a bit in a few places. That along with the increase in PBKDF2 iterations as well as the removal of the Logins bookmarklet are all an effort to keep 1Password ahead of the curve in security in a proactive manner rather than waiting for the legacy features to become a problem as computing power continues to increase.
Please see above and let me know if you have any additional questions or concerns.
Thanks for the answer (I only thought of checking this now as I did not seem to receive an email notification of an update...)
I have been very happy with 1Password since I installed it and it is just such a great time-saver! (I am sure even life-saver in some circumstances!)
I did see that you increased the number of iterations for PBKDF2, but that this applies only to new files. What is the best way to re-import all info from my current 1Password into a new file to benefit from that iteration increase?
Please see my instructions in this thread:
[b][size=5][url="http://forum.agilebits.com/index.php?/topic/9645-how-to-take-advantage-of-increased-pbkdf2-iterations-in-3811-and-later/"]How To: Take advantage of increased PBKDF2 iterations in 3.8.11 and later[/url][/size][/b]
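The last two posts turn on one point: a higher PBKDF2 iteration count only applies to files created after the change, because the stored material can only be re-derived by someone who knows the master password, which is why the linked how-to has you recreate the file rather than flip a setting. The following added example (not 1Password's code, format or real iteration counts; the "old" and "new" defaults, the salt and the verifier construction are assumptions for illustration) models a keychain-style record that carries its own salt and iteration count, shows that an unlock with the right password is the only point at which the record can be moved to the higher count, and shows that a record created under the old default keeps the old count until that happens.

```python
import hashlib
import hmac
import os

# Assumed work factors for the example; NOT the real 1Password 3.8.x counts.
OLD_DEFAULT_ITERATIONS = 1000
NEW_DEFAULT_ITERATIONS = 10000


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 master key; the record stores salt and count alongside it."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 32)


def verifier_for(key: bytes) -> bytes:
    """Keyed check value stored in the record so a wrong password is detected."""
    return hmac.new(key, b"verify", hashlib.sha256).digest()


def new_record(password: bytes, iterations: int = NEW_DEFAULT_ITERATIONS,
               salt: bytes = None) -> dict:
    """Create a fresh record at the requested work factor (a fresh salt per record)."""
    salt = salt if salt is not None else os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "verifier": verifier_for(derive_key(password, salt, iterations)),
    }


def unlock(record: dict, password: bytes):
    """Return the derived key if the password is right, else None.
    The record's own salt and count are used, whatever the current default is."""
    key = derive_key(password, record["salt"], record["iterations"])
    if hmac.compare_digest(verifier_for(key), record["verifier"]):
        return key
    return None


def needs_upgrade(record: dict, target: int = NEW_DEFAULT_ITERATIONS) -> bool:
    """True when the record was created under a lower count than the current default."""
    return record["iterations"] < target


def upgrade(record: dict, password: bytes, target: int = NEW_DEFAULT_ITERATIONS) -> dict:
    """Move a record to a higher count. This is only possible with the master
    password: nothing stored in the record lets anyone re-derive without it."""
    if unlock(record, password) is None:
        raise ValueError("wrong master password: cannot re-derive without it")
    if not needs_upgrade(record, target):
        return record
    return new_record(password, target)


if __name__ == "__main__":
    pw = b"example master password"   # constructed
    old = new_record(pw, OLD_DEFAULT_ITERATIONS)
    print("old record iterations:", old["iterations"], "needs upgrade:", needs_upgrade(old))
    new = upgrade(old, pw)
    print("upgraded iterations:", new["iterations"], "needs upgrade:", needs_upgrade(new))
    print("unlock with new record:", unlock(new, pw) is not None)
```

Raising `NEW_DEFAULT_ITERATIONS` changes nothing for `old` until `upgrade` runs with the password, which is the same situation as a 3.8.10 data file after installing 3.8.11; an application can either do this transparently at the next successful unlock or, as the how-to above does, have the user recreate the file.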