This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

How To: Take advantage of increased PBKDF2 iterations in 3.8.11 and later

thejerm
thejerm Junior Member
[quote][color=#282828][font=helvetica, arial, sans-serif]Improving defence against brute force attacks by increasing PBKDF2 iterations from 1000 to 10000. Currently this applies only to newly created data files. For more information on PBKDF2, please see [/font][/color][url="http://blog.agilebits.com/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too"]our blog[/url][color=#282828][font=helvetica, arial, sans-serif].[/font][/color][/quote]



With this change is there an easy way to create a new data file and import the previous data file information? I would really like to take advantage of the better security.

Comments

  • khad
    khad Social Choreographer
    edited December 2011
    To take advantage of the increased PBKDF2 iterations in 1Password 3.8.11 and later:



    [size=5]1. Backup your data file ([b]File > Backup[/b]).[/size]



    [size=5]2. Export all your data to 1PIF ([b]File > Export All > 1Password Interchange File[/b]).[/size]



    [size=5]3. [url="http://help.agilebits.com/1Password3/create_new_keychain.html"]Create a new data file[/url].[/size]



    [size=5]4. Import the file you created in step one ([b]File > Import[/b]).[/size]





    To securely delete the [i]unencrypted[/i] 1PIF file in Finder:



    [size=5]1. Empty your trash ([b]Finder > Empty Trash[/b]). (This will ensure that only the 1PIF is securely deleted since the process takes a long time and there is likely no need to securely delete [i]all[/i] of the items in your trash.)[/size]



    [size=5]2. Move the 1PIF file to the trash ([b]File > Move to Trash[/b]).[/size]



    [size=5]3. Securely empty your trash ([b]Finder > Secure Empty Trash[/b]).[/size]



    If we can be of further assistance, please let us know. We are always here to help!
  • Great update with 3.8.11! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



    [quote]Improving defence against brute force attacks by increasing PBKDF2 iterations from 1000 to 10000. Currently this applies only to newly created data files. For more information on PBKDF2, please see [/quote]



    Will older files be able to switch to to 10k iterations any time soon?



    If not, what is the simplest way to export and re-import to a newly created 1Password 3.811data file?
  • khad
    khad Social Choreographer
    Thanks for asking about this (and the kind words), Daniel.



    I had posted a reply to this question in the beta forum just a couple days ago. The developers work so quickly that it is already a stable release now, so I merged your post with the existing thread and made sure it was in the 1Password 3 "stable" forum.



    Please see above and let me know if you have any other questions. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



    Cheers,
  • [b]@khad[/b] excellent, thanks! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
  • benfdc
    benfdc Perspective Giving Member
    Just don't try this with 1P/Win. As I learned to my great dismay a few days ago, the only data type that 1P/Win can import from a 1PIF is logins.
  • benfdc
    benfdc Perspective Giving Member
    [quote name='khad' timestamp='1322536189' post='54580']

    To securely delete the [i]unencrypted[/i] 1PIF file in Finder:



    [size=5]1. Empty your trash ([b]Finder > Empty Trash[/b]). (This will ensure that only the 1PIF is securely deleted since the process takes a long time and there is likely no need to securely delete [i]all[/i] of the items in your trash.)[/size]



    [size=5]2. Move the 1PIF file to the trash ([b]File > Move to Trash[/b]).[/size]



    [size=5]3. Securely empty your trash ([b]Finder > Secure Empty Trash[/b]).[/size]



    If we can be of further assistance, please let us know. We are always here to help!

    [/quote]



    Secure Empty Trash may not suffice to protect sensitive plaintext data in a modern Mac operating environment that includes Spotlight, Time Machine, and possibly cloud sync and backup apps like SugarSync and Carbonite. I'm not sure that users should be comfortable having a plaintext 1PIF file sitting on a hard drive for any length of time. I suppose I could unmount my Time Machine drive, turn off Spotlight, and disconnect from the internet before writing a 1PIF, but my usual practice is to create my 1PIFs on a flash drive or in an encrypted .dmg or .tc volume.
  • khad
    khad Social Choreographer
    [quote]Just don't try this with 1P/Win[/quote]

    Right. That's why this is in the 1Password 3 for Mac forum. There would be no benefit to doing this in 1Password for Windows at this time. Thought the benefits can still be reaped in 1Password for Windows if you are syncing via Dropbox.



    [quote]Secure Empty Trash may not suffice to protect sensitive plaintext data in a modern Mac operating environment[/quote]

    Good points, Ben! This is something of which to be mindful. For most users I believe Secure Empty Trash will suffice, but I should have provided the additional information that you did. Thanks for adding that!
  • benfdc
    benfdc Perspective Giving Member
    [quote name='khad' timestamp='1322795991' post='54792']

    For most users I believe Secure Empty Trash will suffice, but I should have provided the additional information that you did. Thanks for adding that!

    [/quote]



    I'm wondering whether Apple provides any way for you to flag a file or folder to not to be processed by Spotlight or backed up by Time Machine. If this is possible, it might be worth implementing.
  • Both Spotlight and Time Machine allow you to exclude files and folders from them. In Time Machine, click on the Options button. In Spotlight, click on the Privacy tab.
  • benfdc
    benfdc Perspective Giving Member
    [quote name='Jeff Leigh' timestamp='1322842777' post='54816']

    Both Spotlight and Time Machine allow you to exclude files and folders from them. In Time Machine, click on the Options button. In Spotlight, click on the Privacy tab.

    [/quote]



    Thanks! That's good to know. Perhaps 1P/Mac could create such a folder during the installation process and make it the default location for exported 1PIFs. If there's no API for accomplishing this, then 1P could certainly prompt the user to set this up, and an explanation could be included in one of the tutorials or FAQs in the User Guide. Here's hoping!
  • [b]@khad[/b] It worked great. I noticed that the new file is about 50% smaller. Less over head with the 10k iterations or did I do something wrong? <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
  • danco
    danco Senior Member
    [quote name='khad' timestamp='1322536189' post='54580']

    [size=5]3. Import the file you created in step one ([b]File > Import[/b]).[/size]



    If we can be of further assistance, please let us know. We are always here to help!

    [/quote]



    I got stuck at step 3. Because, when one imports, one reaches



    "Step 5. Enter the name of the folder for imported objects"



    and I have no idea what that means.



    Is it meant to be a new agilekeychain, a new location for the keychain, or what. I could not see the answer in Help, the User Guide, or anywhere.



    I hope I get a reply before I need to use 1PW.
  • danco
    danco Senior Member
    Later.



    It seems that just clicking on the Import button works fine, but this is not at all clear. It needs to be made clear somewhere in the documentation. Maybe the actual interface needs changing, but clear documentation would do.
  • khad
    khad Social Choreographer
    "Enter the name of the folder for imported objects" might be better as "Enter [b]a[/b] [b]name[/b] [b]for[/b] the folder for imported objects". It's just a folder name which is completely up to you to decide. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
  • danco
    danco Senior Member
    It's just a matter of clarity. I had some software licences to import later, and the situation became clearer.





    The point is that one does not even need to enter anything, it seems. Leave it blank and the items still get imported, and live in the All folder.
  • khad
    khad Social Choreographer
    Yes, I'll see if we can make this clearer in the future. Thanks for the feedback!
  • Is a simple "upgrade security / upgrade to new data file format" workflow in the pipeline? ie. a single button-click in 1P? If so, I'll wait...
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi Mezzanine,



    [quote name='Mezzanine' timestamp='1323945057' post='55536']

    Is a simple "upgrade security / upgrade to new data file format" workflow in the pipeline? ie. a single button-click in 1P? If so, I'll wait...

    [/quote]

    We try not to talk about features until they are delivered, so although that is a great question, I'm not going to answer it.



    What I can say is that if you have a decent master password, then there is no need to rush to do anything. PBKDF2 is, to a substantial extent, a defense layer for those whose master passwords aren't very strong. I suspect that everyone who is following this discussion already has a pretty good master password.



    If you want the math, take a look at [url="http://blog.agilebits.com/2011/08/better-master-passwords-the-geek-edition/"]Better Master Passwords: The geek edition[/url] for the background. Moving from 1000 PBKDF2 iterations to 10000 is like adding 3 bits of entropy to the effective strength of the master password. You can do much more than that by adding a single random character to it.



    I don't want to take away from the changes that we made. It is important that we adjust things as we go along. But that doesn't mean that there is something wrong with the 1000 iteration data files. It just means that when we create new ones, we'd like to start out with some extra oomph in that department.



    Cheers,



    -j