Hashcat, and what to do now?

I just visited the Agile blogs and quickly read through the news about Hashcat. I'm not knowledgeable about these technical details and don't understand much of what I've read. In any case, I also noticed that at the bottom of that blog post is an "Update 1" which says "At the moment, changing your Master Password will only recalibrate the number of PBKDF2 iterations when you use 1Password 3.9 on the Mac. We will have further information about 3.8 and 1Password on other platforms shortly".

So, what I want to know is what action should current 1Password 3.8.x users take? I was all ready to change my master password using the private + diceware method, but something from the Update 1 tells me that maybe I shouldn't change it right now until something else (PBKDF2 iterations, whatever that means!) is fixed/updated?

Please give users like me actionable comments :) While the Hashcat explanation is long and probably thorough, it doesn't do users like me much good when we don't understand 95% of it! Thanks!

Comments

  • tiantai
    Community Member

    Anyone ?

  • charlie98
    Community Member

    I'm always willing to venture a personal opinion, and in this case my opinion is that hashcat is not relevant. What matters is how secure your master password is now. Can it be cracked in days, weeks, years, eons? Check out the strength of your password and decide how urgent this really is. There will always be a new threat as computing techniques and hardware advance.

    As for which one to pick, 3.8 or 3.9, my only advice is to keep your product as current as possible and depend upon AgileBits; they are going to know well before you if their products are at risk.

    My 2 cents' worth.

  • tiantai
    Community Member

    Thanks!

    3.8 is the version available to those who purchased their 1Password Mac from the website.
    3.9 is the version available on the Mac App Store, i.e., for those who did not buy directly from the website. These are two parallel versions of the version 3 software.

  • jpgoldberg
    1Password Alumni

    Hi @tiantai,

    Our advice is that if you have a good Master Password there is nothing you need to do. If you don't have a good Master Password you should consider changing it to something stronger. This isn't really anything new. The hashcat stuff gives us an opportunity to remind people of that advice.

    Cheers,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • Jeff's right: a strong master password is critical to keeping your data secure. There's no feasible way for us to protect weak master passwords.

    With that said, we just released 3.8.21 with a little more "insurance" than the previous version. When you create a new keychain in 3.8.21 or change your master password, your encryption keys are now protected by 25,000 PBKDF2 iterations instead of 10,000. While this slows down Hashcat's attack, as Jeff showed in his blog post (http://blog.agilebits.com/2013/04/16/1password-hashcat-strong-master-passwords/), increasing your master password strength, even just a little, increases your security much, much more.

    For 3.9 users we actually do things a little differently and calibrate the number of iterations based on your hardware. It depends on your machine but it averages out to around 25,000 iterations.

    I hope that helps. Please let us know if you have any more questions and we'd be happy to help.
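To make the iteration numbers above concrete, here is an added example (not 1Password's or AgileBits' code; the demo password, the salt and the function names are constructed for illustration). It stretches a master password with PBKDF2-HMAC-SHA256 at 10,000 versus 25,000 iterations, shows the linear slowdown per guess that the extra iterations buy, and includes a simple timing-based calibration in the spirit of what the 3.9 post describes, clamped to a minimum so a slow machine never gets fewer than 10,000.

```python
import hashlib
import os
import time

# Constructed sample inputs (not from the thread): a demo master password and a fixed salt
# so that the derived keys are reproducible. Real keychains use a random per-keychain salt.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_key(master_password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a master password into an encryption key with PBKDF2-HMAC-SHA256.

    Every extra iteration is extra work per guess, for the legitimate user and for
    anyone trying the keychain offline alike; the same password and salt at a
    different iteration count yield a completely different key.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=length)


def work_factor_ratio(old_iterations: int, new_iterations: int) -> float:
    """Factor by which raising the iteration count slows each derivation (linear in iterations).

    Going from 10,000 to 25,000 iterations makes every guess 2.5x more expensive; a
    stronger password multiplies the guess space instead, which grows much faster.
    """
    return new_iterations / old_iterations


def time_per_iteration(sample_iterations: int = 2000) -> float:
    """Measure, in seconds, how long one PBKDF2 iteration takes on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", os.urandom(16), sample_iterations, dklen=32)
    return (time.perf_counter() - start) / sample_iterations


def calibrate_iterations(target_seconds: float = 0.1,
                         floor: int = 10_000, ceiling: int = 1_000_000) -> int:
    """Choose an iteration count so one derivation takes about target_seconds here.

    Hypothetical calibration, assumed for illustration: the count is clamped between
    floor (a weak machine still gets at least 10,000) and ceiling (a fast machine does
    not pick something that would be painfully slow on an older device later).
    """
    per_iter = time_per_iteration()
    proposed = int(target_seconds / per_iter) if per_iter > 0 else ceiling
    return max(floor, min(ceiling, proposed))
```

Running `calibrate_iterations()` on a few machines is the quickest way to see why a hardware-calibrated count "averages out" rather than being a fixed number.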

  • tiantai
    Community Member

    Alright. Thanks!

  • khad
    1Password Alumni

    On behalf of Dave and the rest of the team here, you are quite welcome! :)

    If we can be of further assistance, please let us know. We are always here to help!

This discussion has been closed.