To protect your privacy: email us with billing or account questions instead of posting here.

1P PBKDF2 iterations are less than recommended by OWASP. Please do better.

2

Comments

  • JAC3467
    JAC3467
    Community Member

    One more thing, the Security Now podcast has been digging into this topic in its last two episodes (I just listened to the most recent) as well as in depth on the LastPass breach.

    https://twit.tv/shows/security-now

  • eldritch
    eldritch
    Community Member
    edited January 2023

    JAC3467: I saw that recently as well. They are basically taking the 180 perspective and opinion to what 1password staff has had to say about the amount of iterations and what the token really does for us in terms of security.

    I for one totally disagree with Leo and his Security Now podcast expert. Having the token in my opinion immediately at the very least doubles the security of all accounts without taking into consideration the math or complexity of the master password. This is just logical and make sense.

    1password staff:

    That being said I do find it kind of alarming how dismissive and almost oddly defensive the 1password staff has been about the iterations argument. Why not just respond with:

    "We're always looking for new innovative ways to improve security for our customers so this is something that has certainly been under consideration at one time however we're currently looking into what appears to be an even more secure method of protecting everyone..please stand by." I think a response like this would have been more appropriate and would have likely been more acceptable to everyone.

    Unfortunately all of the responses save for one in particular I'm seeing here seem very knee jerky and sound more like excuses and not very well thought out. I think in particular stating that by allowing customers to control the iterations it opens them up to lowering security below standards sounds extremely illogical. It stands to reason that if you implemented a feature like this you would require a minimum for god sakes that meets standards...I mean come on. Security is constantly evolving and improving so it's not like you'd have anything to be ashamed of by adding this as a feature. I think it's the least that could be done to show more value for now seeing as how this is the MOST expensive product on the market right now.

    At any rate I'm a brand new 1Password customer still learning about what I've switched to and the staff I'll be dealing with. I hope we can hear about this KDF replacement more sooner than later.

  • feasiblebanana
    feasiblebanana
    Community Member

    Especially since 1Password support has recommended things like users printing out their Emergency Kit and keeping it with them, the “secret-ness” of the secret key isn’t as high as 1Password support is implying in this thread.

    If nothing else, even from a compliance perspective, for businesses who are selecting new password managers after LastPass, the lack of flexibility to customize this (even from a business admin perspective) or to even update the iteration count to industry-accepted standards will be a mark against 1Password compared to its competitors in the market today.

  • LumberJack
    LumberJack
    Community Member

    @Ben @GreyM1P This seems like an answered argument. From what I've just read, the 1Pass team that has been responding, quite respectfully I might add, has just backed up the prime topic of this thread: "How important are iterations". The more iterations, the more secure...true. But 1Pass is proven to be even more secure with their addition of the 128 bit key. It seems like the more profitable approach would be to increase the key size, not iterations, for better security. But hey, engineering encryption systems is not my forte and it seems like there's an untouched $1,000,000 speaking for itself.

    Plus, randomly generated 40 character accept and forget passwords within the vault are all too easy to create. Even if I need to remember a 30 character password for the master password (I literally do) It's the only one that I need to remember, that's the point lol. The power is in the end user to not create dumb passwords. Will they...yeah...but they know better. Even if it was default to 310,000 iterations...a dumb password is a dumb password. Using a dictionary attack or password lists would be better time spent for an adversary when brute forcing a dumb password anyway. I don't know of a user that consistently generates random alphanumeric 10 character passwords. It's frequently some modification of L33t Sp34k...of which a dictionary or password list would be a better suited attack...in my opinion.

    1Pass team, thank you for your well answered responses, expertise, and transparency. Thank you for teaching me something. Tbh, I think that you might have just gotten a customer out of me. If you have the time, I would like to hear about what some people were talking on this thread about when a device is stolen. @eszense said:

    "If one's laptop is lost, both the encrypted blob and secret key will be compromised, and the master password will be the only remaining line of defense. Assuming the master password is of average strength for usability reason, a high iteration would make the difference between crackable and uncrackable."

    Thank you!

  • Kat34
    Kat34
    Community Member

    Standards matter. OWASP just increased their standards Jan 2023 to PBKDF2-HMAC-SHA256: 600,000 iterations

    Reference: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

    1Password has new customers looking their way based on the LastPass failure, yet they seem to argue above that OWASP standards don't matter. Customers want defense in depth and every standard matters depending on the breech. 1Password should not just point to their "secret key" as being superior, but rather should use every recommended standard setting to protect our data. That is job #1.

    Please update 1Password to comply with OWASP standards, now 600,000 iterations.

    Thanks

  • Kat34
    Kat34
    Community Member
    edited January 2023

    [Duplicate post removed by moderator]

  • strif4
    strif4
    Community Member
    edited January 2023

    @Kat34 Wow that is a significant change now, 1P needs to act soon imo.

    1P now only have 1/6th of the recommended iterations set by OWASP.

    I think you guys should urgently look into this now given what has happened with Lastpass. Complacency has no place for a password security company, not acceptable as a leading company in the field.

    This would be extremely bad PR if someone's master password got hacked and journalists/researchers notice this severe lagging of iteration standards even though it has been requested by customers on 1P forum and wasn't taken seriously.

    Now is not the time to be nonchalant about security issues raised by customers, 1/6th of industry standard is quite poor no matter how you spin it.

  • TD1PasswordUser
    TD1PasswordUser
    Community Member
    edited January 2023

    Bitwarden posted on Mastedon this week that it has increased client-side iterations to 600,000 as well as double-encrypting these fields at rest with keys managed in Bitwarden’s key value. https://fosstodon.org/@bitwarden/109745277062224768

    OWASP has now increased their recommended PBKDF2 iterations to 600,000.

    One of the most important things about security is peace of mind. 1 Password needs to do something in response to these competitive/best practices changes. Increasing the count seems like a no-brainer now that devices can easily handle more. An announcement for adding something in addition to PBKDF2 would be very welcome – something that can avoid increased GPU processing power.

    Thanks for listening 1 Password. Don’t make me regret leaving LP and choosing you over BitWarden!

  • A quick update from the 1Password team

    Hi everyone.

    Those who've been following this thread will have seen my previous responses, so I won't go into those points again in too much depth, but I'd like to provide a quick summary of where we are now, and where we're going.

    The current situation:

    As it stands, 1Password uses 100,000 iterations of the PBKDF2 algorithm, in combination with the Secret Key, to derive further keys. We've demonstrated above that including the Secret Key significantly strengthens it, and thus strengthens the output. All of this computation is done locally, on your device, and your account password and Secret Key are never transmitted to 1Password.

    Factors to consider:

    1. Increasing the number of iterations used for the PBKDF2 algorithm is only one way to improve the strength of the key material it generates.

    Even then, it isn't one of the best:

    • Including the Secret Key adds 128 bits of entropy to the input. A typical (even pretty good) human-memorable account password might only be about 40 bits of entropy, so the Secret Key can be said to be doing a lot of the heavy lifting here.
    • A longer account password, even by adding one or two characters, effectively works as a multiplier. There are 96 ASCII characters in the set we recommend using for maximum compatibility, so each character added to the account password does the same as multiplying the number of iterations by 96 times. Using the same account password as you do now, but with two extra characters, would be equivalent to 921,600,000 iterations.

    Iterations used for the algorithm are a bit like what megapixels have become in phone cameras – more can be better, but there are usually other factors which can improve quality significantly, without just shoehorning a bigger sensor into the phone.

    2. More iterations won't save a bad account password from being bad.

    If a user chooses an account password which they've used elsewhere, then the number of iterations just becomes a delay which will inevitably be overcome. It doesn't matter if we used a billion iterations, for example, if your account password is in a list of cracked passwords.

    This is where the Secret Key comes into play. To download the vault data in the first place, you must have both the account password and the Secret Key. A bad account password is only a risk on devices where the account is already signed in, instead of just trying to sign in on our website.

    3. You need to be having a REALLY bad day for this to have a meaningful impact on your security.

    We've linked to this comic before on this Community, but its message bears repeating:


    — from the comic XKCD, at https://xkcd.com/538

    By the time the number of iterations is the weak link in your defences, there are probably other, more significant, threats to your security. If someone has access to your device and is determined enough to break into your 1Password data, they would potentially also have access to you, and could use threats against you to compel you to enter your account password. This is often called rubber-hose cryptanalysis or "the $5 wrench attack", after the comic above.

    If that's not the case (and I hope it's not!), a lot of things would need to line up for the number of iterations in a key derivation function to be the weak point:

    • The attacker has access to your device (physically or remotely), and
    • they can unlock your device, or disk encryption is turned off (which is on by default for iOS, Android, and macOS), and
    • you haven't remotely wiped the device, or locked it, and
    • the account password for your 1Password account is weak (see above).

    Taking those things into account, then a (very determined) attacker might be inconvenienced by a higher number of iterations and it may slow down their ability to crack your 1Password data. The point here is that there are other safeguards which prevent the number of iterations from being the only thing that protects your data.

    4. Increasing the number of iterations will naturally have an impact on performance.

    Maybe this isn't a big deal, and you have swanky new devices with more power than you know what to do with. In which case, that's no problem.

    However, we have to balance what the experience will be like on older devices that are still supported, and think about any backwards compatibility issues that might arise. As an example, Apple devices tend to receive software updates for quite a while. An iPhone 6s, introduced in September 2015, can run iOS 15, which means it can run 1Password 8. There have been leaps and bounds in computing power over the last 7 years, and it's something we have to weigh up when making decisions.

    Where we're going from here:

    Our Principal Security Architect, Jeffrey Goldberg, has mentioned previously that we're exploring a new key derivation algorithm. PBKDF2 is still secure, but newer algorithms are available which can perform even better. As I've said before, work is still ongoing in this area, and we want to make sure that any changes to the fundamentals of 1Password's security model are done thoughtfully and with as little disruption to customers as possible.

    As an interim step while we evaluate a new key derivation algorithm, we are also looking at our options to bring the number of PBKDF2 iterations we use in line with the recently updated recommendations made by OWASP.

    Now, you might ask, "But hang on, doesn't this go against what you've been saying in this thread so far?". To be clear, everything said so far is correct and accurate: increasing the number of iterations isn't a one-size-fits-all fix, and (as we've seen above) isn't actually the most effective option when it comes to hardening PBKDF2, which is where the Secret Key really earns its dinner.

    And, of course, none of this takes away from the fact that you should always choose a good 1Password account password. We'd recommend four or five randomly-generated words, using 1Password's secure password generator.

    If you're already using a good account password, increasing the number of iterations will help a bit, but it won't be a game-changer.
    If you're using a weak account password, the Secret Key helps "raise the floor" on what goes into the algorithm anyway, so it has your back.

    Considering point 4 above about performance, our security engineering team is making sure that the experience of increased iterations on older supported setups will be acceptable.

    Right now, we don't have any solid dates for the change, or more details beyond what I've included here, but I thought I would just give everyone a bit of insight into what we're doing, so that our customers understand we're on it and aren't just sitting idle.

    I'll be happy to answer any questions you might have. :)

    — Grey
    1Password Support

  • strif4
    strif4
    Community Member

    I am impressed how fast Bitwarden increased their iterations to 600k, looking forward to 1P doing the same.

    @GreyM1P I would like to know the significance of "double-encrypting these fields at rest with keys managed in Bitwarden’s key vault (in addition to existing encryption)."

    Does 1Password do the same? Is there any benefit to double encryptions?

  • @strif4

    Does 1Password do the same? Is there any benefit to double encryptions?

    In short: no, and not really, in that order.

    1Password encrypts your items (once) with a symmetric Vault Key. This key is encrypted and decrypted using a public/private keypair, the User Keyset, in our terminology. This User Keyset is encrypted with a User Keyset Symmetric Key, which is itself encrypted by the symmetric Account Unlock Key, which is derived from your email address, Secret Key, and account password.

    The decryption flow is like this:

    1. Derive the Account Unlock Key using the email address, Secret Key, and account password.
    2. Decrypt the User Keyset Symmetric Key using the Account Unlock Key.
    3. Decrypt the private key in the User Keyset.
    4. Decrypt the Vault Key using that private key.
    5. Decrypt the items using the Vault Key.

    In terms of whether double-encrypting anything has any benefit, my personal opinion on that is no, because if the first round of encryption was good enough, the result would be (almost) perfectly random noise anyway. Further encrypting that noise would then result in something which is just as random.

    It's like having a really good paper shredder and putting the pieces through a second time – if the shredding was good enough the first time round, the second round isn't really adding any benefit.

    In our security model, encrypting your 1Password items with the Vault Key will turn them into that random noise. The other layers are more about protecting the key material than adding any further layers of encryption to the actual data.

    Hope that helps. :)

  • Hello all.

    I mentioned earlier:

    As an interim step while we evaluate a new key derivation algorithm, we are also looking at our options to bring the number of PBKDF2 iterations we use in line with the recently updated recommendations made by OWASP.

    That change has now been made, noted by this line in our release notes:

    SECURITY – Increase PBKDF2 default to 650000. {19309}

    — from 1Password.com Release Notes

    Whenever any of the following actions are taken on your 1Password account, your account will start using 650,000 iterations:

    • account password change
    • Secret Key regeneration
    • account recovery (in 1Password Families, or 1Password for Teams or Business accounts)

    Users who sign up from now on will also be using 650,000 iterations by default.

  • Kat34
    Kat34
    Community Member

    Thank you for doing this. I especially appreciate you explaining what a user needs to do to put this update into effect.
    Enjoy your weekend!

  • dogAndPonyShow
    dogAndPonyShow
    Community Member

    Thanks 1P for making this change. I completely understand your rational for PBKDF2. Appreciate these things can be a bit of a PR job, especially due to the problems LastPass exposed themselves to. It's a hot subject right now.

    Question: if we don't do any of the above changes (eg change password or secret key), is there a way for a user to update their PBKDF2 iterations to the higher number? Thanks.

  • @Kat34

    You're welcome! We're here if you need us. :)

  • @dogAndPonyShow

    For the time being, we're changing the number of iterations that your account uses only if you make a deliberate security action, such as those shown above.

    To be clear: we're not recommending that customers go out of their way to increase the number of iterations – as we've shown previously, there's no real need because of the Secret Key. We're just taking the opportunity to do that if account details are being changed (or the account is being recovered) anyway.

  • dogAndPonyShow
    dogAndPonyShow
    Community Member

    Thanks GreyM1P.

    Quickest option is to update password.

  • XIII
    XIII
    Community Member

    Can I update the password and then revert to the current one?

    (And still get this increase in iterations?)

  • @XIII You can "change" your password to the same one it currently is and skip a few steps. You'll still get the increase in iterations. You will have to re-authenticate on each device you've installed 1Password on, even if you change to the same password.

    Ben

  • klafredo
    klafredo
    Community Member

    To be clear the "1432 (build #1432) – released 2023-01-26" is the web version? My app version looks very different.

  • Ben
    Ben
    edited January 2023

    To be clear the "1432 (build #1432) – released 2023-01-26" is the web version?

    Correct — this change was in the 1Password.com service.

    My app version looks very different.

    Could you please clarify — looks very different from which?

    Edit: Disregard. I see what you're saying now. Yes, the desktop and mobile apps should be version 8.

    Ben

  • strif4
    strif4
    Community Member

    Very impressed with 1P.

    Now you guys have the highest iterations in the game and also the secret key.

    I had a bit of a chuckle when I saw it was changed to 650k not 600k, you guys just decided to 1 up Bitwarden/OWASP for the fun of it lol.

  • XIII
    XIII
    Community Member
    edited January 2023

    You can "change" your password to the same one it currently is and skip a few steps.

    That turned out to be a "disaster" (it seemed):

    Couldn’t change your password.
    Error: Not saving user info for public computer.
    

    However, I did get email that my password is changed and now the iOS Apps remain offline... Help!

    (it was not really a public computer, but I do select that so nothing gets stored in the browser)

    EDIT: logging out and logging in again seems to help, but you might want to improve this flow!

  • cruise2001
    cruise2001
    Community Member

    Something tells me there will be a run on password changes in the very near future.

  • @cruise2001

    We're not expecting the vast majority of our users to pay much attention to this change or go out of their way to change their account password or regenerate their Secret Key – they're already protected by the complete 1Password security model, and we haven't made this change to "patch" or "fix" anything.

    This change is only being made to accounts opportunistically when credentials are being rolled anyway, and it's purely an interim step before we move to a different key-derivation algorithm entirely.

    As much as I've been like a broken record talking about the Secret Key in this thread, it really is some of the serious structural integrity of the 1Password security model. Increasing the number of iterations is just dotting the is and crossing the ts.

  • Ixoth
    Ixoth
    Community Member
    edited January 2023

    Hmm, I changed my password but I was not able to change amount of iterations (did not see even such option)?

    I used 1password web version to change the password (in iOS firefox, if that matters).

  • @Ixoth

    You'll have been upgraded to 650,000 iterations automatically as part of that process – there's no option or switch to turn it on or off. :)

  • JAC3467
    JAC3467
    Community Member

    @Ben, @GreyM1P - Happy to see the iteration change. I just upgraded to 7.9.9 on my Mac, and there was also an iOS upgrade. Was this change applied to those apps to? This security update was not mentioned in the release notes.

    Thanks for the clarification.

  • cruise2001
    cruise2001
    Community Member

    I followed Ben's suggestions and sure enough...the key is set to '650000'.

  • Ixoth
    Ixoth
    Community Member

    @GreyM1P ah I see 😀 thanks for confirmation that higher number of iterations are automatically in effect.

This discussion has been closed.