1P PBKDF2 iterations are less than recommended by OWASP. Please do better.
Comments
-
I followed Ben's suggestions and sure enough...the key is set to '650000'.
Ok, great - thanks for confirming that. I've tried those steps without success - there's something I'm doing wrong or a browser setting that's different, and I don't know what it might be.
0 -
I can confirm what @GreyM1P said. I saw my iteration count change from 100000 to 650000, via the below process.
The count was revealed by the below variation of @Ben's approach, revised for Chrome/Edge on Windows.
(But let me hasten to agree with @GreyM1P that this focus on iterations ignores the qualitatively important security advantage of the Secret Key.)
- Change your password (including: to itself, or to a temporary one and immediately back to the one you know & love)
- Either Restart your browser or disable/re-enable the 1Password extension (to refresh its settings).
- Examine your iteration count:
- Click the 1Password icon in browser toolbar.
- Right-click in the dialog-box popup, then select Inspect
- Application > Storage > Keysets
- Expand each Value, then expand each encSymKey
- Look for p2c, which is the number of iterations.
(Above steps worked for Edge browser on Windows.)
0 -
Whenever any of the following actions are taken on your 1Password account, your account will start using 650,000 iterations:
account password change
Secret Key regeneration
account recovery (in 1Password Families, or 1Password for Teams or Business accounts)
Users who sign up from now on will also be using 650,000 iterations by default.
Why has it been set up so that one must jump through one of these 4 "hoops" to get the extra iterations? I must admit that I am not the most technically inclined but why couldn't it have been a simple toggle on?
0 -
@GreyM1P If I update my account password to trigger the increased PBKDF2 iterations, will that prevent me from accessing my 1Password data using 1Password 7? (I mostly use 1Password 8, but I do have a couple devices that have 1Password 7. I'm not concerned about slower performance on those devices and would prefer slower performance (if noticeable) for the benefit of the increased iterations.)
0 -
I've updated mine, and use both 1P7 and 1P8. I'm sure the iteration count is passed as a parameter, which is why it is visible in the browser inspector.
0 -
-
Why has it been set up so that one must jump through one of these 4 "hoops" to get the extra iterations? I must admit that I am not the most technically inclined but why couldn't it have been a simple toggle on?
@jmjm I'm assuming they can't automatically make the switch for everyone because they'd have to know your master password already in order to re-encrypt it with more iterations. Plus, making that change could have performance impacts, and 1Password would be making that decision for someone running an old device like an iPhone 6s from 2015, not letting them make that decision themselves. You can "change" your password by just typing in the same password over again, and it'll change to 650,000.
0 -
I wanted to chime in to say that I appreciate how 1P has handled this whole situation...even before increasing the iteration count. I trust the math (and encrypted devices) and will not be proactively changing my password in order to get the higher iteration count.
Back in LastPass, there was a very obvious sluggishness that showed up when I increased the iteration count to the 400,000s (before OWASP updated their number). 1P's performance has been a breath of fresh air.
I am also thankful that 1P is being thoughtful about replacing PBKDF2 with something better. No need for a knee-jerk reaction when there is no real threat to the current model.
0 -
@driblet Just chiming in to add that I haven’t noticed any perceptible performance difference after changing my password with the resulting increase in PBKDF2 iteration count on my 7 year old PCs or my 1 year old iPhone.
But I agree that there is no need for someone to change their account password to get a higher iteration count (unless their account password is weak, in which case the better solution would be to create a better account password).
Personally, my approach is to create a password strong enough that it should be resistant to brute force attacks even with no PBKDF2. But I went through the update process anyway because I like having that little extra protection just in case. :-)
0