Knowing how good a password is for use as your 1Password account password

fabnavigator
Community Member

I know that 1Password has a tool to create good passwords, but what if I want to create my own password? I can test a password by typing it into a login item and checking the strength meter. Should I shoot for a full green bar?
I see multiple web based password checkers that come up with an estimated time to crack the password. Is that at all accurate? Plus, I worry about typing my password into some web site.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hi there @fabnavigator

    You're right to worry about entering your 1Password account password anywhere that isn't 1Password, and I recommend that you don't. It's very hard to know what happens to it if you do, and whether it's stored, for example.

    There is guidance on what makes a good 1Password account password here:

    How to choose a good 1Password account password

    At the bottom of that page, you'll see a link to our online password generator, which will produce four hyphenated words, such as forcible-puffery-brutal-coarse. You don't need to use the hyphens if you don't want to – four or five randomly-generated words are a good account password. You could use 1Password's built-in password generator to produce this instead:

    I hope that answers your question fully, but please do let me know if I can be of any further help. :)

    — Grey

  • fabnavigator
    Community Member

    Hi @GreyM1P

    Thank you for reinforcing my suspicion that I shouldn't enter my password into a web password checker.

    Please address the question I asked about checking the strength of a password I create.

    "but what if I want to create my own password? I can test a password by typing it into a login item and checking the strength meter. Should I shoot for a full green bar?"

    Thanks,

    Bill

  • @fabnavigator – You don't need to worry about filling the password strength meter, no – four or five randomly-generated words will be memorable but strong enough, particularly because we also have the Secret Key to keep your 1Password data secure.

    It's important to note that your account password is the main way you should expect to unlock 1Password, so make sure it's something you'll remember. There's no way to reset your account password, so it must be one that you can enter from memory.

  • fabnavigator
    Community Member

    Thank you. I'm all set now.

  • Mycenius
    Community Member
    edited December 2022

    "...four or five randomly-generated words will be memorable but strong enough, particularly because we also have the Secret Key to keep your 1Password data secure" on the servers. Just think it's important to have that clear. 🙂

    So keep in mind @fabnavigator the secret key has no benefit to you at all on your local device - it only (helps) protect the data synced to the 1Password servers (and if they were ever breached). The strength of your password and only your password protects the copy of the data on your local device (be it PC, MacBook, Phone, etc) - so if a bad actor gets access to that (physically or remotely) your password strength is what will protect your data...

  • fabnavigator
    Community Member

    Wow! @Mycenius I had no idea that any data was kept locally on my devices. I'm new to 1Password, but I thought that the only copy of my data was on their servers, and could only be unencrypted with my Secret Key and password.

  • Mycenius
    Community Member
    edited December 2022

    I had no idea that any data was kept locally on my devices.

    That's how 1Password provides offline access on your device my friend. 😉 Personally I prefer that too - as you aren't left to the mercy of internet access. Also there has to be data on your device at some time regardless - otherwise it'd have to pass unencrypted across the internet from the servers to you every time you filled in a password field 😁

    I thought that the only copy of my data was on their servers, and could only be unencrypted with my Secret Key and password.

    That's how Bitwarden works - when you log into the app it downloads the vault (encrypted) from the server and unencrypts it on your device, when you log out or close the app it deletes the copy of the vault from your device so there is no record of it. Next time you log in it redownloads it... (obviously if you update info it sends an encrypted copy back to the servers). But in 1PW's case it works (slightly) differently and keeps an encrypted copy on your device always.

  • ForBigFire
    Community Member

    Somewhat related question: if I were to change my account password to something stronger, are my vaults (both the offline copies and the 1Password cloud copy) re-encrypted with the new account password? I changed my password once, and I notice that the secret key did not change (although 1Password did give me another download of the Emergency Kit file.) I recently migrated from LastPass, and from what I understand, when you change your master password there, it re-encrypts the data with your newly-generated key (based on the new password).
    What's confusing me is that the whitepaper describes how an account password change "does not re-encrypt the keyset". What does this mean?

  • @ForBigFire

    If I were to change my account password to something stronger, are my vaults (both the offline copies and the 1Password cloud copy) re-encrypted with the new account password?

    Sort of, yes. Your vaults are actually encrypted with something called the Vault Key, and there are some layers of encryption between that and your account password. I'll explain what I mean (or at least try to!):

    • Your email address, Secret Key, and account password are used to derive your Account Unlock Key.
    • This Account Unlock Key encrypts and decrypts the symmetric key for the keyset that's referred to in your quote from the white paper.
    • That keyset contains a public key and a private key. The public key encrypts the Vault Key and the private key decrypts the Vault Key.
    • The Vault Key is what protects your actual items.

    To roughly equate that to the real world (with some gross oversimplification, I might add), you might think of it this way:

    1. Your car has a mechanical locking mechanism. Whether it's locking or unlocking, it's ultimately the same thing, just in one of two directions - a motor moves a rod to lock or unlock the doors. This is similar to the Vault Key which protects your items in 1Password. (Yes, I know a rod isn't a key, but follow me here! 😁)
    2. The keyfob for your car has two buttons, Lock and Unlock. Each of these sends a different signal to the receiver in your car and can only move the locking rod in one direction each. Without the use of those buttons, you can't command the rod to move. Pressing the Lock button will only ever lock the car, never unlock it, and vice versa. You need both to be able to access your car and keep its contents safe. In our model, let's think of the Lock button as the public key which encrypts the Vault Key, and the Unlock button as the private key that decrypts the Vault Key.
    3. That keyfob can now be thought of as the "keyset" - it has multiple functions which are used for locking and unlocking.
    4. You keep the keyfob in a lockbox with a padlock on it to stop anyone else from using it. The key for that padlock would be equivalent to the User Keyset Symmetric Key in the white paper, and let's say it's stored in a safe, with a combination lock. The combination for the safe can be changed whenever you want. In this case, the safe combination is equivalent to the Account Unlock Key.
    5. Let's say the safe combination is very long and complex and you could never remember it. Let's also say that you have to work it out (derive it) each time you want to open the safe. To do this, you combine some things together mathematically. For example, you might (**very** hypothetically) choose some mathematical mixture of some numbers that you can always remember or find. If one of those numbers was changed, you'd have to change the safe combination to a new value so that when you next calculate the safe combination, it'll work.

    ☞ For example, if the age of your dog was one of those values, you'd have to change the safe combination every time the dog has a birthday. 🐶🎂

    In our case, your email address, Secret Key, and account password are combined together to derive the Account Unlock Key. If any of those three changes, the Account Unlock Key changes too. This is equivalent to changing the combination of the safe. So, here's what would happen in our fictional car-key example:

    • one of the things you use to calculate the safe combination changes, so
    • you update the safe combination to match the new results of that combination, but
    • the key for the padlock in the safe doesn't change,
    • the car key doesn't change, and
    • the rod that pushes the locks in the car open or closed doesn't change.

    What would that mean in this example? Assuming our slightly unusual world where you have to unlock the safe each time you want to open your car, you'd have a chain of keys which has to start with the safe combination. You can't get the next key in the sequence without the one before. So even though nothing "downstream" of the safe combination changes, it's still just as inaccessible.

    I hope that answers your question. It's a bit long, I'll grant you, so it's a bit to process, but please do let me know if you have any questions, or if I can be of any further help. :)

    — Grey

  • ForBigFire
    Community Member

    @GreyM1P Thanks for the answer, it might be a while before I fully understand it, but the analogy is definitely helping. What I'm trying to understand is, how is this "vault key" derived? If, say, I initially started 1Password with a not-so-strong password, was that password the one used to make the vault key? And if I change the account password to something stronger afterward, if someone got ahold of the vault (whether in the 1password cloud or from my device), would they only need the older, weaker password to decrypt the vault? (Let's assume they also know the email address and secret key.) If so, how do I rectify this situation?

  • @ForBigFire

    It's a lot, I know! 😅

    how is this "vault key" derived?

    It's created on your device using 32 bytes, generated randomly, giving 256 bits. Neither your email address, Secret Key, or account password have anything to do with its derivation.

    And if I change the account password to something stronger afterward, if someone got ahold of the vault [...] would they only need the older, weaker password to decrypt the vault?

    No. When you change your account password, you (by definition) change the Account Unlock Key. That old account password wouldn't be able to derive the new Account Unlock Key, and so wouldn't get any further along the chain, as it were.

  • ForBigFire
    Community Member
    edited December 2022

    @GreyM1P that's just what I needed to know, thank you so much! I think I'm starting to understand the specific scenario mentioned in Appendix A:

    Thus an attacker who gains access to a victim’s old personal keyset can decrypt it with an old account password and old Secret Key and use that to decrypt data that has been created by the victim after the change of the account password.

    So if the attacker somehow gets the old keyset, my newer account password doesn't matter, and what I (and 1Password) need to do is to ensure that the attacker never gets ahold of the old keyset, whether in transit or in the user's device. What are the ways that 1Password does this?
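A simplified model of the key chain Grey describes above, and of the Appendix A scenario quoted in the last post, as an added example that is not 1Password's code: PBKDF2 and an HMAC-based cipher stand in for the white paper's actual 2SKD parameters, for AES-GCM and for the keyset's RSA pair, and the email address, Secret Key and passwords are constructed values. It shows that changing the account password re-wraps only the keyset, that the Vault Key is independent random bytes, and that a stale copy of the old wrapped keyset still leads to items created after the change.

```python
import hashlib, hmac, os

def derive_auk(email, secret_key, password):
    """Account Unlock Key from all three inputs; changing any one changes the AUK.
    (Simplified stand-in for 2SKD: PBKDF2 over the password XOR HMAC over the Secret Key.)"""
    salt = hashlib.sha256(email.strip().lower().encode()).digest()
    from_pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    from_sk = hmac.new(secret_key.encode(), salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(from_pw, from_sk))

def _stream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def wrap(key, plaintext):
    """Toy encrypt-then-MAC (stand-in for AES-GCM): returns nonce | ct | tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key: authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

class Account:
    def __init__(self, email, secret_key, password):
        self.email, self.secret_key = email, secret_key
        self.vault_key = os.urandom(32)   # 256 random bits, not derived from the password
        keyset_key = os.urandom(32)       # stands in for the keyset and its private key
        self.wrapped_keyset = wrap(derive_auk(email, secret_key, password), keyset_key)
        self.wrapped_vault_key = wrap(keyset_key, self.vault_key)
        self.items = []

    def add_item(self, secret):
        self.items.append(wrap(self.vault_key, secret.encode()))

    def change_password(self, old_pw, new_pw):
        """Only the keyset wrapper is re-encrypted; the Vault Key and items are untouched."""
        auk_old = derive_auk(self.email, self.secret_key, old_pw)
        auk_new = derive_auk(self.email, self.secret_key, new_pw)
        self.wrapped_keyset = wrap(auk_new, unwrap(auk_old, self.wrapped_keyset))

def open_items(acct, password, wrapped_keyset=None):
    """Walk the chain: password -> AUK -> keyset key -> Vault Key -> items."""
    keyset_key = unwrap(derive_auk(acct.email, acct.secret_key, password),
                        wrapped_keyset or acct.wrapped_keyset)
    vault_key = unwrap(keyset_key, acct.wrapped_vault_key)
    return [unwrap(vault_key, blob).decode() for blob in acct.items]
```

Passing a stale `wrapped_keyset` to `open_items` reproduces the Appendix A case: the old password no longer opens the current account, but an old copy of the encrypted keyset together with the old credentials still reaches every item, which is why old keyset copies, not just old passwords, are what has to stay out of an attacker's hands.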

This discussion has been closed.