Does 1Password login allow Ctrl-C pasting master password?

TambourineMan
Community Member

I obviously need to ditch LastPass and am seeking a replacement.

I used a 25 character master password with computer generated lower, upper, numbers and symbols. I kept this in a VeraCrypt vault and could copy and paste it into the sign in prompt rather than trying to type it in each time and having to correct my many typos. I want to use an even longer one for my new password manager. I read that 1Password does not permit this.

Is this correct?

What is the maximum password length allowed in 1Password? (I appreciate my password may be salted and hashed to increase the apparent length.)

Also, does the 1Password process require a timeout for too many incorrect sign in attempts?


1Password Version: TBD
Extension Version: TBD
OS Version: Win10
Browser: Brave

Comments

  • Tertius3
    Community Member
    edited January 2023

    Locking your password manager with a completely unmemorable and untypable account password is a horrible idea. By saving this to some disk location, you put it at risk of being stolen (if someone sneaks onto your computer without you realizing it), and you're just replacing one master password with another - your encrypted storage is of course also secured with some unlocking mechanism, so it's only as weak as the storage password. You will also take every step to enter your master password as little as possible, and by avoiding entering your master password you weaken your security as well, for example by lengthening the timeout of automatic app locking or disabling automatic app locking altogether.

    Your master password should be something you can memorize and never forget, and it should be easy enough to type, so you will actually use the password manager and not try to circumvent it, because it's so difficult to enter the password.

    If you follow the current discussions started by Lastpass migrators, you find links to the Security White Paper from 1Password, which explains how 1Password handles its security. The strength of your account password is increased by the account secret key, which is as good as cryptographically unbreakable even if you chose the worst account password ever.

    You need to tailor the strength of your account password to the risk of your local computer being stolen or compromised, because the secret key is cached within the 1Password vault cache and only the account password is protecting your data on your local machine. The same data on the cloud storage is additionally secured with the secret key. On mobile phones, the strength of the account password is not so important, because today's mobile devices have encrypted storage, so it cannot just be copied from a locked phone. If your local PC is a laptop, consider using Bitlocker encryption, and nothing can be copied offline unless you know the Bitlocker key or proper Windows credentials.

    The most cryptic password isn't the most secure password - if you cannot memorize it, you risk losing your whole password database, and that's not much less severe than if all passwords were compromised.

    The official recommendation: https://support.1password.com/strong-account-password/

  • TambourineMan
    Community Member

    @Tertius3

    Thanks for your thoughtful reply.

    My view is that memorable ones are not as good as computer generated ones that are very difficult to memorize. Most memorable (aka human conceived ones) are easier to crack.

    The file containing the master password is only kept on a local device, not the cloud and is encrypted in VeraCrypt which is one of, if not the best open-source encryption apps for files, partitions or operating systems. Many believe it is better than bitlocker. One advantage is if my desktop or laptop (rarely used away from home) were stolen I would know a lot sooner than I would learn from a password manager company that my vault was stolen and can then change my passwords.

    The secret key only helps make a bad password better if it is the online vault that is compromised.

    A password should be written down. Half (or a part) should be given to your attorney (or perhaps put in a bank safe box) and the other part(s) to a close family member/ beneficiary in case you are unconscious, mentally incompetent or dead.

  • @TambourineMan

    My view is that memorable ones are not as good as computer generated ones that are very difficult to memorize. Most memorable (aka human conceived ones) are easier to crack.

    I would suggest that not all computer generated passwords are difficult to memorize. For example, I just generated the following password using 1Password:

    ARISE dade newcomer mantrap

    While this may be more difficult to memorize than something you've come up with off the top of your head, I suspect most folks could memorize it with a little bit of time and repetition. It would be a fairly strong password too, had I not just posted it on a public message board. 🙃 😅

    I'd recommend checking out this blog post on passphrases:

    Use Passphrases for Your Wi-Fi Network and Streaming Apps

    The secret key only helps make a bad password better if it is the online vault that is compromised.

    That is largely true, yes. The Secret Key was designed to protect the data stored in our servers. The account password is intended to protect the data stored on end-user devices.

    A password should be written down. Half (or a part) should be given to your attorney (or perhaps put in a bank safe box) and the other part(s) to a close family member/ beneficiary in case you are unconscious, mentally incompetent or dead.

    That is certainly one strategy that could be employed. 😃 I've also discussed the idea of an executor account in the past, e.g.:

    https://1password.community/discussion/60262/preparing-for-the-inevitable-a-specific-vault-for-executors-successor-trustees

    Perhaps that is worthy of consideration as well.

    Ben
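The point Tertius3 makes above about the Secret Key being cached on the local machine, and Ben's statement that the Secret Key protects the copy on the servers while the account password protects the copy on end-user devices, can be shown with a small offline simulation. This is an added example, not code from 1Password or from anyone in this thread; it sketches the generic two-secret idea (password stretched with PBKDF2, Secret Key expanded with HKDF, the two combined), while the exact derivation 1Password uses is described in its Security White Paper and differs in detail. The weak password, the placeholder Secret Key string, the salt, the guess list and the iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real credentials).
WEAK_PASSWORD = "letmein"
SECRET_KEY = "A3-EXAMPLE-SECRET-KEY-NOT-REAL"   # stands in for a random 128-bit Secret Key
SALT = b"constructed-16B-salt"                    # per-account salt; constructed
ITERATIONS = 50_000                               # PBKDF2 work factor; constructed
GUESS_LIST = ["password", "123456", "qwerty", "letmein", "dragon"]   # attacker's dictionary


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869, extract-then-expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(password: str, secret_key: str) -> bytes:
    """Two-secret derivation sketch (not 1Password's exact algorithm): stretch the
    password with PBKDF2, expand the Secret Key with HKDF, XOR the 256-bit outputs.
    Neither input alone reproduces the key; both are required."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS, dklen=32)
    sk_part = hkdf_sha256(secret_key.encode(), SALT, b"2skd-example", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def verifier(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?' (simplified to a hash of the key)."""
    return hashlib.sha256(b"verify:" + key).digest()


def attack_local_cache(target: bytes, cached_secret_key: str):
    """Attacker copied the device's 1Password data. The Secret Key is cached there, so
    only the account password stands between them and the vault: a dictionary attack
    against a weak password succeeds."""
    for guess in GUESS_LIST:
        if verifier(derive_key(guess, cached_secret_key)) == target:
            return guess
    return None


def attack_server_copy(target: bytes):
    """Attacker stole the server-side blob, which carries no Secret Key. Every password
    guess must be paired with a guess at a 128-bit Secret Key, multiplying the work by
    2**128. Trying the dictionary against a handful of random Secret Key guesses (a
    tiny sample of that space) never matches."""
    for guess in GUESS_LIST:
        for sk_guess in (os.urandom(16).hex() for _ in range(4)):
            if verifier(derive_key(guess, sk_guess)) == target:
                return guess
    return None


if __name__ == "__main__":
    target = verifier(derive_key(WEAK_PASSWORD, SECRET_KEY))
    print("local cache, Secret Key present :", attack_local_cache(target, SECRET_KEY))
    print("server copy, no Secret Key     :", attack_server_copy(target))
```

The two attack functions use the same dictionary; the only difference is whether the Secret Key is available, which is exactly why the thread's advice is to size the account password for the local-theft case rather than rely on the Secret Key for it.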

  • TambourineMan
    Community Member

    @Ben

    So far the latest LastPass breach has been fortuitous, as it has prompted me to do an overdue (because it is/will be so tedious) but needed update of my password security and emergency planning, hopefully before the hackers have time to crack my LP vault (and anyway important accounts are also protected by 2FA/MFA) and before any “emergencies,” but at almost 80 that time is coming.

    Re passwords/phrases, I appreciate length can substitute for strength. I was not familiar with entropy and am not sure I yet understand it. But to my layman’s understanding it would seem that an extended ASCII password would be less crackable than a 128 one at the same number of characters. My 25-character extended printable ASCII PW would seem as long as most 4–5 lower-case dictionary-word ones but seems to me to be stronger.

    The issue of course is if I tried to (had to) frequently type it out. I keep the bulk of the PW in an encrypted VeraCrypt vault and then manually add some additional memorable characters. I have toyed with the idea of a longer add-on to a (shorter) memorable, partial PW by virtue of a keyboard macro, but I am not sure if the macro is stored in the KB memory or unencrypted on the PC.

    The other issue is getting another “frequent user” to use/type the master password. Convincing that “user” to use Google Authenticator was hard enough. LOL I will be getting 1PW but have not yet as I need to finish my research/password security design first. LP would trust a device for 30 days. I am not sure if 1PW does the same. I have and use Windows Hello but the other user is camera shy. So I have ordered some Verifi 5100 fingerprint scanners for our desktops.

    Regarding “emergencies,” 1PW would do well to inform new (and old) customers about this concern. Few will be bothered to sign up for/read the forum or even blog posts – they need to be prompted/reminded during the setup or logon process, similar to alerting about weak, duplicate, or compromised PWs. Emergencies don’t just happen to old farts, but also to 20 something safeties.
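TambourineMan's comparison above of a 25-character printable-ASCII password with a 4–5 word passphrase, and Ben's generated four-word example earlier in the thread, both come down to entropy: bits = length × log2(alphabet size), where the "alphabet" is the character set for a random string and the word list for a random passphrase. The following is an added example, not code from the thread or from 1Password, that puts numbers on both and on the cost of guessing. It assumes 94 printable ASCII characters (95 with the space), an upper bound of 94 + 128 if every high code point were usable, a 7,776-word generator list (the size of the EFF large list; the size of 1Password's own list is not stated in the thread, so this is an assumption), and a hypothetical offline rate of 10^9 guesses per second.

```python
import math

# Assumptions, constructed for this example:
PRINTABLE_ASCII = 94            # letters, digits and 32 symbols; 95 if the space is allowed
EXTENDED_UPPER_BOUND = 94 + 128  # if every code point 128..255 were also usable (upper bound)
EFF_LARGE_WORDLIST = 7776       # 6**5 words; assumed size of the passphrase generator's list
GUESSES_PER_SECOND = 1e9        # hypothetical offline cracking rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: each position contributes log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly random passphrase: each word contributes log2(wordlist).
    Generator tweaks such as one capitalised word add only a few bits on top."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of random characters from the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years to try the whole space at the given rate; the expected time to hit is half."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare():
    """The schemes discussed in the thread, as (label, bits, years-to-exhaust) rows."""
    schemes = [
        ("25 random printable-ASCII chars", password_entropy_bits(25, PRINTABLE_ASCII)),
        ("25 random chars, extended upper bound", password_entropy_bits(25, EXTENDED_UPPER_BOUND)),
        ("4 random words (like 'ARISE dade newcomer mantrap')", passphrase_entropy_bits(4, EFF_LARGE_WORDLIST)),
        ("5 random words", passphrase_entropy_bits(5, EFF_LARGE_WORDLIST)),
    ]
    return [(label, bits, years_to_exhaust(bits)) for label, bits in schemes]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:48s} {bits:7.1f} bits  {years:10.3g} years at 1e9/s")
    target = password_entropy_bits(25, PRINTABLE_ASCII)
    print("words to match the 25-char password:", words_needed(target, EFF_LARGE_WORDLIST))
```

The formulas hold only for uniformly random choices; a human-chosen "memorable" password is not uniform, so plugging its length into password_entropy_bits overstates it. Salting and hashing (and the PBKDF2 work factor) do not add entropy either; they lower the attacker's effective guesses per second, which shows up in years_to_exhaust, not in the bit count.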
