Password salting, peppering, double blinding or whatever.

Brrry
Community Member

The topic of password salting, peppering, and double blinding has been discussed multiple times in this forum. But, this is my understanding or opinion on it.
As Zatara214 said here: https://1password.community/discussion/comment/626536#Comment_626536
that in the event of some sort of security breach on 1Password's end, an attacker may be able to acquire a "blob" of your encrypted data, but it will be nearly impossible to crack.
I don't find this statement to be convincing because no plan or strategy is completely foolproof. That is why we are always seeking ways to stay ahead of the competition. Look at what happened with LastPass. Someone obtained access to the vault, but LastPass stated that it is impossible to crack it, not even in a million years. Where are the subscribers now? I don't think 1Password wants to face a similar situation as LastPass.
Password peppering, however, can be inconvenient for users as it requires them to manually add the extra characters or numbers. This defeats the purpose of using a password manager, which is meant to make the process of creating and remembering passwords easier. To address this issue, my suggestion is to add a feature in the 1Password app that allows users to create preset password peppers.

This feature would allow users to create multiple pepper options, for example, if they want all of their passwords to end with the letter "a" or a specific number. When signing into a website, the 1Password app will automatically fill in the password plus the preset pepper. These presets and settings should not be backed up on the server, but rather locally on a flash drive or other storage device of the user's choice.
Furthermore, by storing the preset pepper locally, the user ensures that there is a lesser chance of both their computer and the server being stolen at the same time. It is crucial to constantly look for ways to give attackers a hard time and this feature would be an effective solution to enhance password security while still maintaining user convenience.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
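The following is an added example that models the preset-pepper proposal above; it is not 1Password's code and does not model 1Password's actual master-password and Secret Key design. It assumes a suffix pepper (the user wants every password to end with a fixed string) and a website that stores a salted PBKDF2-HMAC-SHA256 verifier, the key derivation function discussed later in this thread. The `PEPPER` value, the site password and the function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy iteration count so the demo runs instantly; real verifiers use far more.
ITERATIONS = 10_000


def site_verifier(full_password: str, iterations: int = ITERATIONS) -> dict:
    """What a well-behaved website stores for an account: a random per-account
    salt plus PBKDF2-HMAC-SHA256 of the full password. The password itself is
    not stored, and the salt makes identical passwords hash differently per site."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", full_password.encode(), salt, iterations, dklen=32)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def site_login(verifier: dict, candidate: str) -> bool:
    """Server-side check of one login attempt against the stored verifier."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), verifier["salt"], verifier["iterations"], dklen=32
    )
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(digest, verifier["digest"])


def vault_entry(full_password: str, pepper: str) -> str:
    """The fragment the password manager would sync and store under the proposal:
    the site password with the user's preset pepper removed from the end."""
    if not full_password.endswith(pepper):
        raise ValueError("pepper must be the password's suffix in this design")
    return full_password[: len(full_password) - len(pepper)]


def autofill(fragment: str, pepper: str) -> str:
    """What the browser extension would type: stored fragment + locally held pepper."""
    return fragment + pepper


if __name__ == "__main__":
    # Constructed values: the preset pepper lives only on the user's local storage,
    # never in the synced vault; the site password is made up for the demo.
    PEPPER = "a7"
    full_password = "S3cure-Rand0m-" + PEPPER

    server_record = site_verifier(full_password)        # held by the website
    synced_fragment = vault_entry(full_password, PEPPER)  # held in the vault

    # A leaked vault fragment on its own does not log in ...
    print("fragment alone logs in:", site_login(server_record, synced_fragment))
    # ... but fragment + local pepper reproduces the real password.
    print("autofilled password logs in:",
          site_login(server_record, autofill(synced_fragment, PEPPER)))
    # Same password at a second site yields a different digest because of the salt.
    print("salts differ across sites:",
          site_verifier(full_password)["digest"] != server_record["digest"])
```

Two things the model makes visible: salting is done by each website and protects against cross-site matching of identical passwords, while the proposed pepper is one user-held secret shared by every entry, so whatever it adds is bounded by the length of that one value and by how well the local copy is kept.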

Comments

  • Tertius3
    Community Member

    @Brrry

    I don't find this statement to be convincing because no plan or strategy is completely foolproof.

    You are mistaken, if you assume there isn't something completely foolproof. There is math behind encryption, and it can be proven beyond doubt (that's the core of science, especially with math) that encryption with this and that algorithm, using these and those parameters and keys, will need more computing power to decrypt than mankind is able to provide for the next 30-50 years, and with current equipment even longer than the current lifetime of the universe.

    If implemented correctly, that is. 1Password claims to have implemented it correctly, and to prove this, it published its security design and regularly calls in auditors to verify that the implementation is according to the design, and they publish the results.

    What you assume isn't foolproof is the algorithm, and you aim to improve the parameters of the algorithm. However, it's proven with math what parameters provide what kind of security, and 1Password chose parameters that are within the secure range. Now you mix this with a bad implementation on LastPass' side. They claimed to have implemented a mathematically proven secure algorithm, but actually they didn't. They didn't secure what everyone thought they would secure. Now you assume 1Password did the same bad implementation (which is a wrong assumption). You're trying to create a workaround, a patch for LastPass' bad implementation instead of doing the right thing by trying to seek a secure implementation in the first place.

    About your password peppering: I would not use it. Too inconvenient on every level. Too complex. And complexity decreases security, because it increases the probability of bad implementations.

    Don't be paranoid. I don't try to get 100% security for my washing powder vendor support site login. It's sufficient to be 80% better than the rest of the world. It's sufficient to have a system that is cracked after everyone else with less secure systems has been cracked, which is probably long after I have passed away. In this race, you don't need to be the fastest runner if you're chased by a hungry lion. It's already sufficient to be faster than the slowest runners, and it's completely sufficient to run within the big field of most of the other runners.

  • Brrry
    Community Member
    edited January 2023

    I understand the point you are trying to make, that encryption can be proven to be secure using mathematical proof and that the implementation of the encryption is key to its overall security. You also mention that 1Password has published its security design and regularly calls auditors to verify its implementation, which provides an added level of security compared to other password managers like LastPass. I also understand your point that having a system that is cracked after everyone else with less secure systems have been cracked is sufficient for most use cases.

    However, it's important to note that no system can be completely foolproof and that even with mathematically proven encryption, the implementation can still have vulnerabilities. Additionally, even with a secure implementation, the system can still be vulnerable to other types of attacks such as social engineering.

    Password peppering can be inconvenient when done manually, therefore, I am requesting that it be added as a feature in 1Password, to make it easy.

  • MrC
    Volunteer Moderator
    edited January 2023

    However, it's important to note that no system can be completely foolproof and that even with mathematically proven encryption, the implementation can still have vulnerabilities. Additionally, even with a secure implementation, the system can still be vulnerable to other types of attacks such as social engineering.

    You're conflating two concepts here. An encryption system and the confidence in its implementation and mathematics, and a social engineering attack. Obviously if someone hands over their secrets, they cannot be saved by math.

    Nor can they be saved by your peppering technique.

    And if there is a weakness in the implementation (which you seem very concerned about), you've not demonstrated that adding a user's pepper remediates that weakness (nor all possible weaknesses).

  • Brrry
    Community Member
    edited January 2023

    Obviously if someone hands over their secrets, they cannot be saved by math.

    You are talking about the user's side.

    If you've read the 1Password team's statement here: https://1password.community/discussion/136293/1p-pbkdf2-iterations-are-less-than-recommended-by-owasp-please-do-better#latest
    The 1Password team has increased the number of iterations used in their password-hashing algorithm, and this suggests they do not truly believe their system is 100% secure. It would be more secure to store only part of a password on a server, with the rest being stored locally.

    Wise people don't invest all their money in a single company.

  • MrC
    Volunteer Moderator

    that this suggests they do not truly believe their system is 100% secure

    No, it just means they've decided to update the iteration count in the interim before changing derivation functions, and to likely simply make people feel better by taking the high ground here.

    You should abandon this concept of 100%, and focus instead on likelihoods and probabilities. It is not possible to prove the 100% idea, as that takes an infinite amount of time with infinite resources.

  • Tertius3
    Community Member
    edited January 2023

    I guess 1Password increased the iterations to silence voices like these in the referenced forum thread, and to not get any similar media coverage. Marketing pressure. Not to increase security. Slightly increasing the security is a byproduct of this decision.

    The focus and solution to the issue of ever increasing computing (cracking) power is a new key derivation function, not increasing iterations.

  • lesster
    Community Member

    In the LastPass case, thieves stole a backup of their archive of everyone's data. Regardless of the encryption methods used, the attackers can simply try every possible password on every account in that archive, forever, until they get into some of them.

    Worse yet, changing your LP pw now doesn't help, they're working with that backup, which has whatever pw each account had when it was taken. The only recourse is to change all the important passwords stored in there, making that backup irrelevant.

    The only real prevention strategy would have been to prevent the initial theft. It's not incremental increases in encryption strength.

    That's where LP completely failed. They've had 8 security incidents, going back to 2011, according to Wikipedia.

  • Brrry
    Community Member

    Oh come on. LastPass has the most users, making them a top target. The reason I'm using 1Password is because they charge higher and there is no free plan, which makes it difficult for them to gain subscribers.

  • lesster
    Community Member
    edited January 2023

    So what you're saying is that any password manager will get hacked if they have enough users to become an attractive target? Hope you're wrong, among other reasons because 1P isn't exactly a micro upstart nobody's heard of.

    Also, it is possible for a service to have made better or worse architectural decisions, and to have a more or less effective organizational and cultural approach to keeping user data safe.

  • Brrry
    Community Member
    edited January 2023

    While credit cards can be easily replaced and often insured in case of theft, personal information such as your identity, medical history, personal secrets and home address cannot be easily changed if compromised. Even if a password or combination of secret keys is strong, if someone gains access to your personal information, it is only a matter of time before it is compromised. This is especially true as technology and hacking methods continue to evolve over time.
    Even companies like 1Password are not immune to mistakes or potential breaches, whether it be through human error or an inside job. It's important for companies to constantly review and improve their security measures to protect their customers' information.

    Your responses seem closed-minded and arrogant as if you think highly of yourself. It's important to be humble and open to other perspectives, and to acknowledge the limitations or potential weaknesses of one's own knowledge or abilities.

    If you read the "terms of service" of 1Password, you will see that, like many other companies, they limit their liability and may not be held responsible for any harm or damage caused to customers in the event of a security incident or data breach. In simpler terms, it means that they also acknowledge that they cannot guarantee the complete safety and security of customers' information.

    It can be confusing when some people comment as if they have inside knowledge of a company's strategy against data breaches, but in reality they are only relying on the company's marketing and public statements. This can lead to misunderstandings about the true level of protection provided by the company.

  • lesster
    Community Member

    I agree with everything you said about the real level of protection a password manager can provide. We just have to choose one as best we can, based on the information we have, or decide not to use one at all because we don't trust that info.

    Beyond that, I'm not sure what the practical implications of this discussion are.

    Best to you.

This discussion has been closed.