Don't limit generated password length or complexity

Currently the password generator limits the length to 50 characters, and the maximum number of combined letters and symbols to 10 each. These are artificial restrictions which reduce the entropy of the generated password, and should be removed.

I should be able to generate passwords that are 100, 200, or -- for kicks and giggles -- 10,000 characters long if I want to. 50 characters is not enough.
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/

The number of digits and symbols should be chosen randomly, and should not be limited.

If an attacker knows that a target uses 1Password, and can assume that they generate the most secure password possible given these restrictions, then they now know that the password is 50 characters long, and that it contains 30 letters, 10 numbers and 10 symbols. This significantly reduces the time it would take to crack, and should be considered a security bug.

KeePass currently does a much better job of this, and 1Password could learn some lessons from it.

Comments

  • khad
    1Password Alumni

    I've seen some questions about passwords that are stored within 1Password. A 23 character password from 1Password's Strong Password Generator is already 128 bits. Hashcat isn't going to find those. As for your Master Password, I don't think anything has really changed from our post in April. But I think @jpgoldberg is working on a new post to confirm for folks that nothing has really changed. :)

  • jpgoldberg
    1Password Alumni
    edited May 2014

    Hi @iandunn,

    I understand your concern with anything that looks like an arbitrary restriction that might be limiting security. And it is great that you are keeping an eye on this. But it is also useful to actually check the math. So let's take a look at some numbers.

    A password generated by our strong password generator, limited to upper and lowercase letters only, will have more than 128 bits of entropy. At 45 characters, it has more than 256 bits. This means that a 23 character random password already is stronger than the 128 bit AES key that protects it in the Agile Keychain Format and a 45 character password is stronger than the 256 bit AES key that is used to protect it in 1Password 4.

    To give you an idea of cracking time for a 128 bit key (or password of that strength) we are talking in terms of trillions of times the age of the universe. The chances of cracking a random 23 character password (or 128 bit key) within the age of the universe using a billion supercomputers is so small that there is no meaningful security gain in making it any larger. Take a look at Guess why we are moving to 256 bits, which talks more about this, though its focus is on key size and not password length.

    You are also correct that having the strong password generator pick a fixed number of digits and symbols (instead of any) has a price in entropy. But again, if you actually do the math on it, that cost is so small as to not make a real difference in the crackability of passwords generated by the Strong Password Generator.

    All of this applies only to passwords that people don't have to remember. Passwords that people have to remember (such as 1Password Master Password) will be much further limited, and so a different approach needs to be taken. For that please take a look at Toward Better Master Passwords and the various followup articles to that. I believe that with some practice, people can reasonably use and remember and type passwords with about 60 bits.

    Please take a look at those and let me know what you think.

    Cheers,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • iandunn
    Community Member

    I was skeptical, so I took a shot at doing the math myself.

    If we know that there are 50 characters, and that the set contains 66 characters (26 letters, 30 symbols and 10 numbers), then there are 9.48848285e+90 possible permutations. Divide that by 350,000,000,000 guesses per second[1], and you wind up with 9.42185965091e+49 years to crack it.

    So, yeah... I stand corrected ;)

    Thanks for your thoughtful response.

    [1] http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
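
The entropy arithmetic discussed in the two comments above, worked through as an added example (not code from 1Password or from any poster in this thread). It assumes uniform random selection, 52 letters, 10 digits, and the 30-symbol count quoted in the thread; the generator's actual symbol set is not given on the page.

```python
import math

# Assumed character-set sizes: 52 letters (upper and lower case), 10 digits,
# and 30 symbols (the symbol count quoted in the thread; the generator's
# actual symbol set is not given on the page).
LETTERS, DIGITS, SYMBOLS = 52, 10, 30


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits when every character is drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def min_length_for(bits: int, alphabet_size: int) -> int:
    """Shortest password length whose uniform entropy is at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def fixed_composition_bits(length: int, n_digits: int, n_symbols: int) -> float:
    """Entropy when the attacker knows the length and the exact digit and
    symbol counts; only positions and character choices remain random."""
    n_letters = length - n_digits - n_symbols
    if n_letters < 0:
        raise ValueError("digits + symbols exceed the password length")
    # Ways to place the three character classes (multinomial coefficient).
    arrangements = math.factorial(length) // (
        math.factorial(n_letters) * math.factorial(n_digits) * math.factorial(n_symbols)
    )
    candidates = (arrangements * LETTERS ** n_letters
                  * DIGITS ** n_digits * SYMBOLS ** n_symbols)
    return math.log2(candidates)  # math.log2 accepts arbitrarily large ints


def composition_cost_bits(length: int, n_digits: int, n_symbols: int) -> float:
    """Bits lost by fixing the class counts versus drawing from the full set."""
    full = uniform_bits(LETTERS + DIGITS + SYMBOLS, length)
    return full - fixed_composition_bits(length, n_digits, n_symbols)


if __name__ == "__main__":
    print(f"letters only: 23 chars = {uniform_bits(LETTERS, 23):.1f} bits, "
          f"45 chars = {uniform_bits(LETTERS, 45):.1f} bits")
    print(f"50 chars, 10 digits, 10 symbols: "
          f"{fixed_composition_bits(50, 10, 10):.1f} bits, "
          f"{composition_cost_bits(50, 10, 10):.1f} bits below unrestricted")
```

Under these assumptions, a 50-character password with exactly 10 digits and 10 symbols comes out roughly 10 bits below the unrestricted figure of about 326 bits.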

  • Megan
    1Password Alumni

    Hi @iandunn,

    Thanks for taking the time to check our math! We're glad to hear that you're thinking seriously about the security of your data. We'd be more than happy to answer any other questions you might have.

    Cheers,

    Megan O'Brien, Support Sorceress :)

This discussion has been closed.