Master Password - updated advice?
Hello,
I think it's time I changed/upgraded my master password. There's been an increasing amount of news around about passwords!
Is your June 2011 blog post still the best current advice?
http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
And who does one believe when "testing" the strength of a password? Some strength testing websites give a low rating to a long password generated using diceware.
What's the current thinking on all this?
Thanks!
Comments
-
There has been some discussion in a few threads about this, and I see that Jeff updated the blog post last month to revise downward the recommended number of dicewords in a passphrase. Note that the advice for choosing master passwords that appears in 1Password 4’s first-run prompts and the "new vault" prompts is extremely sub-optimal. It is geared toward newbies but even so will probably be revised, as it violates several of the principles discussed in the Toward Better Master Passwords blog post.
-
@goldensyrup, you should never enter your Master Password anywhere but the 1Password Master Password prompt. For your own protection, please do not ever type it into a "password testing" website.
On top of that, most of those password strength meters are not very helpful since they often just base the rating on a brute force attack. One of the better ones is zxcvbn, but again, please do not type your actual Master Password anywhere but in 1Password (including the zxcvbn tool unless you are running it yourself on your own system). :)
For more information on the math behind Diceware in order to understand why it is a secure option, please be sure to read the follow-up posts listed at the end of the blog post you linked above:
- This article was followed up by a geek edition which discussed an XKCD comic and some of the mathematical concepts behind this.
- Once the password cracking tool John the Ripper was adapted to take a shot at 1Password Master Passwords, we looked at how well 1Password with these sorts of Master Passwords holds up.
- In April 2013, hashcat achieved remarkable speeds (300,000 guesses per second) against the 1Password 3 data format, suggesting that a password of 4 or 5 diceware words should be used with 1Password 3.
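To make the Diceware math in the last bullet concrete, here is an added example (not from the thread or from AgileBits): it computes the entropy of an n-word Diceware passphrase and the average time a cracker would need at the 300,000 guesses per second rate quoted above, assuming the attacker knows the word list and the number of words.

```python
import math

# Diceware picks each word uniformly from a list of 6**5 = 7776 words
# (five dice rolls per word), so every word adds log2(7776), about 12.9 bits.
DICEWARE_WORDS = 6 ** 5

# Guess rate quoted in the thread for hashcat against the 1Password 3
# data format (April 2013).
HASHCAT_1P3_RATE = 300_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of an n-word passphrase when the attacker knows the
    word list and the word count and must search the whole space."""
    return n_words * math.log2(wordlist_size)


def expected_crack_years(n_words: int, guesses_per_second: float,
                         wordlist_size: int = DICEWARE_WORDS) -> float:
    """Average time to hit the passphrase: on average half of the
    space is searched before the correct one is found."""
    space = wordlist_size ** n_words
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def strength_table(word_counts, guesses_per_second: float = HASHCAT_1P3_RATE):
    """(words, bits, average years to crack) for each word count, at the
    given guess rate; each extra word multiplies the time by 7776."""
    return [(n, round(entropy_bits(n), 1), expected_crack_years(n, guesses_per_second))
            for n in word_counts]


if __name__ == "__main__":
    print(f"{'words':>5} {'bits':>6} {'avg years to crack':>20}")
    for n, bits, years in strength_table(range(3, 7)):
        print(f"{n:>5} {bits:>6} {years:>20.3g}")
```

Note that a strength meter which only models brute-force over characters will rate such a passphrase oddly, because it does not know the words were drawn uniformly from a fixed list; the calculation above is the one that actually applies to Diceware.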