Is this something we need to worry about; hashcat adding cracking support for 1Password [No]
A colleague of mine brought this to my attention: http://www.rurapenthe.me/2013/04/cracking-1password-master-password-it.html
Can someone comment on this?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @mishtamesh,
No as in don't worry about it as a security issue but worry about the strength of your own master password as it should be very strong in the first place.
We built 1Password with the advance knowledge that in the future, someone will develop a tool to crack against 1Password files. Cracking doesn't mean the encryption is broken in a way that it'd allow anyone to simply get the master password in the first try, it just means that it can try to guess the potential master password many times per seconds. The big news in your link is that hashcat added support for both GPU and 1Password encryption files.
We've written a detailed post about this in our blog here: https://blog.agilebits.com/2013/04/16/1password-hashcat-strong-master-passwords/
0 -
Wonder if this is worth further comment.
0 -
Hi @toasted,
The article is related to the same news, it was published back in 2013, a few month after our blog post. Nothing has changed since then, the GPU and CPU cracking speed will increase by a factor each year due to the natural technology progress but we're not talking about cutting the cracking time from 1 billion year to seconds, we're talking from 10 billion to 9 billion and so on each year.
By that time, we would already be on improved algorithms that will increase the strength, like we did already with our OPvault format and further updates to AGK vault in the past. In other words, as computers naturally becomes more powerful, we bump up our algorithms to catch up with computers to maintain the same cracking time.
0 -
Thats good to know.
Thanks for your quick response.0 -
On behalf of MikeT, you are most welcome! It's also important to note that since 1Password is using industry standard (AES) encryption, you'll know if and when it is 'cracked'. It will be a problem for everyone. But the more likely scenario is that eventually technology will advance to the point where it will be trivial to brute force the encryption...but by that time we will all have moved to a more advanced crypo algorithm — or rather our children or grandchildren will have. :glasses:
0