Is agilekeychain harder to crack since I updated 7 character master password to 8 word passphrase?

enriquejp
Community Member

I have had my 1Password synced via Dropbox for many years. I just updated my Master Password from a weak 7 character password to a Diceware 8 word passphrase. Does this make my agilekeychain harder to crack now? I'm envisioning a scenario where Dropbox is hacked and a bad actor has my agilekeychain to work on in a brute force manner.


1Password Version: 4.4.3
Extension Version: 4.3.1
OS Version: 10.9.5
Sync Type: DropBox

Comments

  • littlebobbytables
    1Password Alumni

    Hi @enriquejp,

    Let's say you randomly generated your 7 character password from a full set of allowable characters; that would give you roughly 46 bits of entropy. Your 8 word Diceware passphrase has an entropy of 103 bits. One site I found contrasted the two by saying your 7 character password would take a fraction of a second to defeat while your 8 word Diceware passphrase would take 11,782,543 years (give or take a few).

    I'd say your new Master Password is pretty strong, even taking into account any moderate margins of error that this random site I used has.

    There is something to be aware of though and that is the vault's encryption keys (what your Master Password encrypts) have not changed. What it means is if somebody has access to your old .agilekeychain then they could break that Master Password. To generate new encryption keys means exporting your vault and starting over. Given your cause for posting I'm including how to do this below.

    General Warning to all users. This is an advanced topic and you had better know exactly what you're doing. Your data is at risk if you don't.

    Exporting your vault(s) to start over in 1Password for Mac

    It is assumed that the primary Mac will have a complete set of up-to-date vaults, so nothing held only on another device. If this is not the case please do not follow these steps.

    1. First we want to disable any current syncing and remove the sync data. In 1Password 4 for Mac you will want to activate each vault in turn followed by entering 1Password's preferences and switching to the Sync tab. It will say Syncing with XXXX if you're syncing this particular vault. Click the Change Syncing… button. A confirmation window will pop up. Tick the Delete data from XXXX checkbox as you want the old sync data removed and confirm you want to disable syncing by clicking the Disable Sync button. Close 1Password's preference window and switch to your next vault. Repeat to disable sync for each vault.
    2. With sync disabled on all vaults and the sync data removed, open up 1Password for Mac and use the File > Export > All Items... on each vault you have (the command is only applied to the active vault). It is important the file format is set to 1Password Interchangeable Format (.1pif). This will result in a .1pif folder per vault.
    3. Follow the steps in our How do I start over with an empty vault? guide.
    4. Follow the steps in our Running 1Password for the first time guide and create a new primary vault.
    5. From your primary vault create as many new secondary vaults as you require using 1Password > New Vault...
    6. With each vault active, import the .1pif file for that vault using File > Import... option. Selecting the .1pif folder (not the contents) will enable the Open button.
    7. With all .1pif files imported, check your vaults to ensure everything looks good.
    8. If all is correct you will want to securely delete the .1pif folders created in step 2 as the data is unencrypted and so not safe to keep long term. You can delete the folders dragged to your desktop in step 3, although if you want to keep them for a little longer it isn't as bad because they are at least encrypted (although using your older encryption keys).
    9. Re-enable syncing for each vault that requires it. This sync data, be it iCloud or one of our own formats, .agilekeychain and .opvault, will use the new encryption keys.
    10. You would then need to follow the How do I start over with an empty vault? guide for all the other Macs and then follow the Finding existing 1Password data during setup guide. For iOS devices you would use our How do I start over with an empty vault? guide and then the Existing 1Password user guide. If you have a vault that is unique to only a single device do not wipe it unless you are sure the vault is synced and so retrievable after the wipe.

    That would result in fresh vaults on all devices using the new sync data with the new encryption keys.

    Please take the time to read all the steps thoroughly and make sure you feel happy about what it all entails. Any questions do please, please ask.

  • devibimal
    Community Member

    @littlebobbytables - I'm now using opvault on win8.1 after I exported agilekeychain and recreated a new vault in win 8. The said vault is also synced with iPad and iPhone using wifi. Initially, I was using an 8 character long password. At the end when all was working well I changed the password to 10 characters on the Windows machine. That indeed I had to sync with iPad and iPhone.

    The question is do I have to export and import my vault to take advantage of the longer password in Windows for new encryption keys to take effect and if so how is the attachment export handled? I am hoping I don't have to as it was onerous itself to get things working as I like after exporting from iPhone/iPad and stopping using Dropbox.

    Thank you.

  • littlebobbytables
    1Password Alumni

    Hi @devibimal,

    As the encryption keys don't change, if somebody can gain access to an old copy of your vault and they can brute force the old password they gain your encryption keys. If they can do that they have access to your current vault despite the hardened Master Password. Let's say that at one point you never synced your OPVault, it was only ever stored on your Windows machine. You then changed your Master Password for a stronger one and only then did you move the OPVault to Dropbox. That's fine as Dropbox never had a copy of the keys encrypted with the weaker Master Password.

    So if the change to your Master Password was because the old one was weak and at risk from a brute force attempt and an old copy possibly lies on Dropbox's servers then I would say the export/import route would be advisable. That way you can be sure that only your strong Master Password can decrypt the vault's encryption keys.

    To export/import on Windows (which safely handles attachments) I would do the following.

    1. Launch 1Password for Windows.
    2. Select the File > Export... drop down menu option.
    3. Switch the Format type from Comma-Delimited Text (CSV) to 1Password Interchange Format (.1PIF) and verify that the All Items radio button is the one selected. Click the OK button.
    4. Supply a filename and save to your Desktop for ease of access later.
    5. Click OK in the confirmation window.
    6. You should receive a confirmation message saying "You have exported X item(s)."
    7. Quit 1Password for Windows using the File > Exit menu option.
    8. Move your existing OPVault out of Dropbox. Let Dropbox synchronise this change.
    9. Launch 1Password for Windows.
    10. Either select the File > New 1Password Vault... menu option or if 1Password asks if you wish to create a new vault do so.
    11. Make sure to select the OPVault format in the Save as type menu and create a new vault in the same Dropbox location as before.
    12. Complete the new vault creation by entering your Master Password etc. when requested.
    13. Use the File > Import... menu option, select the .1pif file on your Desktop and click the Open button.
    14. The first confirmation message will ask if you wish to import a certain item. For speed click the Yes to All button.
    15. A second confirmation message may appear, saying you have an existing item and do you wish to replace? Click the No to All button.

    That should repopulate this new vault (with the new encryption keys) with the entire contents of your old vault including attachments.

    Now your iOS devices should complain. The easiest route is to start over and then follow our Existing 1Password user guide. Everywhere will then be using these new encryption keys.

    Going forward, say you decide this Master Password is a bit of a pain for whatever reason and you need to change it for an equally strong, but for whatever reason easier to use Master Password. If the strength of the two passwords is essentially the same then there is no gain to doing any of the above again. It's only if you're going from a significantly weaker Master Password to a stronger one and you have concerns over your vault's contents that you would go through these steps.

    Does that help at all? Please do ask any questions you have and we'll do our best to respond.
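    As an added illustration (not code from the posts above or from 1Password itself) of two points in this thread: the entropy comparison in the first reply, and why a Master Password change alone re-wraps the same vault encryption key while export/import generates a fresh one. The vault layout, the PBKDF2 parameters and the XOR wrapping are assumptions standing in for the real .agilekeychain/.opvault formats; 95 is the printable ASCII alphabet and 7776 the standard Diceware list size.

```python
import hashlib
import math
import os

# Entropy of a uniformly random secret: `length` symbols drawn from `alphabet_size`.
def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Toy vault model (an assumption, not the real .agilekeychain/.opvault layout):
# a random vault key encrypts the items; the Master Password only derives a
# key-encryption key (KEK) that wraps that vault key.
PBKDF2_ITERATIONS = 100_000  # illustrative value only

def derive_kek(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ITERATIONS, 32)

def wrap(vault_key: bytes, kek: bytes) -> bytes:
    # One-time-pad style XOR stands in for a real key-wrap; enough to show key reuse.
    return bytes(a ^ b for a, b in zip(vault_key, kek))

def new_vault(master_password: str) -> dict:
    salt, vault_key = os.urandom(16), os.urandom(32)
    return {"salt": salt, "wrapped_key": wrap(vault_key, derive_kek(master_password, salt))}

def open_vault(vault: dict, master_password: str) -> bytes:
    # Unwrapping is the same XOR; a wrong password simply yields a wrong key.
    return wrap(vault["wrapped_key"], derive_kek(master_password, vault["salt"]))

def change_master_password(vault: dict, old_pw: str, new_pw: str) -> dict:
    # What a Master Password change does: re-wrap the SAME vault key under the new KEK.
    vault_key = open_vault(vault, old_pw)
    salt = os.urandom(16)
    return {"salt": salt, "wrapped_key": wrap(vault_key, derive_kek(new_pw, salt))}

def export_and_start_over(vault: dict, old_pw: str, new_pw: str) -> dict:
    # What export/import does: items leave as a plaintext .1pif (modelled here by
    # decrypting with the old password) and land in a brand-new vault with a fresh key.
    open_vault(vault, old_pw)
    return new_vault(new_pw)

def old_copy_still_works(old_vault: dict, old_pw: str,
                         current_vault: dict, current_pw: str) -> bool:
    # True when breaking `old_pw` on an old copy (e.g. one left on Dropbox)
    # recovers the key that still protects the current vault.
    return open_vault(old_vault, old_pw) == open_vault(current_vault, current_pw)
```

    The last function is the whole point of the export/import advice: after a plain password change it returns True, after starting over it returns False.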

  • devibimal
    Community Member

    Thanks a lot for a quick response @littlebobbytables.

    In my case I took the agilekeychain from Dropbox created using iPad, opened it on Windows and exported all items. Removed all traces from Dropbox as I prefer not to use it though convenient. I may be too paranoid about security. The only thing I did was, after the original opvault was created, I changed the password to one that is 2 characters longer.

    From the explanation I don't see any gain in the export/import routine as there is no agilekeychain or even opvault anywhere but my desktop and iPad/iPhone.

    Now that I know attachments are handled properly, I may do export/import but my understanding is that I'm not gaining or losing anything if I don't do this.

  • littlebobbytables
    1Password Alumni

    Hi @devibimal,

    I apologise, I thought you'd gone from a 6 character to an 8 word passphrase. If you've increased the character count by 2 then all of that is probably overkill and as you've surmised, if the new OPVault hasn't been on Dropbox then the risk is extremely minimal.

    Worst case we've had a good discussion about the merits of such an approach and what would be needed (as well as how to ensure everything is transferred across).

    If you have any further questions at all please do ask :smile:

  • enriquejp
    Community Member

    @littlebobbytables thanks for the thorough answer. I'll follow through on your suggestion. Thanks.

  • Drew_AG
    1Password Alumni

    On behalf of littlebobbytables, you're very welcome! If you run into any trouble with that or have any questions, just let us know - we're here for you! :)
