Security: Master Password Change and Dropbox History
Comments
-
The new Cloud Keychain solves this?
0 -
I don't think there is anything to "solve" since it is an intentional part of the design of the data format, so I don't believe the Cloud Keychain changes anything in this regard (just like a new version of GPG won't change the fundamental model it is based on). However, I'll double-check with Jeff to confirm.
0 -
Ok, thanks.
0 -
Hi all,
The new Cloud Keychain Format has the same properties as the Agile Keychain Format in this respect. So the answer is "no". We did not come up with a way to re-encrypt all the data with fresh keys during a Master Password change.
I hope you will forgive me for repeating that our design "solves" a number of security problems that might not be obvious. Here are a few:
There is a limited amount of data that should be encrypted under the same key.
Now, 1Password databases aren't getting that big (yet), but when you have a structure that allows people to add an unlimited amount of data, you need to use multiple keys.
To get the full strength of 128 bit (or 256 bit) keys, those keys should be generated completely at random.
To have a system where only the minimum amount of data necessary is decrypted at any single time requires separate keys for each item.
Changing the Master Password should not be a process that takes many minutes during which a power failure or computer crash might leave data unusable.
But this does leave the problem that a Master Password change does not have the effect that it might seem.
For me the real problem is how to have something that is simple and straightforward to use, without people needing to study the details, that works in a way so that it makes it easy for people to behave securely and hard to behave insecurely. This really is the overriding goal of what we do here. As a consequence, 1Password presents itself to people as much, much simpler than it really is. In 99.44% of the cases that is a very good thing. But there is still that small number of cases where what is presented to people by 1Password can be misleading in a way that can lead them astray.
And there is another problem. The problem is that sometimes we do have to make tradeoffs of defending against one kind of threat versus another. Although I acknowledge the downside of the choice that we've made here, it was not a tough decision. The security benefits of our design choice are overwhelming.
I'd love to have a system that did everything, including conforming to intuitions about changing Master Passwords. We'll keep exploring ideas, but we require that any such system do more good than harm.
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
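
The design trade-off described in the post above, as an added example that is not part of the original thread and is not AgileBits' code: a random data key is wrapped under a password-derived key, so a Master Password change rewrites only the small header while the data key stays the same. Assumptions: one data key instead of per-item keys, XOR and HMAC constructions as toy stand-ins for the real ciphers, and all names and values are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # constructed demo value, kept low so the example runs quickly

def _kek(password: str, salt: bytes) -> bytes:
    """Derive the key-encryption key from the Master Password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(password: str, data_key: bytes) -> dict:
    """Header: the random data key wrapped under a password-derived key."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "wrapped": _xor(data_key, _kek(password, salt)),  # toy stand-in for a key wrap
        "check": hmac.new(data_key, b"check", hashlib.sha256).digest(),
    }

def unwrap(header: dict, password: str) -> bytes:
    data_key = _xor(header["wrapped"], _kek(password, header["salt"]))
    expected = hmac.new(data_key, b"check", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["check"]):
        raise ValueError("wrong password")
    return data_key

def change_password(header: dict, old: str, new: str) -> dict:
    """Quick and crash-safe: only the header is rewritten, no item is re-encrypted."""
    return wrap(new, unwrap(header, old))

def seal(data_key: bytes, plaintext: bytes) -> bytes:
    """Toy item encryption (HMAC-SHA256 keystream); items of up to 32 bytes."""
    nonce = os.urandom(16)
    return nonce + _xor(plaintext, hmac.new(data_key, nonce, hashlib.sha256).digest())

def open_item(data_key: bytes, blob: bytes) -> bytes:
    return _xor(blob[16:], hmac.new(data_key, blob[:16], hashlib.sha256).digest())

def demo() -> bytes:
    # old_header plays the copy of the keychain header retained in sync history.
    old_header = wrap("old master password", os.urandom(32))
    new_header = change_password(old_header, "old master password", "new master password")
    item = seal(unwrap(new_header, "new master password"), b"added after the change")
    # The retained header plus the old password still yields the same data key.
    return open_item(unwrap(old_header, "old master password"), item)
```
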