Increasing Master Password length with each wrong attempt
Just pondering a feature idea for master password convenience vs. strength.
Could I have a master password of, say, 30 characters, but I'm only required to type the first 10 to open the vault. However, for every incorrect attempt an additional character is required.
Would this allow some convenience/speed of access, but thwart a brute force attack?
This may be a ridiculous idea — I look forward to having it picked apart!
Jim
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
This isn't a direct answer to your question, but something like this is available already for the iOS application. It allows you to enable Touch ID if the device is capable, or set a PIN if it isn't. One wrong attempt and you are then required to enter your master password. The master password is also required after a device is restarted.
-
Could I have a master password of, say, 30 characters, but I'm only required to type the first 10 to open the vault. However, for every incorrect attempt an additional character is required.
@jdc: No. Since your data is encrypted using your Master Password, 'changing' (or only requiring part of it) as you describe it would mean one of two things:
- The 'short' version of your Master Password is the real one, with the longer version being 'dummy' data (since it wouldn't be possible to decrypt successfully using two different inputs).
- The 'long' Master Password is your real one, but 1Password stores the latter part of it so that you only have to enter a portion... which means it may be possible for someone to gain access to the stored portion, and therefore make it so they only have to guess the rest — effectively weakening your security in a couple of key ways.
It isn't a ridiculous idea at all. If it were possible, that would be pretty cool. But since 1Password uses encryption to protect your data (which in turn is based on solid mathematics), it could not be done in a way that doesn't negate the security. This is similar to how US law enforcement agencies want to use cryptography for their own purposes, but have backdoor access to everyone else's data: you just can't have it both ways. I hope this helps! :)
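The two options in the reply above, as an added toy model (not 1Password's real vault format or code): the vault key is derived from the whole password, so a 10-character prefix cannot unlock a vault keyed on 30 characters; and if the vault stores the remaining 20 characters so the user only types 10, then anyone holding the vault file already has those 20 and only 10 remain secret. The 30-character password, the constant `vault-key-check` and the iteration count are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed; real products tune this much higher


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Vault key depends on every character of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def key_check(key: bytes) -> bytes:
    """Verifier kept in the vault so a wrong key is rejected without touching the data."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def create_vault(master_password: str, stored_suffix_len: int = 0) -> dict:
    """Option 1 (stored_suffix_len=0): the user must type the whole password.
    Option 2 (stored_suffix_len>0): the tail of the password is written into the vault
    so the user only types the head. Whatever is written into the vault is readable
    by anyone who copies the file, so it contributes nothing to the secret."""
    salt = os.urandom(16)
    suffix = master_password[len(master_password) - stored_suffix_len:]
    return {"salt": salt, "check": key_check(derive_key(master_password, salt)),
            "stored_suffix": suffix}


def unlock(vault: dict, typed: str) -> bool:
    """Recombine what the user typed with whatever the vault stores, then derive and verify.
    Note there is no attempt counter here: an escalating-length rule would be UI state,
    not part of the key, so it cannot influence the maths of decryption."""
    key = derive_key(typed + vault["stored_suffix"], vault["salt"])
    return hmac.compare_digest(key_check(key), vault["check"])


def secret_chars(vault: dict, master_password: str) -> int:
    """Characters that remain secret from someone holding a copy of the vault file."""
    return len(master_password) - len(vault["stored_suffix"])


MASTER = "correct-horse-battery-staple!!"  # constructed 30-character example

if __name__ == "__main__":
    full = create_vault(MASTER)
    print("option 1, full password:", unlock(full, MASTER))        # True
    print("option 1, first 10 only:", unlock(full, MASTER[:10]))   # False
    partial = create_vault(MASTER, stored_suffix_len=20)
    print("option 2, first 10 only:", unlock(partial, MASTER[:10]))  # True
    print("option 2, chars still secret:", secret_chars(partial, MASTER))  # 10
```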