Elcomsoft claims capability to break 1Password
Elcomsoft is a Russian company that supplies expensive forensic software for government agencies and other criminals. In this blog post, they claim that breaking into 1Password is a piece of cake for their "Elcomsoft Distributed Password Recovery" tool. Have you guys seen this? Any comments?
1Password Version: 6.8.1
Extension Version: Not Provided
OS Version: OS X 10.12.6
Sync Type: None
Comments
-
Down in the comments for the blog post, Elcomsoft admits that their brute force approach only works against weak passwords. I assume you agree? False alarm, sorry.
-
@jerryr56 - Yep, we saw it back when it first came out in August of last year. This isn't the first time they've tried to crack into 1Password keychains. Last time they tried it, this was their conclusion on Twitter.
This time around, as you can see in the comments, in the back-and-forth between the article's author and our Chief Defender Against the Dark Arts, Jeff Goldberg, they apparently got hold of a copy of an older Agile Keychain that did not have as many rounds of PBKDF2 as all current versions do. Bottom line: your data is quite safe, provided you choose a good Master Password. If you'd prefer the singing version of how to choose a good Master Password, well, we've got you covered there as well. Let us know if you have any questions!
-
Unfortunately, I think there is no way of testing master passwords before use, is there? No strength indicators, etc.
-
@wkleem - we don't have a password-strength meter for creating your Master Password, but we've written multiple documents over the years on how to choose a good Master Password. We've even got the singing version. :)
-
Understood. Thanks for the feedback. :)
Ben
-
I noticed that document too and was completely overwhelmed and thought what the ....
Fortunately, things were not as horrible as I thought.
After using the search button there were lots of topics on Elcomsoft and the real deal regarding 1PW, and I'm now looking at the article https://blog-cdn.agilebits.com/wp-content/uploads/2013/04/README.txt and will definitely give it a go this weekend.
Not to say my 1PW-generated 6-word code is not safe, but I want to make it as difficult as possible within the range of what I can remember.
Although I have problems understanding the technical side of it, due to English not being my home language, I can understand that 1PW is one awesome program and very safe (what a relief :-)
Thanks for the extensive info you people give and for standing by your product.
-
@Jo_ann77 - you're quite welcome! Let us know if you run into any difficulty while getting set up. I might also recommend https://support.1password.com to you; it's a wonderful resource where you can find step-by-step how-to guides for most anything you want to do in 1Password. :)
-
Hi Lars,
Interesting, I saw the article a few days ago as well. As discussed here, it's just another classic brute force attack. This is not a weakness per se in the 1Password app, but a weakness in how you choose the master password. BTW, the Windows desktop app and Chrome extension do not show the master password strength, but the web interface on my.1password.com does show the password strength bar graph, which is green. Eyeballing mine, it's like 70 or 80% good.
Am I reading it correctly or configured it incorrectly where I should not be storing it there as per best practices? I'm mildly novice in 1password as an FYI. Thanks.
Regards,
Balrog
-
They did a follow up to that post almost immediately after some pushback (the link is at the top) with new errors and how their original data set went wrong.
https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/
1Password's numbers are at the bottom of the passwords-per-second list now... way lower.
-
Thanks, @AlwaysSortaCurious -- you're quite right. If you'd like a more visual representation of what it looks like to crack a password by brute force, @balrog, the chart in this post will give you an idea. Feel free to ask any questions you have! :)
-
Thanks. That's a fun entropy chart. Yeah, math is fun like that. I often don't bother with special characters anymore (20 random alphanumeric beats 18 full keyboard every time and generally causes less agita with password rules, and it's easy to add a cap or special if needed rather than remove the violators here and there, so I'm happy enough with max alphanumeric).
It's fun to see the numbers if anyone cares to figure it out. Special chars are not as special as they seem when you can make a password a couple of characters longer.
-
It's fun to see the numbers if anyone cares to figure it out. Special chars are not as special as they seem when you can make a password a couple of characters longer.
Exactly right. The power of exponential growth.
I find it fascinating how much of that kind of thing is counter-intuitive though. It's difficult to fault someone for thinking otherwise.
Rick
-
66,483,264,000,000,000,000 Length: 10 Chars: 96 (full keyboard printable)
3,226,266,800,000,000,000,000 Length: 12 Chars: 62 (alphanumeric upper/lower)
Unless I screwed up somewhere, that 2-character difference makes a couple of significant zeros with just 10- and 12-character passwords; go longer, oh me oh my.
66.5 quintillion vs 3.2 sextillion.
-
@balrog: We meet again. :naughty:
BTW, the Windows desktop app and Chrome extension do not show the master password strength, but the web interface on my.1password.com does show the password strength bar graph, which is green. Eyeballing mine, it's like 70 or 80% good.
I think it makes sense for the web interface to show you password strength when creating a Master Password, but since that isn't something that can be done in the extension (or app, when we're talking about a 1Password.com account) I think it makes sense to not have that there. But let me know if you meant something else.
Am I reading it correctly or configured it incorrectly where I should not be storing it there as per best practices? I'm mildly novice in 1password as an FYI. Thanks.
If you mean storing your Master Password (and other account credentials) in a Login item in your 1Password.com account, there's nothing wrong with that. After all, an attacker would already need those to get in to view that item. Cheers! :)
-
@AlwaysSortaCurious: I think even with a rounding error or two you'd be okay. ;)
@balrog: And, relevant to both of you,
Interesting, I saw the article a few days ago as well. As discussed here, it's just another classic brute force attack. This is not a weakness per se in the 1Password app, but a weakness in how you choose the master password.
It's worth pointing out that the chart Lars linked to is not specific to 1Password, but applies generally to brute force methods of guessing passwords, to a website, for example. With 1Password, it's even harder since each guess requires some real computational work, thanks to PBKDF2 iterations being complex operations designed to slow down an attacker. :sunglasses:
-
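The arithmetic behind the 96^10 vs 62^12 post above, plus brenty's point that PBKDF2 iterations make every guess cost real work, as an added example that is not from this thread or from 1Password/AgileBits. The attacker hash rate and the iteration counts in the demo are constructed assumptions for illustration, not 1Password's actual settings.

```python
"""Password keyspace and brute-force cost estimates (added example).

Reproduces the thread's 96^10 vs 62^12 and 62^20 vs 96^18 comparisons and
adds the effect of a slow KDF such as PBKDF2: each guess costs `iterations`
hash computations, so the attacker's effective guess rate drops by that factor.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: the 'bits of entropy' of a uniformly random password."""
    return length * math.log2(charset_size)


def effective_guess_rate(hash_rate: float, iterations: int) -> float:
    """Guesses per second when each guess needs `iterations` hash computations."""
    return hash_rate / iterations


def years_to_exhaust(space: int, hash_rate: float, iterations: int = 1) -> float:
    """Worst-case years to try every candidate in `space` at the given rates."""
    return space / effective_guess_rate(hash_rate, iterations) / SECONDS_PER_YEAR


def compare_thread_examples() -> dict:
    """The two comparisons made in the thread: 96^10 vs 62^12, 62^20 vs 96^18."""
    return {
        "full_keyboard_10": keyspace(96, 10),
        "alphanumeric_12": keyspace(62, 12),
        "alphanumeric_20_beats_full_18": keyspace(62, 20) > keyspace(96, 18),
    }


if __name__ == "__main__":
    results = compare_thread_examples()
    print(f"96^10 = {results['full_keyboard_10']:,}")
    print(f"62^12 = {results['alphanumeric_12']:,}")
    print(f"62^20 > 96^18: {results['alphanumeric_20_beats_full_18']}")
    # Constructed assumption: 1e10 raw hashes/s for the attacker. Iteration
    # counts are hypothetical low/high PBKDF2 settings, not vendor figures.
    space = keyspace(62, 12)
    for iters in (1, 1_000, 100_000):
        print(f"62^12 with {iters:>7,} PBKDF2 iterations: "
              f"{years_to_exhaust(space, 1e10, iters):.3e} years")
```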
Hi Brenty,
Thanks for the explanation and the link. Refreshing for a forum where the support people know their product very well (and more).