Questions about iCloud sync security and master password length

nathanwauk
Community Member
edited September 2018 in Mac

I was recently the victim of a security attack in which someone got AT&T to switch my account to their SIM card and then they used my phone number as 2FA to reset a lot of my passwords. It was quite frightening seeing emails come in that my passwords were being reset and I could do nothing about it until finding a way to contact AT&T and disable my account. Fortunately they did not get any money. And did not get the password to my Apple ID so were not able to access my iCloud account. But I am still living on my toes and quite nervous.

I know the 1Password file is encrypted and so I assume that to unlock it, they would have to download it and try to brute force crack it on their own computer. I have sometimes heard encryption security strength be described in terms of how many years a PC would take to guess it. My current master password is 12 randomly generated characters that I have memorized and written down nowhere.

My questions are:

1) Should my password be longer?

2) If I were to find out that my iCloud was accessed and they downloaded the file, what should be my immediate plan of action?

3) What are the differences in security if I use iCloud to sync vs using the 1Password server / 1Password account?

Thanks!

Nathan


1Password Version: 6.8.8
Extension Version: Not Provided
OS Version: OS X 10.13.6
Sync Type: iCloud

Comments

  • danco
    Volunteer Moderator

    I'm just a user, so feel free to ignore my views.

    I wouldn't be happy with a master password of 12 random characters memorised and not written down anywhere. There's too great a risk of memory failure, and you can't recover from a loss of a master password. If you have a safe deposit box (which seems commoner in the USA than in the UK) keep a copy there. Or decide on some other way to be able to recover it if necessary. Myself I originally had a 19 character password, which I later changed to 28 characters, but it was something meaningful to me, which makes it easier to remember.

  • Donaldd
    Community Member

    I'm a user as well but I'd like to share my own experience. 8-) IMO, 12 random characters are not only difficult to remember but also not strong enough, and it makes changing the password far more painful than a pronounceable passphrase with 5 to 6 random words.

    So...

    1) You may need to change the password from random characters to some random words (e.g. generated by 1Password)

    2) If your iCloud account was breached by someone, you should change your password for iCloud, and consider enabling 2FA for your Apple ID and don't forget to generate a Recovery Key:
    https://support.apple.com/en-us/HT208072
    Don't worry about your 1Password vault stored on iCloud, it is protected by strong encryption :)

    3) Compared to the standalone license (iCloud Sync), 1Password membership has the following benefits in security (copied from https://support.1password.com/why-membership/ ):
    1. Get every update at no additional cost. (Which means you could always have the latest security-related features)
    2. Sync and backup automatically without any additional setup. (Which is crucial when iCloud is not accessible.)
    3. Benefit from multi-factor security with your Secret Key and two-factor authentication. (So you don't need to worry if the problem you faced happens again, as SMS is not a 2FA in 1Password membership)

    For more detailed information about 1Password membership security, I think the whitepaper is a good place:
    https://1password.com/files/1Password for Teams White Paper.pdf

    Donald

  • Lars
    1Password Alumni

    Welcome to the forum, @nathanwauk! What a terrible, frightening experience. I'm so sorry you had to deal with that. When it comes to encryption, the actual encryption algorithm itself (AES) is the battle-tested standard of the world right now; hackers of both white and black hat variety and every shade in between have been banging on it for close to two decades, without making a dent. Which means that the assault will always be on the user's password, not on the actual algorithm itself.

    What's comfortable for you to remember (not to mention type in) is a matter of personal situation and personal preference. If you're someone with a documented history of memory problems, you might not want to try a long, random password. On the other end of that spectrum, we have a few people here at 1Password who choose a password of anywhere between 40 and 65 or so randomly-generated characters. They're certainly less easy/convenient to type out on a frequent basis, especially on small virtual keyboards on a phone, but they're also inarguably more secure than a ten or twelve-character password.

    As @Donaldd suggests, "real words" of the sort generated by diceware or the wordlist generator in 1Password may be much easier for some people to remember...or they may not. I can't really guide you in terms of what will be "best" for you, because I don't know many details about you: your threat model (both real and perceived), your facility with memory, several other things. So here are some general guideposts:

    1. When new users sign up for a 1password.com account currently, we require a Master Password of ten or more characters. Anything less will be rejected as too short.
    2. If you look at password entropy (which can be measured/expressed in bits), a password of about 23 characters (alpha/numeric with symbols) will equate (depending on specific character set used) to about 128 bits of entropy. That's quite a lot (this older post of mine will give you an idea of just how much).
    3. Always, always write your Master Password down somewhere and keep it secure. I've had to answer way too many emails from grieving widows whose husband just passed away having never told the wife what his Master Password was...and in it is everything from the bank account details to...well, you get the idea. In 1password.com accounts, the Emergency Kit has a spot to write down your Master Password, but even in standalone setups, if you are incapacitated and no one else can access your 1Password data, things could get anywhere from inconvenient to disastrous, fast. Don't actually tell anyone your Master Password, but definitely do write it down and keep it safe. Maybe in a safety deposit box, maybe with a trusted lawyer with instructions to disclose it to specific people on your death or incapacitation. Doing this also will help YOU in the event that you forget your own Master Password.

    We've actually got a good guide for choosing a strong Master Password, if you want to glean some ideas from that, as well. And feel free to ask us any questions, as you go along. Hope this helps! :)

  • Lars
    1Password Alumni

    Sorry for the follow-up here. I realized that I got caught up in the finer details of Master Password creation and forgot to specifically address your larger concerns regarding iCloud security. If someone's already gotten into your iCloud account, then they could have had the full run of the place, including potentially downloading your 1Password data file. However, 1Password was designed with worst-case scenarios in mind, so that even if iCloud were "cracked" (i.e. someone found out a way to bypass Apple's security) or your account details were stolen by someone, your 1Password data would be secure because it does not depend on those mechanisms for its security. Your data in "the cloud" - whether iCloud or Dropbox or our own 1password.com - is never in anything but encrypted form, which means that at a bare minimum, a thief who made off with your data file would need your Master Password to unlock/use it. Otherwise, it's just gibberish ciphertext.

    In 1password.com accounts, however, we have an additional security measure that's possible because we wrote the server and the sync mechanism: the Secret Key. It strengthens your password by the aforementioned 128 bits, which is useful if the remote data store on our servers was ever compromised. An attacker would need not only your Master Password but also your Secret Key, which is randomly generated on your own device and never transmitted to us in any form.
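
An added example (not part of the thread and not 1Password's code) that works through the entropy figures discussed above for randomly generated passwords and word lists, including the 128 bits the thread attributes to the Secret Key. The guess rate is an assumed placeholder, the 94- and 62-character sets and the 7776-word Diceware list are chosen for illustration, and the numbers hold only when every symbol is picked uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_WORDS = 7776      # size of the standard Diceware list (6^5)
SECRET_KEY_BITS = 128      # figure quoted in the thread for the Secret Key


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits, alphabet_size):
    """Fewest uniformly random symbols needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_search_half(bits, guesses_per_second):
    """Expected years for an offline attacker to try half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e6  # ASSUMED offline guesses per second; not a measured figure
    cases = [
        ("12 random chars, 94 printable ASCII", entropy_bits(12, 94)),
        ("12 random chars, 62 alphanumerics", entropy_bits(12, 62)),
        ("5 Diceware words", entropy_bits(5, DICEWARE_WORDS)),
        ("6 Diceware words", entropy_bits(6, DICEWARE_WORDS)),
    ]
    for label, bits in cases:
        print(f"{label:38s} {bits:6.1f} bits  "
              f"~{years_to_search_half(bits, rate):.2e} years at {rate:.0e}/s  "
              f"(+Secret Key: {bits + SECRET_KEY_BITS:.1f} bits)")
    for name, size in [("94-char set", 94), ("62-char set", 62),
                       ("Diceware words", DICEWARE_WORDS)]:
        print(f"128 bits needs {min_length_for_bits(128, size)} symbols from {name}")
```

The real cost per guess depends on the key-derivation settings of the vault format, so treat the year figures as a way to compare choices rather than as absolute estimates.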

  • nathanwauk
    Community Member

    Thanks, all of you for your feedback and advice. I really appreciate the detailed responses and explanations. Some really good food for thought. I think it's time for a new password and I'll definitely write it down somewhere. It's also encouraging to know about the master password file security in the event of iCloud being accessed. Again, I really appreciate the time you took to respond to my questions. Thank you!

  • :+1: Best of luck, and if we can be of further assistance, please don’t hesitate to contact us.

    Ben

This discussion has been closed.