Master password strength

On this URL: you state the following:

"Your Master Password doesn’t have to meet any “password requirements”. If you’re not comfortable using numbers, symbols, or capital letters, don’t."

You lied. I am forced to make a password that's at least 10 characters in length. That's your password requirement. Because that master password never gets transmitted, I should be able to use a password that's only 1 character if I want to. Forcing users into a 10 character password is evil.

Plus, you lied to us. How can I trust you again?

  • Meek

    Team Member

    Hi @jyork23,

    You're right - we should clarify that in the support page. I will talk with our docs team about making that happen.

    While you're correct that your Master Password is never sent to the server, it is used in conjunction with your Secret Key to encrypt your data. If you were to use a Master Password of 1 character, your Secret Key would help strengthen that encryption on our server so that if we were ever breached your data would still be safe. However, if someone gained physical access to your device, the Secret Key is stored locally on that device (this is why you only need to enter it the first time you sign in on a new device). As such, it is only your Master Password that is protecting your data locally on your device - this is why we have a requirement of at least 10 characters, to protect your local data.

    Thank you for pointing out this discrepancy in the support article, we'll get that fixed up!

  • khad Social Choreographer

    Team Member

    Hello again @jyork23,

    Just wanted to follow up on this and let you know that I’ve corrected that paragraph. The original didn’t say anything about length, but I can understand the confusion. What was written there wasn’t conveying what we intended. This is what we meant when we wrote it, and the article has been updated to reflect that:

    Your Master Password doesn’t have to meet any specific requirements for numbers, symbols, or capital letters. If you’re not comfortable using them, don’t.

    We regret the error. Thanks for reporting it.

    Have a great rest of your week!


    Khad Young
    Documentation and User Assistance Lead, 1Password

  • I still do not understand why a master password needs to be 10 characters. My old one was 8. No password is completely safe.

  • brenty

    Team Member

    We didn't use to enforce a minimum length for the Master Password. It was less of a concern when we started 1Password because people were using 1Password only on their devices locally, and the amount of power available to throw into brute force attacks paled in comparison to what we now have in our pockets, on our wrists, and even in many refrigerators (cloud computing was not a thing). But in 2019 10 characters is the bare minimum in order to ensure your data can withstand a local attack for any amount of time. And since we host 1Password users' encrypted data on our server now, we've also added the protection of the Secret Key so that an attacker cannot perform a brute force attack against a user's Master Password if data is stolen from us. Without the Secret Key, we'd need to enforce a much, much higher Master Password minimum length, as the only protection you'd have against an attack on us would be a long, random password... So if you think 10 characters is long, you may want to look again at the Secret Key. ;)
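
The two threat models described in the replies above (data stolen from the server versus an attacker holding the device, where the Secret Key is stored), as an added sketch that is not part of the thread and is not 1Password's actual key derivation. The 128-bit Secret Key size, the iteration count, the lowercase-only alphabet and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math

ITERATIONS = 100_000     # assumed work factor for this sketch
SECRET_KEY_BITS = 128    # assumed entropy of the device-held Secret Key


def derive_unlock_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Simplified two-secret derivation: both inputs are needed to get the key."""
    # Slow hash of the low-entropy, human-chosen secret.
    slow = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    # Fast keyed hash of the high-entropy secret that lives on the device.
    fast = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slow, fast))


def password_bits(length: int, alphabet_size: int) -> float:
    """Upper bound: entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def guess_space_bits(length: int, alphabet_size: int, attacker_has_secret_key: bool) -> float:
    """Bits an attacker must search, depending on what was stolen."""
    bits = password_bits(length, alphabet_size)
    # Server-side copy: Secret Key unknown, so its entropy adds to the search.
    # Device copy: Secret Key is stored locally, so only the password remains.
    return bits if attacker_has_secret_key else bits + SECRET_KEY_BITS


def compare(lengths=(1, 8, 10), alphabet_size=26):
    """Rows of (length, bits vs. server-side data, bits vs. device data)."""
    return [
        (n,
         round(guess_space_bits(n, alphabet_size, False), 1),
         round(guess_space_bits(n, alphabet_size, True), 1))
        for n in lengths
    ]


if __name__ == "__main__":
    print("length  server-breach bits  local-device bits")
    for n, server, local in compare():
        print(f"{n:>6}  {server:>18}  {local:>17}")
```

The device column is the one the minimum length addresses: with the Secret Key available locally, the password's own entropy is all that remains, and a human-chosen password will have less than the uniform-random figure shown.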

