Storage of Master Password on iOS Devices


Comments

  • jpgoldberg
    1Password Alumni
    Thank you for doing this terrific testing and clear articulation of various assumptions.

    Assumptions: Any "low security (4-digit pin-protected)" password created on the desktop client is stored in the desktop client keychain encrypted only with the desktop master password and not recoverable without it. Only when decrypted with the master password and synced to an iPhone is it stored on the iPhone encrypted with the 4-digit pin.
    [...]
    This works for me, so if my assumption is true there can be only one conclusion:
    1Password on iPhone has access to my desktop master password when only supplied with my 4-digit pin.

    If I'm wrong, please explain why.


    Low security items are encrypted with a separate key. That is, your desktop Master Password is used to decrypt a 1024 byte (not bit) chunk of data. From that decrypted chunk of data, two AES keys are derived. One is the high-level, SL5, key; and the other is the low-level, SL3, key.

    1Password on iPhone may be storing the SL3 key, which would enable it to perform this translation. Again, I need to do some digging to check. One thing to keep in mind is that the SL3 and the SL5 keys are technically equally strong. They are both random 128-bit AES keys. The difference is in how we treat them. That is, the distinction between the keys is that we will have SL3 available at times or in places where we won't have SL5 decrypted.

    Again, I am not certain whether this is one of those cases.

    Cheers,

    -j
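To make the two-tier layout in the post above concrete, here is an added illustration; it is not code from this thread, from AgileBits, or from 1Password's real data format. It models exactly what the post states: the desktop Master Password decrypts a 1024-byte chunk, two random 128-bit keys (SL5 "high" and SL3 "low") come out of that chunk, and the phone can hold SL3 wrapped under the 4-digit PIN so that low-security items open without the Master Password while SL5 items do not. Everything else is an assumption made for this example: the PBKDF2 settings, an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag standing in for AES so the code runs with only the Python standard library, and taking the two tier keys as the first two 16-byte slices of the chunk. The `DesktopKeychain`, `PhoneKeychain`, `seal`, `unseal` and `demo` names are invented here.

```python
import hashlib
import hmac
import secrets

# Constructed model of the key layout described in the post above. Tier names
# (SL5 high, SL3 low), 128-bit keys and the 1024-byte chunk come from the post;
# the KDF settings, the HMAC-SHA256 stream cipher standing in for AES, and
# slicing the tier keys out of the chunk are assumptions for this example only.

PBKDF2_ITERATIONS = 10_000  # constructed value
TIER_KEY_LEN = 16           # 128-bit keys

def derive_kek(secret: str, salt: bytes) -> bytes:
    """Master Password or PIN -> 256-bit key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for AES-CTR so this runs stdlib-only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or tampered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def tier_keys(chunk: bytes) -> dict:
    """Assumption: SL5 and SL3 are the first two 16-byte slices of the decrypted chunk."""
    return {"SL5": chunk[:TIER_KEY_LEN], "SL3": chunk[TIER_KEY_LEN:2 * TIER_KEY_LEN]}

class DesktopKeychain:
    """Desktop side: both tier keys are only reachable through the Master Password."""

    def __init__(self, master_password: str):
        self.salt = secrets.token_bytes(16)
        chunk = secrets.token_bytes(1024)  # 1024 bytes (not bits), as in the post
        self.encrypted_chunk = seal(derive_kek(master_password, self.salt), chunk)
        self.items = {}  # name -> (tier, sealed secret)

    def unlock(self, master_password: str) -> dict:
        return tier_keys(unseal(derive_kek(master_password, self.salt), self.encrypted_chunk))

    def add_item(self, master_password: str, name: str, tier: str, secret: bytes) -> None:
        self.items[name] = (tier, seal(self.unlock(master_password)[tier], secret))

class PhoneKeychain:
    """Phone side after a sync: the synced items plus SL3 wrapped under the PIN alone."""

    def __init__(self, desktop: DesktopKeychain, master_password: str, pin: str):
        self.items = dict(desktop.items)
        self.pin_salt = secrets.token_bytes(16)
        sl3 = desktop.unlock(master_password)["SL3"]  # SL5 is deliberately not copied
        self.wrapped_sl3 = seal(derive_kek(pin, self.pin_salt), sl3)

    def read_with_pin(self, pin: str, name: str) -> bytes:
        """The PIN reaches SL3 only, so SL5 items stay sealed even with the right PIN."""
        tier, sealed = self.items[name]
        if tier != "SL3":
            raise PermissionError(f"{name} is an {tier} item; the PIN alone cannot open it")
        sl3 = unseal(derive_kek(pin, self.pin_salt), self.wrapped_sl3)
        return unseal(sl3, sealed)

def demo() -> dict:
    """Constructed walk-through: what each tier yields on the phone with PIN only."""
    mp = "correct horse battery staple"  # constructed Master Password
    desktop = DesktopKeychain(mp)
    desktop.add_item(mp, "forum-login", "SL3", b"hunter2")
    desktop.add_item(mp, "bank-login", "SL5", b"top-secret")
    phone = PhoneKeychain(desktop, mp, "1234")
    result = {"low": phone.read_with_pin("1234", "forum-login")}
    try:
        phone.read_with_pin("1234", "bank-login")
    except PermissionError:
        result["high"] = None
    try:
        phone.read_with_pin("9999", "forum-login")
    except ValueError:
        result["wrong_pin"] = None
    return result

if __name__ == "__main__":
    print(demo())  # {'low': b'hunter2', 'high': None, 'wrong_pin': None}
```

The point the model makes visible is the one in the post: SL3 and SL5 are equally strong random keys, and what changes on the phone is only which of them is reachable from which secret. Wrapping SL3 under the PIN means a low-security item's real protection on the device is the PIN's guess space plus whatever iOS adds around the keychain, not the Master Password's entropy, which is why a PIN-only path should never be able to reach SL5 or the chunk it came from.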
  • jpgoldberg
    1Password Alumni
    And returning to the question of whether we should continue to enable different Master Passwords on iOS than on the desktop.

    sddawson wrote:

    I think we are in almost complete agreement. Jeff is, like you, concerned that always requiring the master password to be entered on an iPhone will ultimately result in weaker passwords that are easier to enter. Personally, I use Diceware-generated passwords, and I find these pretty easy to enter even on an iPhone. And I'm not using 1P on the iPhone that often anyway.

    One of the advantages of diceware-like passwords is that they are much easier to type on the iPhone. You don't need to switch between different keyboards for digits and symbols. We obviously don't enable auto-correct for password entry, but if we were able to without leaking password information, then that would also be another advantage to using diceware-like passwords.

    If we do move to "same master password everywhere", then we will be recommending this approach even more.


    It could be argued, though, that because the iPhone is always with you it is more likely to be lost or stolen (probably especially lost). Too easy to leave it somewhere, have it drop between the cushions of a chair etc. I do agree that even then it would be very hard to jailbreak the phone and get at the keychain, and then to get at the passwords. But if that's a hole that can be plugged, I'd like it plugged!

    You are absolutely correct that iPhones get stolen much more commonly. However it is harder to extract 1Password data from an iPhone than from elsewhere. Jailbreaking is easy, but getting past the device passcode is much harder. Quite simply when a thief finds that the phone is passcode locked, they will just wipe the thing.

    Also, we need to keep in mind that the data encrypted with your desktop master password is stored "in the cloud". So even though iPhones do get stolen, it is reasonable to assume that 1Password data as stored on the desktop and cloud is more likely to be acquired.

    I really appreciate this discussion as the questions raised here are also the subject of some internal discussion as well. One additional disadvantage with the current system is that there are multiple ways in to someone's data. Having two distinct passwords that will each, by itself, unlock the data is something that we should try to avoid where possible. Every bit of complexity while we are handling keys (such as during the translation process) provides scope for error.

    But as noted, forcing the same master password on iOS as on the Desktop will result in some users picking weaker passwords. As is typical, security "trade-offs" are often between different security concerns.

    Cheers,

    -j
  • jhollington
    Community Member
    edited August 2012
    jpgoldberg wrote:

    You are absolutely correct that iPhones get stolen much more commonly. However it is harder to extract 1Password data from an iPhone than from elsewhere. Jailbreaking is easy, but getting past the device passcode is much harder. Quite simply when a thief finds that the phone is passcode locked, they will just wipe the thing.

    That's exactly my thinking, as I've stated already. Most thieves aren't stealing iPhones for identity theft purposes -- they just want the hardware -- while hackers trying to get into a Dropbox account are doing so exactly for the information stored in there, including 1Password data.

    Further, the fact is that while iPhones do get lost more often, there are also users like myself who are extremely careful with mobile devices. I've never forgotten my iPhone anywhere, or even let it out of my sight or off my person when I'm not in an otherwise reasonably secure location (home, staying in a hotel room, etc). I also take the rather pragmatic approach that the data is far more valuable than the hardware, and would remote-wipe my iPhone immediately if I ever had any concern about it falling into the wrong hands, effectively sacrificing any hope of recovering the hardware, but ensuring the confidentiality of my data. I take the same approach with my MacBook Air and iMac, which also use full-disk encryption.

    Besides, the worst-case scenario if I were to lose my iPhone is that I change all of my critical passwords. My 1Password data is still accessible elsewhere, and I already maintain a folder in 1Password of the "high security" passwords that should be changed immediately in the event of any possible compromises (the same passwords which are each changed on a rolling 30-day cycle as well, in fact). If I were to lose my iPhone I would do this out of principle regardless of how secure I feel 1Password is, rendering most of this conversation completely academic.

    Also, we need to keep in mind that the data encrypted with your desktop master password is stored "in the cloud". So even though iPhones do get stolen, it is reasonable to assume that 1Password data as stored on the desktop and cloud is more likely to be acquired.

    Yup. All we have to do is look at Dropbox's foible with open authentication last year. Even with their new two-factor authentication, there's no guarantee that such a "fail open" scenario couldn't ever recur, since its entire authentication system is programmatic rather than cryptographic -- if the code decides it doesn't need a password to get in, everything in your Dropbox is wide open.

    I really appreciate this discussion as the questions raised here are also the subject of some internal discussion as well. One additional disadvantage with the current system is that there are multiple ways in to someone's data. Having two distinct passwords that will each, by themselves, unlock the data is something that we should try to avoid where possible. Every bit of complexity while we are handling keys (such as during the translation process) provides scope for error.

    My vote, for whatever small part it's worth, is that 1Password continues to offer a PIN option, allowing users to decide what level of security they're comfortable with on their mobile devices. I do agree that, as we've discussed elsewhere, the two-tiered authentication is largely unnecessary, but I think this could effectively be replaced by offering users a choice of a PIN (or "simple passcode") or more complex alphanumeric passcode in much the same way that iOS itself does. Users who are extremely security conscious about their mobile device would then be free to choose the more secure password option.

    Getting back to the original topic, however, the one thing I'm still not clear on is whether the "main" Master Password that is stored on the iPhone is secondarily encrypted in any way using the 1Password app PIN? I get that it uses the Data Protection APIs by virtue of being in the keychain, and is therefore encrypted at the iOS level using the device passcode, but is there any additional encryption added by the 1Password app? It seems that it would make sense to do this as an additional layer of security, since I can't see any reason why the Master Password would ever need to be available "in the clear" unless the 1Password app was actually unlocked first.
  • jpgoldberg
    1Password Alumni

    Getting back to the original topic, however, the one thing I'm still not clear on is whether the "main" Master Password that is stored on the iPhone is secondarily encrypted in any way using the 1Password app PIN? I get that it uses the Data Protection APIs by virtue of being in the keychain, and is therefore encrypted at the iOS level using the device passcode, but is there any additional encryption added by the 1Password app?


    I'm hesitant to call it "encrypted", but it is heavily obfuscated using various cryptographic tools. "Security through obscurity" is not really something to boast of, and all of the warnings about it apply. But we have added such obfuscation as an additional layer for exactly the reasons you suggest.

    Cheers,

    -j
  • jpgoldberg
    1Password Alumni
    edited August 2012
    rapidaux wrote:

    It's impossible for anyone other than the developers of 1Password to verify that this is indeed the case.

    That is true. But if this is a bug, we will say so and fix it.

    We've acknowledged and fixed security problems in the past, and doubtless we will have to in the future. It would be a particularly embarrassing bug if that is what it turns out to be.
    Partly because the "translation" you refer to is going on in the background and is not seen by the user,

    I've been struggling to design a test available to everyone to show what really (or what I think really) is going on. One possibility, in principle, is to use something like iExplorer to examine the contents of your phone's file system at a point where syncing or translations is "staged".

    and partly because How 1Password touch Syncs Securely states that all three passwords are required in order to sync with Dropbox:

    Once I am fully confident that I know what is going on, I will correct that document.

    Cheers,

    -j
  • sddawson
    Community Member
    Most thieves aren't stealing iPhones for identity theft purposes


    It's the "most" that worries me! Maybe stealing phones for identity theft will become a new industry (and they won't give you a chance to do a remote wipe). Anyway, I agree that much of this discussion is academic, but it's fun! I don't envy Agilebits trying to come up with something that pleases everybody. At least we've all had our 2c worth, and they clearly listen, unlike a lot of other software companies.
  • [Deleted User]
    Community Member
    The user and all related content has been deleted.
  • jhollington
    Community Member
    rapidaux wrote:

    I'm not prepared to make that assumption; the technology to brute-force an iPhone passcode is available today and given the value of the information we now store on smartphones its use is only going to become more widespread.

    Certainly that's a risk -- I said "most" not "all." Security is entirely about threat assessment and risk management. At this point in time, I do believe it's far more likely that a stolen iPhone will simply be recycled for the stolen hardware. Ergo, I'm perfectly comfortable making the assumption that if my iPhone were ever lost or stolen, chances are quite high that it will have been wiped before I can even locate or remote wipe it myself.

    However, I'm also not prepared to take any chances -- hence my comment above about changing all of my critical passwords if there's even the slightest chance they've been compromised. While I realize that not everybody would have the convenience of doing so in a timely manner, I'm quite confident that I would have sufficient Internet access available in all of the places I normally go. Further, while the brute-force technology is available, it's far from instantaneous, making it even more likely that my critical, high-security passwords could easily be changed before any of that data would be exposed.

    I also trust all of my important passwords to my own memory -- things like my Dropbox password and even my two-factor authentication recovery code. In fact, my Dropbox, Google and primary online banking passwords aren't even stored in 1Password, as I have no need to store passwords that I can easily remember (although granted, I have a perhaps unique ability to remember long and complex random strings of characters). Further, since Google Authenticator is an unsecured app that runs on my iPhone, it just didn't seem to make sense to store both factors in the same place -- encrypted or not. (then again, by a similar token, my RSA SecurID and Yubikey are both on my keyring, so I guess I just need to hope that I never lose both my iPhone and my keys at the same time :) ).

    You would not be able to use remote wipe if the person who stole your iPhone immediately turned it off and only turned it on again in a place with no network reception. Remote wipe is not something I would depend on.

    Of course. In fact, all they would have to do is remove the SIM card. However, that kind of a "targeted" theft is only one of several possibilities. Losing the iPhone, or losing a piece of baggage or clothing that includes the iPhone, is just as likely -- if not more so. My wife forgot her purse in a coffee shop and I immediately remote-wiped her iPhone as soon as we realized it, even though we were only a couple of blocks away when she realized it. Easier to restore from a backup than to take the risk of waiting to do a remote wipe.

    I don't believe it is widely known among 1Password users that when Dropbox syncing is enabled the 1Password master password is nullified, only the device passcode protects the passwords stored in 1Password. Further, AgileBits is misleading their customers by assuring them their passwords are safe when they aren't (see my earlier posts).

    Perhaps because folks haven't really thought this through. It's always been pretty obvious to me that the data on the iOS side is only protected by the local passcodes on the device, since clearly the master password only needs to be entered for synchronization purposes. While most people may not be giving this as much thought as we do, I suspect those who aren't really considering it don't even necessarily care or understand what it is that the master password does even on the desktop. To many casual users, a password is simply a password and there's this "encryption thing" that's supposed to keep stuff secure.
  • sddawson
    Community Member
    Perhaps because folks haven't really thought this through. It's always been pretty obvious to me that the data on the iOS side is only protected by the local passcodes on the device, since clearly the master password only needs to be entered for synchronization purposes. While most people may not be giving this as much thought as we do, I suspect those who aren't really considering it don't even necessarily care or understand what it is that the master password does even on the desktop. To many casual users, a password is simply a password and there's this "encryption thing" that's supposed to keep stuff secure.


    Perhaps this sums up our differences of opinion. You are quite happy with the status quo because you understand how things work, and can live with the risks. I'm pretty happy with the way things work too, but would like to see them improved. But I am worried about the vast majority of 1P users who have absolutely no idea of the risks they are taking. I would bet that the vast majority don't even have an unlock passcode on their device, and trust that 1P is still secure because of the (probably weak) master passwords they have. But it's not their fault that they don't understand the risks. They don't follow RSS feeds or 1P on Twitter. I'd love to see Agilebits do some more expansive education in this area (and not just 1P related). I would urge them to produce a single, concise, easy to understand document that contains best practices for their users, and make sure it gets distributed to all their users, either via email or some other means. Maybe the document could be highlighted in 1P update notices or something like that.
  • jhollington
    Community Member
    sddawson wrote:
    I'd love to see Agilebits do some more expansive education in this area (and not just 1P related). I would urge them to produce a single, concise, easy to understand document that contains best practices for their users, and make sure it gets distributed to all their users, either via email or some other means. Maybe the document could be highlighted in 1P update notices or something like that.

    Actually, on this point we're both entirely in agreement -- users should be as informed as possible as to the risks they're dealing with, although at the same time I'd imagine that the vast majority of users have come from a world where they were using some really simple, weak password for everything in the first place, so arguably they're light years ahead of that even if they're not following any kind of best practices for using 1Password :)

    In all seriousness, though, I do agree completely that it would be great to see a set of best practices made available for 1Password users. However, I think my biggest point in this thread is that -- once properly informed -- users should be able to implement 1Password at whatever security level they're comfortable with. I am not in favour of complex technical solutions that try to force enhanced security upon end users. For instance, as I already said I would rather abandon 1Password entirely than have to key in a 30+ character Master Password on my iPhone each time I wanted to use the app. That's my own opinion, of course, and other users would either choose a much weaker master password (which is a more serious risk, IMHO), or be content to type in long, complex passwords on their iPhone keyboard.

    The technical answer to this needs to be somewhere in the middle, and I would vote simply to have 1Password handle the PIN/password system the same way iOS itself does -- setting a four-character numeric password brings up the numeric keypad for easy entry while any longer passwords (or even four-character alphanumeric passwords) would bring up the standard text entry keyboard. Obviously this assumes that Agile is going to move forward with consolidating the low/high security password system that currently exists in 1Password, which they've said elsewhere is coming at some point in the future.

    Obviously any issues around storing the "main" master password when it doesn't need to be should also be addressed, but I'm assuming that's already a given and therefore not a point that's under debate as far as I'm concerned.
  • sddawson
    Community Member
    Summed up well. I guess I can live with having a separate device master password - after all, I can always make that the same as the desktop one if I like. Plus, have the option to be prompted to sync and being able to enter passwords manually, rather than having them stored at all. Not sure about the PIN issue. I believe the main reason to have that is easy access to low security 1P entries, but it's also handy to have 1P always ask for the PIN when you switch to it, but have the device master password on a longer timeout, like a minute, so you can quickly switch backwards and forwards between 1P and another app. I hope Agilebits runs their thoughts past us when the time comes.
  • sddawson
    Community Member
    For Jeff - where did we go with this issue? Was it ever decided that there was a bug in how 1P remembered the master password? I'm hopeful that V4 will address this issue once and for all though.
  • [Deleted User]
    Community Member
    The user and all related content has been deleted.
  • jpgoldberg
    1Password Alumni
    We never (well, hardly ever) talk about the details of products until they are delivered. But I do think that contributors to this discussion will be pleased by what they find in 1Password 4 in iOS.

    Cryptically yours,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com
  • sddawson
    Community Member
    It certainly looks like V4's password handling will fix this issue. But we are still curious as to whether V3 has a security exposure with regard to the storage of a master password even though the user requested that it not be stored. I think you said, Jeff, that you would be checking with the developers and would let us know whether there was a bug there.