Secret key, amount of entropy and future

oschif
Community Member

Hello,
I have read that the Secret Key has 128 bits of entropy.

Wouldn't it be a good idea to increase the entropy to 256 bits or more to future-proof the security of our vaults?

Let's say 1Password gets breached this year. Our vaults are in the open forever from now on. So what about 20 years in the future? Will 128 bits of entropy still be enough and impossible to crack? How much entropy do we need to be safe for our lifetimes considering technology improvements?

Thanks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • sol42
    Community Member
    edited January 2023

    As someone whose (now former) LastPass vault is now in the open forever I will second this suggestion.

  • Hello @oschif and @sol42! 👋

    Thank you for the feedback! 1Password uses 256-bit AES encryption to protect your data: About the 1Password security model

    The Secret Key itself is a 34 character string with 128 bits of entropy. However, it's combined with your account password to create the private key that encrypts and protects your data. The resulting combination will have an entropy that combines the entropy of both the Secret Key and the account password. You can increase this combined entropy by making sure that you use a good and secure account password.

    You can read more about the Secret Key here: Secret Key - What Is It And How Does It Protect Users?

    Let me know if you have any questions. 🙂

    -Dave

  • oschif
    Community Member

    @Dave_1P
    Well, to be honest, I expected some kind of reasoning for why you consider the current security safe enough for the next 20+ years.
    I see that in the case of increasing the number of iterations you explain that it would increase the time of vault decryption and that you are researching methods of increasing security.
    https://1password.community/discussion/comment/673384/#Comment_673384

    But I don't see that you would consider a longer Secret Key, so that's why I asked about it.

  • Dave_1P
    edited January 2023

    @oschif

    The Secret Key for your 1Password account, generated to have 128 bits of entropy, is already designed to protect your data against even the most cutting edge of GPU-accelerated cracking tools; brute-forcing the Secret Key is infeasible. Using classical computers, brute-forcing a 128-bit value is essentially impossible. Some upper-end estimates put the time required to brute-force such a key at longer than the time the earth has remaining.

    Now, theoretical quantum computers add some complications to this, but the story is still largely the same: barring some giant breakthrough in physics that fundamentally changes what quantum computers are capable of, it's unlikely that quantum computers will be capable of performing an attack on a 128-bit Secret Key in any meaningful time period. I spoke to our security team about this and they said that: "Based on the most recent research, there’s no indication that increasing entropy of the secret key would provide any material benefit."

    So to circle back to your original question:

    So what about 20 years in the future? Will 128 bits of entropy still be enough and impossible to crack? How much entropy do we need to be safe for our lifetimes considering technology improvements?

    The Secret Key's 128 bits of entropy, combined with the ~40-50 bits of entropy from a good account password, are more than enough to protect your data for your lifetime.

    -Dave
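    Dave's two points above, that the account password and the Secret Key both feed the vault key and that the entropies of independent secrets add, as an added Python illustration that is not part of the thread. This is a toy two-secret derivation, not 1Password's actual scheme or Secret Key format; the PBKDF2 parameters, the salt, the "secret-key-expansion" label, the 40-bit password estimate and the 10^12 guesses-per-second rate are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import base64

# Constructed parameters for this illustration only; not 1Password's real scheme.
PBKDF2_ITERATIONS = 100_000   # hypothetical work factor applied to the password
KEY_LEN = 32                  # 256-bit key, matching the AES-256 mentioned above
SECONDS_PER_YEAR = 365.25 * 86400


def generate_secret_key() -> str:
    """Make a random 128-bit Secret Key (constructed base32 format, not the real one)."""
    return base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=")


def derive_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Toy two-secret key derivation: both inputs are needed to recover the key."""
    # Stretch the low-entropy account password; this is the part an attacker can guess.
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)
    # Expand the high-entropy Secret Key; stretching adds nothing against 128 bits.
    sk_part = hmac.new(secret_key.encode(), b"secret-key-expansion",
                       hashlib.sha256).digest()
    # XOR the two halves: a wrong password OR a wrong Secret Key yields an unrelated key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def attacker_search_bits(password_bits: float, secret_key_bits: float,
                         secret_key_known: bool) -> float:
    """Search space left to an attacker; entropies of independent secrets add."""
    return password_bits if secret_key_known else password_bits + secret_key_bits


def expected_years(search_bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace at the given rate."""
    return 2 ** (search_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = b"constructed-account-salt"
    sk = generate_secret_key()
    k1 = derive_key("correct horse battery staple", sk, salt)
    k2 = derive_key("correct horse battery staple", generate_secret_key(), salt)
    print("keys differ with a different Secret Key:", k1 != k2)
    # Encrypted vault stolen from the server: attacker must guess password AND Secret Key.
    print("server-only breach, 40-bit password:",
          f"{expected_years(attacker_search_bits(40, 128, False), 1e12):.2e} years")
    # Vault plus Secret Key taken from a device: only the password still protects it.
    print("Secret Key also leaked, 40-bit password:",
          f"{expected_years(attacker_search_bits(40, 128, True), 1e12):.2e} years")
```

    The second scenario is why the replies stress a strong account password: the Secret Key only adds its 128 bits when the attacker does not already hold it.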

  • Ben
    edited January 2023

    I would quickly add: technology is an ever-changing landscape. We continue to monitor the threats that are out there and adjust accordingly. We've built our service based on the dangers and constraints that exist today (and what we anticipate existing tomorrow), but if the landscape shifts, we can & will as well.

    There isn't a knee-jerk reaction for us to change our security based on what happened at LastPass. We had already anticipated the possibility of what happened there happening to us and built accordingly. We have protections in place against that sort of threat. That isn't to say that there may not be incremental improvements in the short term, but there isn't a mad rush to make significant changes because we're already protected.

    This article provides a deep-dive on the subject:

    Not in a million years: It can take far less to crack a LastPass password

    Ben

  • oschif
    Community Member
    edited January 2023

    Thank you very much for answering.
    I understand now that your security model is secure enough for the foreseeable future and there is no immediate need for making radical changes.
    It helped me to feel safe using 1Password.

  • You're most welcome, @oschif. 😃 If we can be of further assistance, please don't hesitate to contact us.

    Ben

  • Brrry
    Community Member

    I would quickly add: technology is an ever-changing landscape. We continue to monitor the threats that are out there and adjust accordingly. We've built our service based on the dangers and constraints that exist today (and what we anticipate existing tomorrow), but if the landscape shifts, we can & will as well.

    Just a reminder to the 1Password team: clients don't only store passwords in their vault that can easily be changed. Upgrading the system won't change the information that may have already been obtained by someone else. This is why many people are questioning, "Aren't password managers like putting all your eggs in one basket?" or prefer to use a password manager that saves their data locally.

  • Brrry
    Community Member
    edited January 2023

    Yes, 1Password is not and has never been a static product. But what if someone got our vault today? Yes, we already changed our passwords by then, but what about personal info that we cannot change?

  • @Brrry

    Although we have excellent security systems to prevent a breach, 1Password is designed to still protect your data even if the encrypted vaults were to be obtained by an attacker. The difference between the services whose data breaches you may have read about in the news and 1Password is the end-to-end encryption that 1Password uses. Other services either store their information in the cloud unencrypted or encrypted using a key that they control. With 1Password all of your information is stored encrypted using your own private keys that are derived from two secrets that only you know: your 1Password account password and your Secret Key.

    This means that no one but you can decrypt your information. Even if 1Password were hacked, the hackers would only find encrypted gibberish that means nothing without your 1Password account password and Secret Key.

    The Secret Key is a big factor that differentiates 1Password from other services and makes the decryption of vaults virtually impossible. You can read more about this protection here: Secret Key - What Is It And How Does It Protect Users?

    I hope that helps! 🙂

    -Dave

This discussion has been closed.