Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I wonder what algorithm 1Password uses, and how it would fare, compared to the other options.


It encrypts all your passwords using AES with a 128 bit key derived from your master password (PBKDF2) [1].

This is very different to what the article is talking about, since it encrypts your passwords, but the article talks about hashing which is one-way.

[1] http://help.agilebits.com/1Password3/agile_keychain_design.h...


The problem with PBKDF2 however is that if you pick a weak password it's useless. It would be better if they included an option for a key as well like other password safes do.


"The problem with INSERT-SOMETHING however is that if you pick a weak password it's useless"

When is this not the case?


When you have a key as well.


> It would be better if they included an option for a key as well like other password safes do.

I would love to see research about the use of keys and passphrases. Especially, do people who have a key then chose a weaker master password?


If you are genuinely interested in testing your 1Password keychain, the Jumbo builds of JTR include support for the agilekeychain, and some branches (Magnum Jumbo for example) offer OpenCL support for even faster attacks.

I tried it against mine, and was significantly disappointed in how quickly even my laptop could attack it. I promptly increased the complexity of my master password.


What was it before (key length)? And what is it now?


It used to be random alphanumeric, eight characters. JTR tore through that. It's now ~15 random characters, not all ASCII.

Possibly worse, 1Password used to have a mistake in their key generation algorithm that means you could verify a password without the time-consuming key stretching, effectively making it thousands of times faster to crack. JTR doesn't use that method though.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: