Toward better Master Passwords

SECURITY

Jeffrey Goldberg by Jeffrey Goldberg

1Password is great for generating strong, random passwords for sites without you ever having to memorize (or even see) those passwords. But there are a few passwords that we all do need to remember. I have a small number of high security passwords — I wish I could say just one – that I need to remember. One, of course, is my 1Password Master Password.

Your Master Password is extremely important. Although we take steps to thwart automated password crackers, you should still use a strong, memorable Master Password. Password cracking tools are becoming more powerful every year, and too much is at stake in your 1Password data. Given the strength of the encryption we use, your Master Password is likely to be the weakest link in your 1Password security. Don’t be too scared of that. Given how strong everything else is, it would be practically impossible to use and remember a Master Password that is actually stronger than the encryption in 1Password.

Some things we’ll be highlighting in this article:

  • We aren’t seeking perfection. Instead we need to find ways to improve Master Passwords if they aren’t currently very strong.
  • Many of the schemes that people (including myself) have proposed in the past suffer from a major flaw.
  • No matter what you read here, always keep in mind that a Master Password that you can’t type or remember is terrible choice of Master Password.

Change a weak Master Password, otherwise leave it be

We’ve all been told to change passwords on a regular basis, and there are still some circumstances under which that remains reasonable advice. But it’s not a good idea to regularly change your Master Password. Ideally, you should pick a good Master Password at the outset and never change it.

For an idea of just how insecure a weak or bad password can really be, take a moment to watch this video with John Oliver and Edward Snowden talking about password security.


Passwords in need of changing

Everybody knows to avoid short, common passwords or dictionary words of any language. The world’s most common password, 123456, is, of course, terrible. But even things like Sally4th or like Molly&Patty2 (which are the names of my dogs) are not really strong enough for something as important as your 1Password data. The latter is just of the form NAME & NAME DIGITS which password guessing programs will eventually get around to checking.

If your password is weak or falls into one of the common password pitfalls, it’s time to change it to something more secure. Learn how to change your Master Password.

After you change your Master Password

It’s extremely important that you memorize your new Master Password, and the best way to do that is through practice.

In order to practice your Master Password, you can change the adjust how long 1Password stays unlocked. If you set a short time of just 5 or 10 minutes, you’ll have to enter your Master Password more frequently, but that will help you learn it.

After a few days when you feel more confident in typing it quickly, you can then adjust your auto-lock settings to something less annoying.

Also – and this may sound like heresy even though it is sound security advice – when you change your Master Password, you can write it down on a slip of paper and put it in your wallet. After you no longer need to refer to it, you can destroy the piece of paper.

A walkthrough of a password creation system

The challenge that we face is to have Master Passwords that are not going to be guessed by password cracking programs, yet ones that we mere mortals are capable of remembering and typing without it being a burden.

What makes this a particular challenge is the fact that the bad guys know at least as much about how people pick passwords as we do. They are not only reading the same password picking advice that gets posted in places like this, but they have studied millions of stolen passwords.

Here is an important principle that we need to keep in mind:

The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

Don’t worry if this principle doesn’t make sense yet, you’ll have a better understanding after I walk through an example.

I have two dogs: Molly and Patty. Let’s say I wanted to make a Master Password from that and came up with Ihave2dogs:Molly&Patty. It looks good at first because it is long, has mixed case, and has punctuation. But with that as an example, I’ll work through why it isn’t as good as it might first appear.

Use spaces to make things easier for you

Your Master Password can include spaces between words. So you can make things easier to type and remember by using spaces, even though it adds little to the actual security. Our first improvement to my password will be to change this to I have 2 dogs: Molly & Patty.

Don’t tell the truth

If your Master Password is to be based on something meaningful, remember that there are more ways to lie than to tell the truth. There are more ways for me to lie about my pets than tell the truth, and so I should use a lie to create my password. So let’s try, I have 3 bats: Larry, Moe & Curly.

Don’t make sense

There are more ways for a sentence to not make sense than to make sense. So let’s change my three bats to thirty-five bats, but still list three: I have 35 bats: Larry, Moe & Curly.

Avoid predictable phrases

For those of us of a certain age and steeped in American culture, once we begin a list of names with “Larry…” following it with “Moe and Curly” is very predictable. So even though the Moe & Curly adds 11 characters to the password, those 11 characters are so predictable that they add very little actual strength. Even though it is shorter, using I have 35 bats: Larry & Amy is actually stronger than I have 35 bats: Larry, Moe & Curly.

Along the same lines, the “e” after “I hav” isn’t doing much good either. Because it is easily guessable from the rest of the password it isn’t actually adding much strength. There is nothing wrong with that “e”, but I’m mentioning it to help illustrate the point that the number of ways things can be different is often more important than length itself.

Avoid secrets or things that are personally meaningful

The more personally meaningful something is to you the fewer alternatives there are. There are more things that don’t have personal meaning to you than do.

In particular avoid personal secrets. Twice in my life, when I’ve been asked to find weak passwords where I worked, I had the embarrassing task of telling my friends and colleagues to change passwords that also revealed their secret crushes. Also, there may be a time when you actually do need to reveal your Master Password to a loved one. When I spot passwords like IloveUVicky along with the owner’s email address among 26,000 email addresses and passwords exposed from a pornography site, I certainly hope that this won’t cause too much trouble for the owner.

Obvious punctuation is obvious

Capitalizing the beginnings of words or changing “for” to “4” really doesn’t add much security. Remember, if you can think to do this, the people who write password cracking systems have already done the same. Unfortunately adding punctuation in truly random manner makes the password too hard to remember. Certainly add the obvious punctuation, but recognize that it doesn’t strengthen your password as much as it might appear.

What we’ve learned

At every stage in working though this example, we made some real improvements. Remember that we’re not trying to reach perfection here. We’re looking instead to create better Master Passwords that remain usable. Don’t create trouble for yourself by picking a Master Password that’s too difficult to type or too hard to remember.

But we’ve also learned that human behavior really isn’t very random. The schemes we come up with can be coded into password cracking systems. A good Master Password isn’t just limited by what a human can remember, but it’s also limited by what a human can create. We can get digits and punctuation into passwords easily enough, but our selection methods involve a lot of predictability. Human behavior is more predictable than we like to imagine. That predictability can be exploited in password guessing programs.

Roll the dice to avoid predictability

If people are so predictable, how can we create memorable passwords that aren’t predictable? It turns out that Arnold Reinhold published a solution to this back in 1995 to help people create strong and memorable pass phrases for PGP. It’s called Diceware.

Because words have meaning, we can remember a sequence of words even if it doesn’t create a meaningful statement. And because there are many more words than there are individual characters, selecting a random sequence of five or so words provides a hard to crack password.

Reinhold produced a list of 7776 short words or sequences (that is 65 for people who care about such things). A word can be selected from the list by rolling five dice (or rolling one die five times). Here’s a small excerpt from the English Diceware Word List:

35443 knew
35444 knick
35445 knife
35446 knit
35451 knob
35452 knock

If you roll your dice and get the sequence 3 – 5 – 4 – 5 – 1, then your Diceword would be “knob”. Another five rolls of the dice will get your next word. If you rolled 3 – 2 – 6 – 5 – 6 then your next word would be “hike”.

The great thing about Diceware is that we know exactly how secure it is even assuming that the attacker knows the system used. The security comes from the genuine randomness of rolling the dice. Using four or five words for your Master Password should be sufficient against the plausible attacks over the next few years given the current observed speed of password crackers.

For those who really want to use this system and get the most security out of it, you should combine Diceware with your own private system. Create a short random password, including digits and symbols and use that in place of one of the Dicewords in your final password. So going back to my dogs, Molly and Patty, I might create a weak password like 2dM&P, and suppose my rolls of the dice gets me cleft cam synod lacy, I could then create a Master Password like cleft 2dM&P cam synod lacy, which would be a very good Master Password. With repetition, it’s something that you can learn to type quickly.

What’s a Secret Key?

Your Secret Key keeps your 1Password account safe by giving you an additional level of security on top of your Master Password. Your Secret Key is an auto-generated combination of 34 letters and numbers which are separated by dashes. This key is stored on all devices you’ve used to sign in to your account as well as in the Emergency Kit you downloaded when you signed up. Your Secret Key is designed to work in tandem with your Master Password, which only you know, in order to fully to encrypt your data and keep it safe.

As I mentioned earlier in this article, it’s practically impossible to use and remember a Master Password that is stronger than the encryption in 1Password. This is where your Secret Key comes in. It doesn’t need to be memorized, so it can be much stronger. The Secret Key that is generated by the system has 128 bits of entropy, which makes it nearly impossible to guess no matter how much money or computing power an attacker may have at their disposal.

No one has access to your 1Password data without your Secret Key, even if they manage to crack your Master Password. However, since no one has access to this key, even us, if you lose it you can lose access to your 1Password account. Keep it secret, but keep it safe.

In conclusion

I would like to remind you of some crucial points I made near the top:

  • We’re working toward better passwords, not perfect ones. You should take only as much advice from this as you are comfortable with and no more. Remembering and typing in your Master Password should not become a chore.
  • If you do change your Master Password, practice with it regularly so that you don’t forget it. Don’t be afraid to write it down on a piece of paper for a while if you keep it in a safe place.
  • The kind of Master Password that you need will depend on who may try to break it. Even though a typical criminal may have access to sophisticated cracking tools, it is unlikely that they will dedicate hours – much less days, weeks, years, or decades – to your particular data.
  • Don’t lose your Secret Key. We can’t recover it, so if you lose it you can lose access to your entire 1Password account.

Jeffrey Goldberg

Defender Against the Dark Arts

Jeffrey Goldberg - Defender Against the Dark Arts Jeffrey Goldberg - Defender Against the Dark Arts

Join in the conversation on Twitter

Continue Reading