Toward Better Master Passwords

1Password is great for generating strong random passwords for sites without you ever having to memorize (or even see) those passwords. But there are a few passwords that we all do need to remember. I have a small number (I wish I could say just one) of high security passwords that I need to remember. One, of course, is my 1Password master password.

Your 1Password master password is extremely important. Although we take steps to thwart automated password crackers you should still use a strong, memorable master password. Password cracking tools are becoming more powerful every year, and too much is at stake in your 1Password data. Given the strength of the encryption we use, your master password is likely to be the weakest link in your 1Password security. Don’t be too scared of that. Given how strong everything else is, it would be practically impossible to use and remember a master password that is actually stronger than 1Password’s encryption.

This is going to be a very long blog post, so I’d like to start out with a few points to keep in mind:

  1. We are not seeking perfection. Instead we need to find ways to improve master passwords if they aren’t currently very strong.
  2. Many of the schemes that people (including myself) have proposed in the past suffer from a major flaw.
  3. No matter what you read here, always keep in mind that a master password that you can’t type or remember is terrible choice of master password.
  4. This discussion applies only to 1Password data on the desktops or stored in the cloud. Master passwords for 1Password on iOS do not need to be as strong as master passwords on the desktops. [Update: Since 1Password 4 for iOS was introduced in December 2012, the same Master Password is used on all of your devices.]

Change a weak master password, otherwise leave it be


We’ve all been told to change passwords on a regular basis, and there are still some circumstances under which that remains reasonable advice. But it is not a good idea with 1Password master passwords. Ideally you should pick a good master password at the outset and never change it.

Passwords in need of changing

Everybody knows to avoid short, common passwords or dictionary words (in any language). The world’s most common password, 123456, is, of course, terrible. But even things like Sally4th or like Molly&Patty2 (the names of my dogs) are not really strong enough for something as important as your 1Password data. The latter is just of the form NAME & NAME DIGITS which password guessing programs do get around to checking.

You can change your master password in 1Password by going to Preferences > Security and clicking on the “Change Master Password” button.

After you change your master password

It is extremely important that you learn your new master password, and you learn it through practice.
Go to the Security preference pane again, turn “Auto-Lock” on, and set it to a short time, maybe just 5 or 10 minutes. This will mean that you will have to type in your master password more frequently, but that will help you learn it. After a few days, you can then set the Auto-Lock time back to something less annoying.

Also – and this may sound like heresy even though it is sound security advice – when you change your master password, you can write it down on a slip of paper and put it in your wallet. Once you no longer need to refer to it, you can destroy the piece of paper.

A walk through of a password creation system

The challenge that we face is to have master passwords that are not going to be guessed by password cracking programs, yet that we mere mortals are capable of remembering and typing without it being a burden.

What makes this a particular challenge is the fact that the bad guys know at least as much about how people pick passwords as we do. They are not only reading the same password picking advice that gets posted in places like this, but they have studied millions of stolen passwords.

Here is an important principle that we need to keep in mind:

The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

Don’t worry if this principle doesn’t make sense yet. It should start to after I walk through an example.

I have two dogs: Molly and Patty. Suppose I wanted to make a master password from that and came up with Ihave2dogs:Molly&Patty. With that as an example, I’ll work through why that isn’t as good as it might first appear. (It looks good at first because it is long, has mixed case, and has punctuation.)

Use spaces to make things easier for you

1Password master passwords can include spaces. So you can make things easier to type and remember by using spaces (even though it adds little to the actual security). So our first improvement will be to change this to I have 2 dogs: Molly & Patty

Don’t tell the truth

If your master password is to be based on something meaningful, remember that there are more ways to lie than to tell the truth. There are more ways for me to lie about my pets than tell the truth, and so I should use a lie. So let’s try, I have 3 bats: Larry, Moe & Curly.

Don’t make sense

There are more ways for a sentence to not make sense than to make sense. So let’s change my three bats to thirty-five bats, but still list three: I have 35 bats: Larry, Moe & Curly

Avoid predictable phrases

For those of us of a certain age and steeped in American culture, once we begin a list of names with “Larry…” following it with “Moe and Curly” is very predictable. So even though the Moe & Curly add 11 characters to the password, those 11 characters are so predictable that they add very little actual strength. Even though it is shorter, using I have 35 bats: Larry & Amy is actually stronger than I have 35 bats: Larry, Moe & Curly.

Along the same lines, the “e” after “I hav” isn’t doing much good either. Because it is easily guessable from the rest of the password it isn’t actually adding much strength. There is nothing wrong with that “e”, but I’m mentioning it to help illustrate the point that the number of ways things can be different is often more important than length itself.

Avoid secrets or things that are personally meaningful

The more personally meaningful something is to you the fewer alternatives there are. There are more things that don’t have personal meaning to you than do.

In particular, avoid personal secrets. Twice in my life when I’ve been asked to find weak passwords where I worked, I had the embarrassing task of telling my friends and colleagues to change passwords that also revealed their secret crushes. Also, there may be a time when you actually do need to reveal your master password to a loved one. When I spot passwords like IloveUVicky along with the owner’s email address among 26000 email addresses and passwords exposed from a pornography site, I certainly hope that this won’t cause too much trouble for the owner.

Obvious punctuation is obvious

Capitalizing the beginnings of words or changing “for” to “4” really doesn’t add much security. Remember, if you can think to do this, the people who write password cracking systems have already done the same. Unfortunately, adding punctuation in a truly random manner makes the password too hard to remember. Certainly add the obvious punctuation, but recognize that it doesn’t strengthen your password as much as it might appear.

What we’ve learned from this example

At every stage in working through this example, we made some real improvements. Remember that we are not trying to reach perfection here; we are looking instead to create better master passwords that remain usable. Do not create trouble for yourself by picking a master password that is too difficult to type or too hard to remember.

But we have also learned that human behavior really isn’t very random. The schemes we come up with can be coded into password cracking systems. A good master password is not just limited by what a human can remember, but it is also limited by what a human can create. We can get digits and punctuation into passwords easily enough, but our selection methods involve a lot of predictability. Human behavior is more predictable than we like to imagine. That predictability can be exploited in password guessing programs.

Roll the dice to avoid predictability


If people are so predictable, how can we create memorable passwords that aren’t predictable? It turns out that Arnold Reinhold published a solution to this back in 1995 to help people create strong and memorable pass phrases for PGP. It’s called Diceware.

Because words have meaning, we can remember a sequence of words even if it doesn’t create a meaningful statement. And because there are many more words than there are individual characters, selecting a random sequence of five or so words provides a hard to crack password.

Reinhold produced a list of 7776 short words or sequences (that is 6^5, for people who care about such things). A word can be selected from the list by rolling five dice (or rolling one die 5 times). Here is a small excerpt from the English Diceware Word List.

  35443  knew
  35444  knick
  35445  knife
  35446  knit
  35451  knob
  35452  knock

If you roll your dice and get the sequence 3 – 5 – 4 – 5 – 1, then your Diceword would be “knob”. Another five rolls of the dice will get your next word. If you rolled 3 – 2 – 6 – 5 – 6 then your next word would be “hike”.

The great thing about Diceware is that we know exactly how secure it is even assuming that the attacker knows the system used. The security comes from the genuine randomness of rolling the dice.  Using four or five words should be sufficient against the plausible attacks over the next few years given observed speed of password crackers. [Updated October 2, 2013]

For those who really want to use this system and get the most security out of it, you should combine Diceware with your own private system. Create a short random password, including digits and symbols, and use that in place of one of the dicewords in your final password. So going back to my dogs, Molly and Patty, I might create a weak password like 2dM&P, and suppose my rolls of the dice get me cleft cam synod lacy, I could then create a master password like cleft 2dM&P cam synod lacy, which would be a very good master password. With repetition, it is something that you can learn to type quickly.
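The numbers behind the three ideas above (the principle that a scheme’s strength is the number of results it can produce, the fill-in-the-blanks weakness of the “I have 35 bats: Larry & Amy” style, and the Diceware arithmetic) are easy to check in a few lines. The following is an added example written for this edit, not code from the post or from 1Password. It assumes only the seven Diceware entries quoted in the post (a full deployment would load Reinhold’s 7776-line list), uses the 300,000 guesses-per-second figure mentioned in the related-articles note as the attacker speed, and the list sizes used for the pet-sentence template (99 numbers, 50 animals, 1000 names) are illustrative assumptions about what a cracker might model.

```python
"""Scheme entropy, template enumeration and Diceware lookup.

Added illustration of the post's principle: the strength of a password
scheme is log2 of the number of different results the scheme can produce,
not the length or character mix of any single result.
"""
import math
import secrets

# Constructed subset of Reinhold's Diceware list: the six entries quoted in
# the post plus 32656 -> "hike", which the post also names. The lookup logic
# is unchanged for the full 7776-entry list.
DICEWARE_EXCERPT = {
    "35443": "knew", "35444": "knick", "35445": "knife", "35446": "knit",
    "35451": "knob", "35452": "knock", "32656": "hike",
}
DICEWARE_LIST_SIZE = 6 ** 5          # 7776 words, one per five-dice roll
GUESSES_PER_SECOND = 300_000         # hashcat vs. 1Password 3 data (see post)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scheme_entropy_bits(num_outcomes: int) -> float:
    """Entropy of a scheme whose outcomes are equally likely: log2(#outcomes)."""
    return math.log2(num_outcomes)


def naive_charset_bits(password: str) -> float:
    """What a length-and-character-class meter reports: len * log2(charset).

    This assumes every character was chosen uniformly, which is exactly the
    assumption the post warns is false for human-made passwords.
    """
    classes = (
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),   # printable ASCII symbols + space
    )
    charset = sum(size for present, size in classes if present)
    return len(password) * math.log2(charset)


def template_outcomes(*slot_sizes: int) -> int:
    """Number of passwords a fill-in-the-blanks template can produce when each
    blank is filled independently from a list of the given size."""
    return math.prod(slot_sizes)


def years_to_exhaust(num_outcomes: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: years to try every outcome of the scheme."""
    return num_outcomes / guesses_per_second / SECONDS_PER_YEAR


def diceware_keys(num_words: int) -> list[str]:
    """num_words keys such as '35451', each from five CSPRNG dice rolls.
    Physical dice are what Reinhold recommends; secrets.randbelow is the
    software equivalent, and random.random() would not be acceptable."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(num_words)]


def diceware_word(rolls: str, wordlist: dict[str, str] = DICEWARE_EXCERPT) -> str:
    """Look up the word for one five-dice roll; rejects malformed keys."""
    if len(rolls) != 5 or any(ch not in "123456" for ch in rolls):
        raise ValueError("a Diceware key is exactly five digits, each 1..6")
    return wordlist[rolls]


def comparison() -> dict[str, float]:
    """The post's examples, measured both ways (meter view vs. scheme view)."""
    pet_sentence = "I have 35 bats: Larry & Amy"
    pet_scheme = template_outcomes(99, 50, 1000, 1000)   # number, animal, two names (assumed lists)
    return {
        "pet_meter_bits": naive_charset_bits(pet_sentence),
        "pet_scheme_bits": scheme_entropy_bits(pet_scheme),
        "pet_scheme_hours": years_to_exhaust(pet_scheme) * SECONDS_PER_YEAR / 3600,
        "coin_flip_bits": scheme_entropy_bits(2),         # two fixed 21-char strings
        "diceware4_bits": scheme_entropy_bits(DICEWARE_LIST_SIZE ** 4),
        "diceware4_years": years_to_exhaust(DICEWARE_LIST_SIZE ** 4),
        "diceware5_bits": scheme_entropy_bits(DICEWARE_LIST_SIZE ** 5),
        "diceware5_years": years_to_exhaust(DICEWARE_LIST_SIZE ** 5),
    }


if __name__ == "__main__":
    for key, value in comparison().items():
        print(f"{key:>18}: {value:,.1f}")
    print("35451 ->", diceware_word("35451"), "| 32656 ->", diceware_word("32656"))
    print("fresh keys:", diceware_keys(5))
```

The meter view gives the pet sentence well over 170 bits, while the template it came from (under the assumed list sizes) yields about 32 bits, a few hours of work at the quoted speed; the coin-flip scheme from the comment thread scores 1 bit however long its two strings are. Four Diceware words give roughly 64.6 bits for five words and 51.7 for four, which is centuries even at 300,000 guesses per second, and that figure holds even though the attacker knows the list and the method, which is the Kerckhoffs-style property the post is after.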

In Conclusion

I would like to remind you of some crucial points I made near the top:

  • We are working toward better passwords, not perfect ones. You should take only as much advice from this as you are comfortable with and no more. Remembering and typing in your master password should not become a chore.
  • If you do change your master password, practice with it regularly so that you don’t forget it. Don’t be afraid to write it down on a piece of paper for a while if you keep it in a safe place.
  • The kinds of master passwords that you need depend on who may try to break it. Even though a typical criminal may have access to sophisticated cracking tools, it is unlikely that they will dedicate hours – much less days, weeks, years or decades – to your particular data.

Related (later) articles

  • This article was followed up by a geek edition which discussed an XKCD comic and some of the mathematical concepts behind this.
  • Once the password cracking tool, John the Ripper, was adapted for taking a shot at 1Password Master Passwords, we looked at how well 1Password with these sorts of Master Passwords holds up
  • In April 2013, hashcat achieved remarkable speeds (300,000 guesses per second) against the 1Password 3 data format, suggesting that a password of 4 or 5 diceware words should be used with 1Password 3.
24 replies
  1. Richard Theriault
    Richard Theriault says:

    Jeff, this is yet another reason why Agile rocks! I’ve saved this post as a PDF so it won’t get lost in the spate of email — and so that I’ll actually READ and USE it.

    You guys are great! Perfect, no; super, yes.
    Thanks — Dick

  2. neonomad
    neonomad says:

    A well written and useful post.

    One thing you didn’t address is the usefulness of 1Password’s own password generator, either for creating or assessing the strength of master passwords.

    BTW, my master password is a [SNIPPED] 1P rates it as excellent, but what if crackers have access to dictionaries that 1P doesn’t?

    • Jeff
      Jeff says:

      Great questions. 1Password’s password generator is terrific for creating passwords that you don’t have to remember. You can experiment with the pronounceable generator to see if you can get something in the excellent range that you can remember, but I think that may be a struggle. Still, everyone’s memory is different, so see if that works for you.

      All password “strength” meters (including our own) suffer from the fact that they assume that if a password has digits and symbols in it that it is a random sequence of letters, digits and symbols. But password cracking tools know better. So our password strength meter is good for randomly generated passwords, but can be poor with respect to human generated ones (though it does check for common English words).

      Password cracking tools do use dictionaries from a number of languages, including Klingon (something that geeks like to use for passwords).

      I’m sorry to say this but your password was probably just fine until you posted what you did. But now that you have told the world what your scheme is, someone who knows a bit about you can fine tune a password cracking tool using the information you posted. That

      But don’t fret too much. Even that pessimistic statement needs to be modified by considering who would be trying to attack your data. If your 1Password data were to fall into the hands of bad guys, would they be willing to research you in particular? If not, then your disclosure isn’t so serious. But if you would be specifically targeted, then you have said too much.

      Cheers,

      -j

      • neonomad
        neonomad says:

        “I’m sorry to say this but your password was probably just fine until you posted what you did.”

        Good point… I tried to be subtle, but looking more closely, I can see the holes I left.

        Under the circumstances, would you please delete my post?

        Thanks!

        • Jeff
          Jeff says:

          I’ve edited your post to omit the bits that described your scheme in too much detail. If you would prefer to have the whole thing removed, I can do that too.

          Cheers,

          -j

  3. Chris
    Chris says:

    Master passwords for 1Password on iOS do not need to be as strong as master passwords on the desktops.

    Why is this if the iOS password protects the same data as on desktops?

    • Jeff
      Jeff says:

      Great question, Chris!

      Any password cracker that goes against your data on iOS has to actually run on the iPhone or iPad that the data is on. (Some of the details behind why this is the case are in an earlier blog post on iOS security.)

      But for your data stored in the cloud or on the desktops, if an attacker gets a hold of it, they can run the attack on the hardware of their choice, which can include parallel processors.

      So that is the essential difference.

      I hope that helps.

      Cheers,

      -j

    • Jeff
      Jeff says:

      Hi Bill.

      I’m really glad you pointed this out as it gives me the opportunity to respond. My post is, to a certain extent, a criticism of Haystack-like recommendations.

      The Haystack scheme makes two substantial errors. It fails to recognize that password cracking systems can be easily modified to take it into account. Password cracking systems are easy to customize for different “rules sets” and dictionaries.

      It also fails to follow through on their own (very good) metaphor of a “haystack”.
      The size of the haystack is not all of the ways to get something 20 characters long with letters, digits, and symbols. But the size of the haystack is how many different passwords the haystack system can come up with.

      Suppose that we had a stupid scheme in which you flipped a coin. If it came up heads you used the password l&JXcpakQM8jOjYhb2y"N and if it came up tails you would use the password .mVqm|Yv7NMfipFHqK6fg. Each of those passwords looks very strong, but because the system only gives you two possibilities it is a terrible system.

      Some people who I have a great deal of respect for have endorsed Haystack, but like so many people (including myself before I started studying what cryptographers have written on the matter) they haven’t fully taken the notion of the size of the “haystack” as being the number of things that their scheme can generate.

      Cheers,

      -j

      • Bill
        Bill says:

        I believe Steve’s main point is that an attacker gets no feedback whatsoever from a failed attempt. Therefore, the entropy of the password doesn’t matter very much unless the attacker has some means other than brute force (i.e., guessing). As long as the base password is reasonably strong in the sense of not being in the dictionary and not easily guessed, the non-random padding Steve recommends vastly increases the strength since without a means of guessing the padding system being used, the attacker is reduced to brute force without feedback and entropy isn’t that important.

        If everyone started using the same padding scheme, it is true that password crackers would adapt to it. But of course that’s not what Steve’s recommending. You have to come up with your own. The example you gave of a coin flip password doesn’t apply either, I think, unless, once again, the attacker knows what system you’re using. If he doesn’t, and he can’t easily guess it, he’s back to brute force and those are pretty good passwords. Even better if padded!

  4. Jeff
    Jeff says:

    Hi Bill,

    It is certainly possible that I’ve misunderstood the intent of the haystack scheme, but let’s contrast what I’ve recommended here. In both cases you have your own not particularly strong password and you add to it. In my case what you add is truly random (generated by rolling dice), while with haystack what you add is a repeated short pattern. A repeated short pattern is a poor source of entropy. Entropy is not a property of an individual password, but it is a property of the system which generated it.

    You are certainly correct that if haystack doesn’t become popular enough then it is unlikely that crackers would specifically design for it. But if we are going to advocate a system, it should be a system that still maintains strength even if widely adopted. Diceware + private scheme does maintain its strength. I don’t believe that that would be the case for haystack.

    The fact of the matter is that password cracking systems may try every possibility up to, say, 10 characters, but after that they guess based on the kinds of systems that people have used in the past. Password cracking programs are not naïve.

    There was a time when people would keep secret what encryption system they were using along with keeping the key secret. But over the past century people have come to accept Kerckhoffs’s Principle, which, paraphrased for this context, says that your system should remain secure even if the attacker knows it as well as you do.

    I’m fudging on this a bit, as I’m recommending that you do something private and then add that on top of Diceware.

    Putting things in terms of buzzwords, my overall post can be summarized as saying (1) Apply Kerckhoffs’s Principle to password generation schemes, and (2) understand that entropy is a property of the generation scheme (as my extreme example of the coin flip was intended to show).

    You are correct that because “close doesn’t count” in password cracking (except in the movies, where you see them progressively figure out more and more of the key) that the haystack scheme is stronger than it might initially appear, but its overall entropy is astronomically less than claimed on the site.

    Cheers,

    -j

  5. Andy Crouch
    Andy Crouch says:

    I’m wondering what you think about one of the most striking vulnerabilities for many of us: any attacker who has unfettered access to your computer can test every text string found on your hard drive as a password. Very, very few passwords used by people in the real world would survive this attack, and it’s actually probably a more likely case than the attacker having access to a master password written down on paper.

    My master password is quite easy for me to remember (and also for my wife, who will need it in the event of my demise), albeit partly because it does incorporate some personally meaningful information. But I don’t believe anyone short of the CIA, NSA, or Russian mafia will ever be able to reconstruct that information plus the way I’ve encoded it (using several of the techniques you mention)—and if they are ever trying to crack my 1Password file I figure I’ll have bigger things to worry about. More important to me is that it is nowhere to be found on my computer and the only place I ever type it is on 1Password’s unlock screen. So I’m pretty sure my 1Password file will never be hacked by guessing the password, and I trust you guys with the rest. :)

    • Jeff
      Jeff says:

      Hi Andy,

      I’m delighted to hear that you have a good master password.

      You are correct that some malware searches compromised computers for passwords. This is because far too many people manage their passwords by having a word processor or spreadsheet file in which they store their passwords. As far as I am concerned “far too many” means any number greater than 0. 1Password’s users won’t be doing that, but people do come up with their own password management schemes, and these are routinely attacked. This, by the way, is why 1Password has to work extra-hard filling some bank sites. Banks try to thwart anything that looks like “pasting” into the password field because they don’t want their customers to just store their passwords in a Word file.

      Cheers,

      -

  6. Lon Koenig
    Lon Koenig says:

    Most password tests are atomic. Even algorithms that try patterns like you’ve described as not very strong cannot break down individual words. I’m not a huge fan of haystacks, but the math is clear: even if the “needle” is trivial, using a large haystack makes the search space huge and infeasible for brute force attack.

    Your comments on choosing actual words are good though. That helps prevent engineered or human-powered attacks.

    • Jeff
      Jeff says:

      Hi Lon,

      You are absolutely correct that the password tests are atomic. The result of a guess is the same whether it is “close” or “far” from the correct password.

      The math is indeed clear that what matters is the size of the “haystack” someone is looking at. But where I disagree with much of the advice out there is how we calculate the size of that haystack. My point is that its size is based on the number of alternative results that a password generation scheme can produce. Human predictability limits most schemes.

      I’ve discussed this more in my discussion with Bill in these comments.

      Cheers,

      -j

  7. 205guy
    205guy says:

    I didn’t read the Haystack link, but I did just read about the Enigma machine (on Wikipedia, I admit), and “repeated short patterns” in the message is how it was cracked.

    More seriously, I don’t understand why password guessing is a problem. It assumes the black hats have a password file to decrypt, how else do they get millions of guesses? Certainly not on live systems, I’d hope.

    • Jeff
      Jeff says:

      Hi!

      For the serious part of your question, you are absolutely right that an attacker can only attempt to run a password cracking system on your data if they first manage to get a hold of your data. But that can happen if your computer is stolen or if a sync service becomes compromised. Keeping your encrypted data out of the hands of the bad guys is one layer of security, but it can’t be the only layer. We want to make sure that no-one can get at your secrets even if they do capture your data file.

      The repeated patterns for padding with the Haystack scheme are a very different problem than the repetitions that were used to break Enigma. There were several ways that repetition was used. One was that the “message settings” (what we would call a “session key” in today’s argot) were repeated at the beginning of a message. What is really cool about this is that a team of Polish mathematicians were able to use that to figure out which rotors and rotor sequences were used for the message. There is a common misconception that an Enigma machine needed to be captured to work out its design, but in fact the same group of mathematicians were able to work it out based on intercepted messages.

      I could go on about this. In the picture at the head of our blog page, I’m the person with the “Bletchley Park Enigma” t-shirt. Indeed, I was the first webmaster for the Bletchley Park museum, back in the 1990s.

  8. helloIamAldo
    helloIamAldo says:

    Hi Jeff,

    Great article, it’s made me reconsider my own password security behaviour. I do have a tip of my own: use different languages! Especially if you know some obscure languages (or piglatin) it’s another way you can make your password less predictable while still allowing you to remember it.

    • Jeff
      Jeff says:

      Hi,

      Do keep in mind that any language for which there is an online dictionary, so it matters what you mean by “obscure”. I know some Hungarian, but it is spoken by 15 million people and anyone who knows me knows that I have some knowledge of it, and everyone knows that geeks like using Klingon. (In my day it was Elvish.)

      But I have done something similar in the past. Before I used 1Password, I had a bunch of passwords that were based on a word from Dyiari which probably comes in fairly high on the obscurity list. I am not saying that everyone needs to go to such extremes.

      Cheers,

      -j

  9. Ben Truyman
    Ben Truyman says:

    I prefer one of LastPass’ solutions to all of this: two-factor authentication. I’ve got a pretty gnarly master password already — but pair that with a Yubikey, you’ve got yourself a fairly well locked down password vault.

    Not to say that doesn’t come with some inconveniences.

    • Jeff
      Jeff says:

      Hi Ben,

      You may wish to join the discussion of this particular question on our forums. I’m travelling with erratic Internet access, so my participation there will be erratic over the next week at best. The short answer is that we are open to the idea and have been exploring this issue, but can make no promises.

      One thing to keep in mind is that there is a difference with how 1Password manages your data. An attacker needs to get hold of both your 1Password master password and your 1Password data file in order to get at anything. So in some sense (vague) 1Password is using something like two factor authentication. I don’t want to oversell that distinction because as we move more toward having things stored in the cloud, the threat of capturing the encrypted master password increases.

      Cheers,

      -j

  10. Adel Antado
    Adel Antado says:

    Life is a balance. I don’t think a password should be much stronger than needed. My aunt Lucy who gardens and emails friends about her roses doesn’t even need a password. Who would want to hack her account? Bernie Madoff however would probably need as complicated and as break-proof an eternity of computer driven password-generated codes.

    • Jeff
      Jeff says:

      You are absolutely correct, Adel. Everyone needs to look realistically at the threats they do and don’t face and make their own decisions about appropriate security behavior.

      But your Aunt Lucy is not just protecting the contents of her email with her email password, but she needs to be concerned about people impersonating her if they get into her email. I’m not sure if you are familiar with the “I’ve been mugged while travelling” scam. The attacker gets into the user’s email account and then sends out email to all of the contacts about being mugged in some location. Ultimately they are trying to get someone to send money by Western Union.

      Still, I don’t mean to quibble about the particular case. Your overall point is correct. Each individual is going to need to make a judgment for themselves.

      Still, one should err on the side of caution when making a judgment about your needs and circumstances. Also look toward the future. Today Aunt Lucy may just be forwarding email about roses, but tomorrow she may be doing some online banking.

      Cheers,

      -j

Comments are closed.