Tap Magazine says 1Password Pro is “one of the Top 100 Apps everyone should install right now”

We don’t always wake up to an award on Friday.

But when we do, we’re glad the award is from Tap Magazine.

We were thrilled to hear this morning that Tap, the iPhone and iPad Magazine, has named 1Password Pro (our universal version for iPhone and iPad) as “one of the 100 apps that everyone with an iOS device should install right now.” I mean, we’ve kinda thought the same thing for a while now, but it’s always good to get a second opinion!

You can view our award listing at Tap Magazine’s site alongside some great company in our category, or pick up Tap’s new issue in stores or in their custom-built iPad and iPhone magazine app in, naturally, the App Store.

[Update: All is well again] PSA: Hold off for now on updating iPhone and iPad apps, including 1Password

[Update: Apple acknowledged and fixed the problem. You may once again resume your regularly scheduled updates and downloads.]

From rumblings in the community, it sounds like Apple’s App Store servers have a bug right now that causes newly installed apps or updates to irreversibly crash on startup, even if those apps worked perfectly before submitting to the store. The problem affects a wide number of apps from a whole bunch of developers, and Marco Arment has more details and a list of known affected apps.

We’re looking into the issue, and we assume Apple is too, though it has yet to comment on what’s going on. We’ve heard that Mac App Store updates are not affected, but you might as well be safe than sorry.

For now, it’s probably a good idea to hold off on installing updates for any apps, including ours. In the meantime, try going outside (if you aren’t in the middle of a nasty heat wave) or picking up a good book. We’ll let you know as soon as we hear more about what’s going on or when the problem is resolved.

Canada Day, Independence Day, and AgileBits 30 Percent Off Day! Erm… week!

AgileBits calls both Canada and the U.S. home (and other countries too!), so we have a couple of national celebrations coming up next week. But besides fireworks and traditional cuisine, we figured we could add something to the Canada Day and Independence Day festivities, so we’re having a sale!

Through July 8 (for you last-minute-ers, that’s 11:59pm two Sundays from now), all our products are 30 percent off! This goes for 1Password in the Mac App Store, 1Password Pro for iPhone and iPad, 1Password for WindowsKnox for Mac, and everything from our own web store.

Enjoy the festivities next week. But whether you’re celebrating a national holiday or not, enjoy 30 percent off of 1Password and Knox!

1Password for Mac and iOS on sale to celebrate WWDC 2012!

Today kicks off Apple’s World Wide Developer Conference in San Francisco, and some of the AgileBits team is out there to partake of Apple’s engineering knowledge and make sure the local bars are properly stocked. But we figured we should celebrate Apple’s event with you too, so for a limited time, 1Password for Mac and 1Password Pro for iOS are on sale!

“How much on sale,” you ask? “For how long,” you wonder? Well: they’re both 20 percent off through Saturday, June 16, so when it’s gone, it’s gone. But don’t forget: no matter when you buy (or bought) 1Password for Mac in the Mac App Store, you get a free upgrade to 1Password 4 for Mac when we release it!

In other words: 1Password for Mac is just $39.99 in the Mac App Store, and 1Password Pro (the universal one for iPhone and iPad), is just $11.99 in the App Store. But only until the 16th. Whether you’ve been waiting to pick up 1Password or you know someone who could really use a copy, this is the perfect way to get on board.

1Password 3.6.5 for iOS is out with PBKDF2 goodness!

1Password Pro icon1Password for iPhone, 1Password for iPad, and 1Password Pro (for both iPhone and iPad) have just been updated to version 3.6.5. All of the changes are behind the scenes, but they include a great security enhancement to how your Master Password is protected. Different versions may become available at different times in different locations, so if your free update isn’t ready for download just yet, try again in a little bit.

In addition to the security enhancements discussed below, there are a few bug fixes, more syncing in the background, and some images tailored for the Retina display in the new iPad. If you just want the cliffnotes, here we go:

★ Improved security. Now using 10,000 PBKDF2 iterations to protect the encryption key.
★ Dropbox authentication tokens are now stored in the system keychain.
★ Better support for iPad retina display.
★ Improved Login filling.
☂ Bug fixes.

But if you want to learn a little more about what we’re doing under the hood to protect your 1Password data, venture on.

10000 PBKDF2 iterations

Your Master Password on your device is now protected with 10,000 iterations of PBKDF2. What this means is that if an attacker were somehow to get hold of your encrypted 1Password data from your phone (not an easy thing to do if you take proper precautions), it will be even harder for them to run automatic password guessing software against your master password. PBKDF2 makes the mathematical process of checking whether a Master Password is correct much longer and more difficult.

Your secrets are very well encrypted and protected by your Master Password, but these new measures strengthen that protection. You can read about PBKDF2 in an old article, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too to get more details as it applies to 1Password on the desktop; the same ideas work on iOS devices.

Why change things now?

We’ve long considered using PBKDF2 in 1Password for iOS. The advantages of using it are clear: It provides substantial additional resistance to attacks by password guessing software if your encrypted data falls into the wrong hands. There are a few reasons why now was the right time.

We have faster devices

The principle reason this didn’t come sooner is that, with PBKDF2, unlocking your 1Password data on older devices will take noticeably longer and will consume more power than not using PBKDF2. People running 1Password on first generation iPhones will now have an unlocking delay that may last up to a couple of seconds, and a delay of about one second on the iPhone 3G and on the  first generation iPod touch. Delays should not be particularly noticeable on newer devices, and the vast majority of our customers now use 1Password for iOS on said newer devices.

A great feature of iOS 5 and OS X 10.7 is that the number of PBKDF2 iterations can be calibrated to the particular device. We will be making use of that in 1Password 4 for iOS, and we already make use of that in 1Password 3.9 on Lion.

Finding the right implementation

A lesser reason is that the development toolkits for iOS 3 don’t include functions for performing PBKDF2. We try to work with established tool kits as much as possible. iOS 4 (and particularly iOS 5) contain built-in features that make it easier to write programs that perform complicated encryption functions.

That said, we are still able to bring PBKDF2 to 1Password running on iOS 3. Yes, it will be slow and power hungry on older devices, but it is possible because we found a way to take the PBKDF2 function from the OpenSSL libraries and incorporate it into our code. So even though this isn’t in the Apple supplied SDK for iOS 3, we are able to use a well tested and reviewed implementation.

Changes in the threat landscape

There has also been a change in the threat landscape since we first developed 1Password 3 for iOS. There are several “forensic” tool kits on the market for breaking into iOS devices. As new ways in which data can be taken from iOS devices come to light, we need to provide even better protection against off-line attacks on your 1Password data.

It is probably far less likely that that someone will capture your encrypted 1Password data from your iOS device than your 1Password data from your computer. A stolen computer, unless you use FileVault or some other disk encryption, means that your 1Password data will be available to who ever gets a hold of your disk. This is why we built PBKDF2 into 1Password on the desktop a long time ago.

But it is also the case that most people use better Master Passwords on their desktop systems than on their mobile devices. And so, in the less likely event that the data gets captured from an iOS device, the master password could do with extra protection. If everyone had sufficiently strong Master Passwords, PBKDF2 wouldn’t be necessary. But let’s face it: a very strong Master Password on an iPhone is a Master Password that won’t get used much.

Elcomsoft analysis

Although we have long been aware of the benefits of using PBKDF2, a recent report (PDF) by researchers at Elcomsoft highlighted how quickly a master password could be cracked without the additional protection of PBKDF2. We discussed that report in a recent blog post, “Strong Security Requires Strong Passwords“.

Other security improvements

Dropbox OAuth tokens

1Password stores your Dropbox username and password very securely on iOS for automatic syncing, but it hasn’t been quite as careful with the OAuth tokens used when connecting with Dropbox. If this data is copied and used on another device, it would grant access from that other device to a Dropbox account. We have fixed this in 1Password 3.6.5 for iOS.

We’ve discussed this issue extensively in a recent blog post: OAuth, Dropbox, and your 1Password data.

Padding, integrity, and standards

We try to stick to standards when it comes to encryption and protocols, but even well established standards can later be discovered to be flawed. There turns out to be a design problem with the padding scheme used as parts of the PKCS standards. Introducing PBKDF2 (also defined in the same set of standards) gets around the problem.

I won’t go into much detail, but here is a little background into the issue. An encryption algorithm like AES works on a block of data at a time. In the case of AES the blocks are 16 bytes (128-bits) long. Because the data to be encrypted won’t always be a multiple of 16 bytes, some extra data gets added to the end to “pad” it out to a multiple of 16 bytes. The details of the padding scheme have to include some clever tricks so that when the data in decrypted, the decryption process can recognize where the pad begins, so it knows what to remove.

The problem is that the padding scheme has also been used as an integrity check. That is, it provides a signal to the one decrypting the message whether the data has been modified. Padding is not well suited to that purpose, but that usage means that under certain circumstances it can be used to very quickly verify whether something has been decrypted correctly. The attacker is saved an extra decryption trial in testing whether they have “guessed” the right password.

The simple solution is to make use of cryptographically appropriate integrity checks, Message Authentication Codes (MACs) after encrypting the data. That is, the integrity check is performed on the encrypted data instead of on the plaintext. By using PBKDF2 we are forcing an attacker to go through a large number of extra steps with each “guess”, overwhelming any advantage an attacker might gain through the PKCS padding problem.

Processes and products

All this allows me to bring up a point that we’ve made before but will continue to make: Security is a process, not a product. One aspect of this is that a tool that your security depends on is never “done”. This is not the first security improvement we’ve made over the years, and it certainly won’t be the last. But process isn’t only in updating product. Process is about how people do things. That includes our own testing procedures, and it also includes always working to understand how people use 1Password so that we can continue in our effort to make the easy thing to do also the secure thing to do for people.

[Update April 11: Several people, including Quirks In Tech, have correctly pointed out that I should have been much more explicit in this post about the role that the Elcomsoft report played in our decision to start using PBKDF2. Earlier drafts of this included an extensive section on exactly that, but it got lost as I tried to cut this down to size. I've added a short section back into this post. -jeff]

OAuth, Dropbox, and your 1Password data

1Password in DropboxA number of iOS apps, including 1Password, have a security problem in how they handle OAuth tokens. 1Password 3.6.5, which was submitted to Apple several days ago, fixes this. This will be a free update for all owners of 1Password for iPhone, 1Password for iPad, and 1Password Pro (for iPhone and iPad). We can’t predict how long Apple’s approval process will take, but the update should be available soon, if it isn’t already by the time you read this.

Because of this bug, someone who gains physical access to your device may be able to copy authentication tokens off of it, then install those tokens on their own device to access your Dropbox data. It is not entirely clear at the moment under what circumstances an attacker will also need the device passcode. It appears that if the device has previously been synced with the computer the passcode isn’t required. In any case it is important to protect your iPhone, iPad, or iPod Touch protected with a good passcode.

We have been extremely careful in how we store your Dropbox username and password for automatic syncing, but like many others, we didn’t take the appropriate precautions when it came to OAuth tokens. These tokens allow quick connection to Dropbox (Facebook and other services also use OAuth). Of course, any 1Password data that an attacker fetches from your Dropbox account is still encrypted by 1Password.

In 1Password 3.6.5, which we submitted to Apple at the beginning of the week, we store OAuth tokens securely in the iOS keychain, where they are properly encrypted and cannot be copied to other devices. However, if other apps that use Dropbox have the same problem (and it looks pretty common), then OAuth tokens can be copied from those apps as well.

The OAuth problem

The problem of how OAuth tokens are stored was first discussed Tuesday (April 3) by Gareth Wright reporting on the Facebook iOS app.OAuth logo Since then, it became clear that the Dropbox app itself has the same problem. Presumably there are many other apps that connect to services like Facebook or Dropbox that are unfortunately in the same boat.

Dropbox have told The Next Web that:

[Our] Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same.

Facebook’s initial statements have been less clear, but no doubt they will be submitting a fix soon.

For one of the best discussions of this whole thing, please see the report and analysis by The Next Web.

What this means for you and your 1Password data

1Password Pro iconThis design problem, both in versions of 1Password prior to 3.6.5 and in other apps, means that it is easier for an attacker to get hold of and manipulate your 1Password data stored on Dropbox than we had anticipated. I used to say that it was far more likely that someone could get hold of your 1Password data by stealing your Desktop computer than by getting it off of Dropbox. I certainly have to revise that assessment.

The good news is that your usernames and passwords  (along with notes and attachments) are well encrypted. Even if someone gains full control of your Dropbox account they will not be able to get at the secrets encrypted in your 1Password data. We have also been busily working on an updated version of our data format that is even better suited for life in the cloud.

You can also manage which devices are allowed to connect to Dropbox. That is, you can instruct Dropbox to reject certain OAuth tokens and also view the the last few times each authorized device has connected.

To manage your Dropbox devices, log in to your Dropbox account with a web browser, and under your account name, go to Settings and then “My Computers”. If you suspect that an OAuth token has been stolen, you can unlink the computer or device. After that you will need to relink the computer or device to your Dropbox account using your Dropbox username and password.

Alternatives to Dropbox

Every time there is a security issue with Dropbox, people rightfully suggest that we offer alternative syncing mechanisms. At this point, there is nothing that I’m in a position to say beyond what we’ve said earlier in “Dropbox Terms“. There are developments, but nothing I am even willing to hint at just yet.

More security changes to come in 3.6.5

The changes coming in 3.6.5 are all about security and bug fixes. Please see “1Password 3.6.5 for iOS is out with PBKDF2 goodness!” for details.

Appendix: When is a passcode required for this attack?

When an iOS device is connected to a computer that it hasn’t connected to previously, the user will be prompted to enter the passcode on the iOS device. After that first connection, the computer will store some keys that will allow it to unlock the iOS device for future connections.

So once you have unlocked your iPhone for a particular computer, when you plug it in later, you do not need to unlock it for the file system on the device to bevisible to tools like iExporer. This is presumably why initial reports of this issue claimed that no device passcode was necessary to extract the files containing the OAuth tokens.

There is, unfortunately, one further complication. iTunes will automatically unlock the device for any user account on the same computer that the device has previously been unlocked on. That is, if Alice and Bob both have user accounts on the same Mac, and Alice has at one point entered the her passcode on her iPad to allow syncing, then Bob will be able to gain access to most of Alice’s iPad simply by using iTunes in his account on the Mac. What is worse is that Bob’s account on the computer can also be a guest account, and he will still have access.

All of the testing I have done has been with iTunes 10.6.1 on Mac OS X 10.7.3 (Lion). I have not tested this with iTunes on Microsoft operating systems.

What is worrisome here is that exactly the same people (co-workers, family members) who have the easiest access to your iOS devices are very likely to have some account on the same computer that you have used.

Still, passcodes do matter so please remember that a good device passcode is a good idea.

Data protection classes

As of 1Password 3.6.5 we put the OAuth information into the iOS keychain using the “ThisDeviceOnly” data protection class that will not allow the OAuth token to be copied from the device unencrypted. There is a bit of terminological muddle in that “ThisDeviceOnly” and “ProtectionComplete” mean the same thing except that the former is used with keychain items and the latter used with files. I prefer the term “non-migratable” to cover both.

The application property lists files, plists, contain app preference settings, and this plists do not have the non-migratable restriction on them; they are fully accessible once the device has been unlocked. Note that data with the non-migratable restriction  cannot be restored from an iTunes or iCloud backup to a different device. So if you replace your iPhone or iPad, you will need to re-enter your Dropbox credentials to reestablish automatic syncing.

Please join the discussion of this on our forums.

The ABCs of XRY: Not so simple passcodes

1Password Pro iconWhen talking about reports of tools that break into iPhones, it is very important to remember that the seller may be inclined to overemphasize its capabilities. It is also wise to keep in mind that the more sensational claims are the ones that tend to be picked up, and perhaps amplified, by the press. In this light, let’s talk about Micro Systemation’s XRY, a cracking/forensics tool for extracting data from iOS and Android devices.

XRY, despite its recent press attention, does not appear to represent anything new. Everything that we said in Lost iPhone? Safe passwords! still holds true. Your 1Password data remains encrypted. That is, even if an attacker gets through all of the the iOS security, including capture of the device passcode, he or she would still have to break your 1Password Master Password to get at your 1Password data.

XRY logo

News of XRY has been circulating since Andy Greenberg of Forbes drew attention to it and to Micro Systemation’s video demonstration. The demo shows discovery of an iPhone’s passcode in a matter of second. This should naturally cause concern for everyone who cares about their privacy.

But I’m going to try to sort out what the real concerns are, and what you can do to to better protect yourself.

Cracking passcodes

Elcomsoft logEven though your 1Password data remains protected, tools like XRY or Elcomsoft’s iOS forensic toolkit do represent a threat to the secrecy of other data stored on your device.  Furthermore, most people will have weaker 1Password Master Passwords on their phones than they will on their desktop systems. This means that we do need to be a bit more concerned about what happens if people steal your encrypted 1Password data from your iOS device than if they steal your encrypted 1Password data from your desktop or Dropbox. Therefore it is worth spending a bit of time talking about device passcodes and the security of your iOS device in general.

Note that when I talk about your “device passcode” I’m talking about the passcode that is used to unlock your iPhone, iPad or iPod touch in the first place (assuming you set one, of course). I am not talking about your 1Password unlock code or master password. Those are different things. The tools described are all about breaking the device passcode and what can be done once that is available.

First, these tools jailbreak the device. This allows the user to then run a brute force attack on the device passcode. That attack must be run on the phone itself because it is tied to a unique device key. You may think that running through all of the passcodes, 0000—9999 would just take a fraction of a second, and under normal circumstances you would be absolutely correct. But Apple has protected the passcode with PBKDF2, which forces each trial to perform thousands of complex computations. Although things will differ from device to device, Apple appears to have tuned things so that it takes about one quarter of a second to process a single guess.

Without having hands on experience with XRY I can’t be absolutely certain of this, but I strongly suspect that the reason that it was able to discover the passcode so quickly in the demonstration was because the passcode was “0000”. That is, “0000” may be the first passcode it tried. At four guesses per second, it would take about 40 minutes to try all possibilities, with an average break time of 20 minutes. As we’ve seen, sometimes it can hit upon the correct guess quickly, but in other cases it may take the full 40 minutes.

Not so simple passcodes

Settings screen to turn Simple Passcode OffTwenty minutes to break into your device is still too quick for many of us to be comfortable with. Fortunately it is easy to set a longer passcode on your device. Launch the Settings app and go to General > Passcode Lock. You will be asked to re-enter your passcode at this point; after all, you wouldn’t want anyone who picks up your unlocked phone to be able to fiddle with its security settings. Once you’ve done that, you will have a screen with lots of options. One is called “Simple Passcode”—switch that to “Off” (the Simple Passcode means using a simple 4-digit number). Once you switch Simple Passcode to “Off” you can have longer and more complex passcodes.

Passcode entry for all numeric codeLet’s suppose that you wanted to use a six digit passcode. It would take almost three days to attempt all one million possible six digit passcodes. The average crack time would be half that, at about 35 hours. All the while, the phone needs to be attached to the attacker’s computer. For an eight digit passcode, it would take on average about four and a half months to crack. Each additional digit multiplies the attack time by ten.

If you want to use just lowercase letters and the space key, then with a five letter passcode it would take about three weeks to guess, and for six lowercase letters it would take about a year and a half on average. Each additional letter (or space) multiplies the crack time by 27.

The table below gives some sample average crack times. Assuming that your passcode is random, I count 27 possible lowercase “letters” (26 letters, plus the spacebar) and 53 mixed case “letters” (52 letters, plus the space bar).  Although we don’t know how XRY guesses, Elcomsoft has previously advertised that when confronted with a non-simple passcode, their system will try some commonly used non-simple passwords first.

[Click for HTML version of this data table]

So what kind of passcode is right for me?

When trying to figure out what the best kind of passcode works for you, there are a couple of things to keep in mind. The first one is that for someone to launch this attack they need to be in full possession of your phone during the whole time. The attacker can’t just grab your phone briefly and then do the rest of the attack later. So you need to think realistically about how much time and effort someone would put into getting at your data.

Also remember that this is just to get at your device’s passcode. It is not about your 1Password data which is protected separately in a number of ways, including your Master Password.

You must consider how easy the passcode is for you to enter. One very convenient feature of iOS is that if your passcode is digits only, you will be presented with a numeric keypad, making it much easier and quicker to enter. Likewise, if you keep your passphrase to lowercase letters only, you don’t have to shift keyboards. The passcode that I’ve personally been using falls into the ‘months to crack’ category. Your choice may be different.

What about 1Password data?

Your 1Password data is protected by several layers, the device passcode is only one of them. iOS prevents one application from seeing the data belonging to another application on the device. This can also be a layer of defense, but it is not one which will withstand most jailbreaks.

So finally we come to your 1Password Master Password for the data on your device. This is the final layer of protection. Note that if you use a 4-digit 1Password unlock code, it is just a convenience feature to allow you to do some things within 1Password without having to enter your full Master Password; it is not intended to be a meaningful layer of security.

Put simply: you should use the longest master password on your device that you are comfortable typing regularly. If it is a real chore to type, you won’t use 1Password enough to get its security benefits. Because typing on a desktop system, an iPhone, and an iPad are very different experiences, we have set things up so that you can have a different Master Password for each. The Master Password that I use on Mac and Windows is complex enough to be entirely unusable on an iPhone. This means, however, that my Master Password on my iPhone and iPad are substantially weaker than what I use on the desktops, which brings us back to why I am concerned with overall security of iOS devices.

As we’ve often said before, security is a process, not a product. So look for further security enhancements in 1Password for iOS in the not too distant future. As usual, I don’t want to say anything more specific until this is delivered.

Other claims in reports about XRY

One the the most frightening paragraphs from the Forbes article on the XRY demo reads:

As the video shows, […] XRY can quickly crack an iOS or Android phone’s passcode, dump its data to a PC, decrypt it, and display information like the user’s GPS location, files, call logs, contacts, messages, even a log of its keystrokes.

While it is true that the demonstration video suggests that XRY can do most of that, I am far from convinced that it it actually exhibits those capabilities, at least not as stated in those words.

I have no hands-on experience with XRY or any information that isn’t publicly listed on the Micro Systemation website, so my comments here are necessarily speculative.

“Quickly crack passcodes”

As discussed above, there is absolutely no indication from the video that XRY can do much better than four guesses per second when cracking passcodes. It would be a truly major break(through) if they either found a way to defeat PBKDF2 (in which case it wouldn’t just be phones that they could go after) or discovered a way to perform these passcode trials off-line. Such breakthroughs would be widely trumpeted, and they would have been able to perform a very different demonstration. The fact that their target passcode was “0000” only reinforces my view that there is no breakthrough.

Note that they might be able to get a slightly better crack rate on an iPhone 4, running iOS 4. But iOS 5 contains mechanisms to set the PBKDF2 iterations appropriately for the hardware it is running on. It’s worth noting that they used iOS 4 on an iPhone 4 in their demonstration.

“Display user’s GPS location”

In the video we are told that they found some “google maps data”. Whether or not this is a place that the phone has been is left entirely unclear.  Because there were only a couple of such data items listed, I am skeptical that it does represent actual phone locations. There also was a bit of a kerfuffle about a year ago when it was believed that Apple tracks an iPhone’s location. As it turned out, that wasn’t quite what was going on. It doesn’t appear from the video that the location data they are getting is anything like what is in the location cache database.

“dump files”

The video shows the inspection of a file called “keychain-2.db”, which seems scary enough, but there is no reason to believe that data within that file can be decrypted.  However, with a sufficiently jailbroken device with the passcode in hand, it is plausible that the information in there can be decrypted. They then go on to “the log file” and show that the device passcode is in it. What may not be immediately clear is that this is log file is created from their own password cracking process.

The log file that is being read there was actually created by XRY itself. There will, of course, be sensitive data (such as contact information) available to them after a cracking the passcode, but the demonstration does not illustrate those examples.

“logs of its keystrokes”

I am not certain where the impression of a keystroke logger comes from. I saw no implication of that from the video. Perhaps it is the discovery of a swipe pattern on the Android 2.3.3 (Gingerbread) system that was shown. Note that there have been two major releases of Android (Honeycomb and Ice Cream Sandwich) since the version used in the demonstration.

A large grain of salt

I am not in any way disputing that tools like XRY and the Elcomsoft toolkit can be useful for law enforcement. And I am certainly not suggesting that these shouldn’t be worrying to anyone concerned about their data and privacy. My point is simply that sensational claims about security issues need to be examined carefully. The more we examine some of the claims about XRY, the less frightening they become.

In sum

This was a long article, so I’d like to highlight a few main points

  1. Press reports based on marketing videos are not the most reliable way to to understand security threats.
  2. XRY, in particular, illustrates no threat that we haven’t addressed before. In particular, your 1Password data on your phone is encrypted and protected by your 1Password master password even if your phone becomes entirely compromised.
  3. It is probably time to move beyond simple 4-digit pass codes for your iOS device. If you use a longer sequences of digits, it will still be quick and easy to enter.
  4. For advice on what to do if your iThingy gets stolen, please see an earlier post that includes such advice.

By adopting reasonable security practices, such as using 1Password and moving beyond a 4-digit device passcode, we can enjoy on the benefits of our mobile devices without having to live in fear of what happens to our data if someone gets a hold of the device.

Update: Micro Systemation have removed their demonstration video from YouTube. Also someone more familiar with the jailbreaking technology has reported on this and points out that the tools at XRY uses do not work with the iPhone 4S, the iPad 2, or the new iPad. It also confirms my view of the password cracking time.

One phish, two phish; old phish, new phish

The easiest way to discover someone’s password is to ask them for it.
—Folk wisdom in the security business

There are many ways to trick people into revealing their passwords, but one of the most commonly attempted is phishing. If you can lure people to a website that looks like Paypal’s, but is actually under your control, then you can often steal their usernames and password to Paypal. This is one of the reasons why so many sites of this nature warn users to pay close attention to the URL in the location bar. “paypal.com” is not the same as “paypalc.om”.

When location bars can’t be trusted

The information in the location bar is one of the defenses against phishing, but David Vieira-Kurz of Majorsecurity discovered a bug in AppleWebkit on the iPhone, iPad, and iPod Touch that gets around this defense. AppleWebkit is the technology that underlies not only Mobile Safari but pretty much every app that has a built in web browser. This bug allows a malicious website to place a false URL in the location bar of the browser. Now is probably a good time to point out that 1Password on your iOS device protects you against this, and I’ll get into the how and why below.

Mobile Safari majorsecurity demo

Mobile Safari incorrectly displays this as being from apple.com

Majorsecurity has set up a page to demonstrate this bug. If you visit that with Mobile Safari and tap the Demo button you will see a page that looks like Apple’s homepage and will falsely contain www.apple.com in the location bar. I haven’t investigated how this trick would interact with the website authentication provided by SSL/TLS (when you connect to a secure “https” site), but as people don’t always check whether they are connected to an https site, this new bug could definitely lead to more successful phishing.

1Password’s phishing defense

Login for majorsecurity.net

1Password provides defense against phishing by carefully checking the domain to which the browser is connected. So it will only report a match for your Login for, say, Paypal when you really are visiting a site in the paypal.com domain. As a quick demonstration of this, I’d like to show that 1Password on my iPhone correctly recognizes the Majorsecurity demonstration as being on majorsecurity.net and not as the apple.com site it masquerades as.

I already have a number of Logins for the domain apple.com, but I created a new Login for majorsecurity.net. The username and password I set up for that are “foo” and “bar”. (I think you will understand if I’m not going to tell you my username and password at Apple.com.)

1Pt at majorsecurity.net demo

1Password correctly sees this as majorsecurity.net

When I go to Majorsecurity’s demonstration page using 1Password on my iPhone, then tap their “demo” button, I am brought to a page that looks very much like Apple’s homepage. (Majorsecurity puts a little warning text in there to help you see that it is actually not Apple’s real home page.) And when I tap the 1Password globe to bring up the credential for the site, 1Password correctly gives me the username and password I’ve set up for majorsecurity.net; it does not bring up any of my apple.com Logins. 1Password knows what site I’m talking to despite the tricks that the site uses.

Ask and you shall receive

As you can see, 1Password makes it harder for you to fall victim to a phishing attack, but it can’t, for example, prevent you from revealing your passwords over the phone or in other ways.

Let me tell you about my own deviousness. Sometimes when I talk about password security to a group of people, I offer a challenge that I will be able to discover a password of their choosing. When I get a volunteer, I ask them to write the password down on a piece of paper, fold the paper and bring it to me. For a little while I go through a show of fiddling with my laptop, and I definitely ask them to use a password that doesn’t reveal a personal secret. (A surprising number of passwords people pick are things like “ILoveJenny”.) Finally, after enough mumbo-jumbo, I simply read the password that the victim so conveniently wrote down and gave to me. This is when I announce that the easiest way to discover someone’s password is to ask them for it.

Strong Security Requires Strong Passwords

Elcomsoft just published a very informative review of the state of the mobile password manager landscape. They investigated the defences applications provide and how long it would take to discover someone’s Master Password. In their findings, they found that if on iPhone or iPad your 1Password Master Password contained only numbers and was 12 digits long, then it could be found in one day, assuming the attacker got ahold of your device or a copy of your data file.

Note that this discovery time is for passwords that only use digits. As Dmitry and Andrey pointed out, this would be equivalent to a 6 character password (lowercase and uppercase characters, digits, as well as symbols):

To quickly convert this value to a comparable length of a password composed of random ASCII characters one can simply divide the former number by two (since number of ASCII characters is 95 ≈ 102).

The main reason the password can be determined so quickly is because 6 characters provide relatively few possible password combinations. To put this into perspective, here’s how the password length affects the discovery time:

Password Length Possible Combinations Discovery Time
6 956 1 day
7 957 3 months
8 958 24 years
9 959 2,348 years
10 9510 223, 152 years
11 9511 21, 199 centuries
12 9512 20 million centuries
13 9513 2 bln centuries
(42 times the age of the earth)

The discovery times are extrapolated from the numbers provided by Dmitry and Andrey in Table 2: Password recovery speeds and recoverable password lengths.

As you can see, it would take quite a while to discover a ten character password. Personally, I use a 13 character password as I have a lot of very sensitive data within 1Password and I want to ensure it remains safe, even if my iPhone was lost. It would take an attacker a very long time to iterate through all the possible combinations, and that is why the discovery time is so inconceivably huge.

With that said, as Dmitry and Andrey point out, 1Password could do more to slow the password discovery process, thereby making it take even longer. For example, on the desktop (both Windows and Mac), 1Password uses PBKDF2 to significantly slow down attackers. Currently this is not available on iOS as we needed to support older devices. The next major release of 1Password will only support iOS 5 and at that time we will be incorporating these additional defences.

You may be wondering why we think strengthening is required; after all, even a 10 character password would require hundreds of thousands of years to crack. The reason is 3 fold:

  1. Some users are using shorter passwords and we want to provide them as much protection as possible.
  2. All these numbers are based on the same hardware described by Dmitry and Andrey. Depending on the attacker’s resources, more powerful machines could be available.
  3. As time goes on, machines will continue to get faster.

To help guard against faster hardware and to strengthen shorter passwords, we are planning to update 1Password’s defences with several significant changes:

  1. 1Password 4 for iPhone will no longer allow items to be protected by just the PIN code. The PIN code was meant for less sensitive items and we always expected the Master Password protection to be enabled on important items. To simplify things, all items will be protected with the Master Password, just like on iPad, Mac, and Windows.
  2. In 1Password 4, we will be switching from 128 bit AES encryption keys to 256 bit.
  3. In 1Password 3 for iPad and iPhone, the password verification process will be significantly slowed down. Specifically, PBKDF2 will be added to iOS to match the Desktop versions. We will also remove the PKCS#7 padding mentioned by Dmitry and Andrey so attackers will be forced to perform two AES decryptions instead of just one.

Updates for 1Password 3 will be submitted to Apple within the next few weeks. Work on 1Password 4 is ongoing and it will be published later this year.

In sum, it is great that Elcomsoft took the time to analyse mobile password managers and draw attention to how critical password length is when protecting your data, and at how easy it is to “pick” a 4 digit PIN code. It’s important that everyone knows this.

What you can do today to ensure your data is protected is the same thing we have recommended all this time: use a Master Password on iPhone and iPad that is long enough to provide adequate protection for your needs. You can refer to the table above to determine the length of password that makes you feel most comfortable. Also, on iPhone, be sure to go through your items and ensure you have enabled Master Password protection.

For tips on how to pick or update to a good, strong Master Password, see our blog posts like Towards Better Master Passwords and its accompanying Geek Edition.

Lastly, all of the calculations assume the attacker has full access to your data. To protect against this, secure your iOS device with a passcode and if you are still backing up with iTunes, be sure to encrypt your backups.

Macworld names 1Password Pro among first inductees into new App Hall of Fame!

It’s not every day that an App Hall of Fame opens to celebrate the great things developers have created to wow customers, and it’s definitely not every day that one of your apps gets a place in such a hall.

But wouldn’t you know it, both of those things happened on the same day to 1Password Pro!

Macworld has cut the ribbon on its new App Hall of Fame, a place where its editors can highlight what they describe as “a class of perpetually top-notch apps.” The first batch of apps includes Instagram, Flipboard, InstapaperMLB.com At Bat, and our very own 1Password Pro for iPhone and iPad!

We are thrilled, honored, and humbled to get one of the first spots alongside such fantastic peers in Macworld’s new hall! We can’t wait to see who they nominate next, but in the meantime, we should get back to work on making sure 1Password Pro keeps earning “top-notch” status.