iMore’s editors have decided: 1Password for iOS is the iPad Utility of the Year

Yes, it’s easy for us to say the new 1Password for iOS is awesome; it’s our baby! And sure, there are plenty of second opinions stacking up. Now we have our first award!

iMore has announced its 2012 Editors Choice Awards, calling it for everything from devices, to apps, to stories, and even accessories. A lot of great stuff made their list, and we were super excited to see 1Password named iPad Utility of the Year! Thanks to Rene Ritchie and the iMore staff for such kind words!

If you still haven’t picked up iMore’s iPad Utility of the Year, or what we would call An All-Around Awesome Password and Identity Manager for iPhone and iPad, now is the perfect time to do it because 1Password for iOS is still on sale for over 50% off! But run, don’t walk—when 2012 ends in a couple days, so does our sale!

1Password 4 for iOS in the press

The reviews are in… and in, and in, and in! After over a year of hard work, 1Password 4 for iOS is now in the App Store and, in the words of Macworld, “practically flawless.”

Plus, until the end of 2012, it’s on sale for just $7.99 as a universal app for both iPhone and iPad—that’s over 50% off! Of course, we could give you over 20 reasons to love the new 1Password for iOS, but we’ll let the press have their say:

  • Matthew Panzarino of The Next Web, who did a great interview with our co-founder, Dave Teare, for the release: “This really is the best version of 1Password yet.”
  • Jeff Gamet of The Mac Observer: “1Password 4 is simply a must have app for every iPhone and iPad owner that’s moved beyond keeping passwords on a Post-It note — which should be you.”
  • Federico Viticci of MacStories: “With a cleaner, more powerful, and consistent experience, 1Password 4 is a great update.”
  • Geoffrey Goetz of GigaOM: “AgileBits has taken user feedback to heart and really enhanced an already great product.”
  • Glenn Fleishman of TidBITS: “I find 1Password 4 a substantial improvement.”
  • Christine Chan of AppAdvice: “If you haven’t experienced 1Password yet, then there’s no better time than now.”

I could go on, and on, and on, but I think you get the point. We love 1Password 4 for iOS, the press loves it, and we truly believe you’ll love it too, especially since it’s still over 50% off through the end of 2012!

Doing the two-step until the end of time

In my discussion of Dropbox’s new two-step authentication, I skimped on the cryptography. Because we had to move quickly, I wanted to focus at the time just on our recommendations, so I told a few fibs about the way the six digit codes “get” to your phone. Now I want to explain how it really works.

Not only that, but I will sneak in a little introduction to Message Authentication Codes (MACs), which play a major role in our newest version of the 1Password data format. This topic is also worth revisiting because our new release, 1Password 4 for iOS, works well with Dropbox’s two-step verification.

Speaking of, let’s start with Dropbox’s two-step authentication system. I did try to warn readers that I was being less than forthcoming about the full truth when I suggested that a six digit code is sent from Dropbox (or Google) to your phone:

There are also some really cool things about how the protocols for two-factor authentication work, but I will bite my tongue and leave that discussion for another day. What this means, however, is that a great deal of what I say in describing the system below is a pack of lies.

Even my word “protocol” could be confusing, as it might imply some network activity. The magic of the system is that anything using this type of Time-based One Time Password (TOTP) tool will compute the same six digit code at a particular time with the initial set-up secret. Dropbox’s login system will calculate the six digit code on its own; and a tool that you use, such as Google Authenticator, will also calculate the six digit code on its own. No network connection is needed after the first time setup.  In my example below, I’ll use Google Authenticator, but it isn’t the only TOTP tool out there.

Initial set up

When you first set up something like the Google Authenticator you scan in a QR code.

The code contains a label that will typically be “Dropbox:your-email@example.com”, and it contains a secret that is randomly generated and unique for each account. The secret might look like “MQZDKZRZGBRWMMZXMI4TCMZUMYYDKYTC”. Putting this inside of a QR code just saves you a lot of typing. If you don’t have a camera that can be used to scan the code, there is even a link for getting the information that you should type in. Scanning this in is the only time that information will be transmitted (in this case, transmitted via your phone’s camera) from Dropbox to Google Authenticator.

Google Authenticator on your phone will keep a copy of the secret, and so will the Dropbox servers. That shared secret allows both Google Authenticator and Dropbox to calculate the same six digit codes when needed.

Counting on time

When you log into Dropbox with your username and password you will then be prompted for the six digit code if you have enabled two-step verification. You will then open Google Authenticator on your phone and you will see six digits. Those six digits are computed from a combination of the shared secret and the current time. The current time is the number of seconds since the first instant of 1970. It is rounded down to the nearest half minute. This is why the number changes every thirty seconds.

When you enter the six digit code during Dropbox’s login process, Dropbox will perform the same calculation. It has a copy of the secret that was first shared, and it too knows the current time. If what you enter matches what it has calculated, you’re in.

Your phone will not need any network connection as long as its clock is reasonably accurate. Fun fact: your phone actually makes minor adjustments to its clock pretty much every time it connects to any kind of network that allows it to check a time server on the internet. Today, most networked computers and devices know the current time to within less than one 10th of a second.

Because the code depends on both the time and on the shared secret, we end up with a different code during each 30 second period. This makes it a one time password.

Beyond the end of the world (January 19, 2038)

Ancient eunuchs foretold global catastrophe on January 19, 2038, as their long count calendar comes to an end and starts a new cycle from zero

—Anonymous

Replica of the Aztec sun stone. This has nothing to do with Unix or Mayan time keeping.

The number of seconds since the very beginning of 1970, known as Unix time, is often maintained in a single variable in the computer’s operating system. When Unix was first designed, this number was stored in a 32 bit variable. That means that the number could range from 0 to 2^32. Zero corresponds to midnight January 1, 1970 (UTC). So what time does 2^32 correspond to? That will be 3:14:07 (UTC) on January 19, 2038. Bad things will happen then to computers that are still using 32 bit integers to store Unix time.

So will Google Authenticator stop working in 2038? No, it should be fine. Even though iOS devices – based on 32-bit ARM chips – do just use 32 bit “long” integers, Google Authenticator doesn’t rely on that. It uses NSDate to get Unix time on iOS.

Indeed, the actual standard defining TOTP states:

The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038.

Another wrinkle in time

Unix Time really is the number of seconds since the very beginning of 1970, but that number ignores leap seconds. Leap seconds are added (or subtracted) on occasion to account for the fact that the speed of the Earth’s rotation can change slightly due to earthquakes, other seismic activity, and even tidal activity (not only do I get to talk about a calendar system reaching its end and resetting, I get to talk about earthquakes and tidal waves in the same post!). A leap second was added at the end of June 2012, so noon (leap second adjusted) on July 1 was actually only 86399 seconds later (by Unix time) than June 30 instead of 86400 seconds later as you would normally get between two days.

The TOTP standard requires the use of Unix time, which is defined to ignore leap seconds. This way, everyone who follows the standard will be using the same clock and calendar. Also, keep in mind that Unix time isn’t just for Unix-based operating systems like OS X, iOS, and Android. Windows has a similarly defined FILETIME, which differs in its start time and in that it counts in nanoseconds instead of seconds, but it can be converted to Unix time easily enough for use in the TOTP protocol.

Time to meet MAC

Earlier, I said that the code, or one time password, is computed from the secret key and the time, but not just any old computation will do. For the system to work securely, we need the computation to meet some requirements which include:

  1. It must be easy to calculate the code from the key and the time, but it must be completely unfeasible to calculate the key from the code and the time.
  2. It must be unfeasible to predict without knowledge of the key what the code will be at some particular time even if you have observed what the code is at many other times.
  3. The calculation will always give the same result if given the same key and time (it is a function).

These look similar to some of the requirements we wanted for a good cryptographic hash function. And a cryptographic hash function will play a central role in how this is all done.

This also looks as if we are using a shared secret key to create a digital signature on the time. Digital signatures also involve hash functions. But “digital signature” isn’t really the right term here because those are based off of public/private key systems. With TOTP, we have a shared secret.

In place of a digital signature, we have a Message Authentication Code (MAC). This is not to be confused with “MAC” of “MAC address” that you see as hardware addresses for networking equipment, and certainly not to be confused with “Mac” (Apple’s family of computers) or “mac” (the mackintosh raincoat). Maybe this will help keep things clear:

A lowercase mac, for when you need wet wear
And an all-caps MAC is made by software
You’d be just as cool as the great Ry Cooder
If you never confound these with a Mac computer

One of the ways to use a cryptographic hash to create a MAC is the HMAC. You will hear more about HMAC in the not-so-distant future.

Keeping time, time, time

One consequence of this sort of system is that it makes the computers’ knowledge of the time part of the security system. This isn’t anything new; this requirement has been part of the Kerberos system for decades. Indeed, one of my first roles in system administration was keeping clocks in sync with each other, specifically for Kerberos.

Unfortunately, this means that if someone can tamper with the time signals a computer receives from outside, then they can do damage to other aspects of security. We need systems to verify that the messages they get about the time are authentic, but the less-than-ideal state of secure time synchronization could be the subject for a new series of rant posts. Fortunately, I’ll spare you.

It is also not clear at this point what forms of time travel this or other security protocols can resist. I believe that there is a research paper in this question somewhere for an adventurous student and a flexible professor.

Six digits from 160 bits

Let’s now put all of these pieces together. Dropbox and Google Authenticator each have the shared secret from when you set up your two-step verification, and each knows the correct time at the moment. So when each calculates the HMAC of the current time, using the shared secret as a key, they will calculate the same number. If they use SHA-1 for the hash function (as they do in the current system), the number that they calculate will be 160 bits long, or roughly 48 digits. The final step is to compute a 6 digit number from that 160 bit number. But let’s save time and skip those final details.
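The calculation described in this post, including the final truncation step it skips, written out as an added Python example that follows RFC 6238 and RFC 4226; it is not code from Dropbox, Google Authenticator, or 1Password. The one-step clock drift window in `verify` and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # codes change every half minute


def decode_secret(b32_secret: str) -> bytes:
    """Turn the base32 text carried in the QR code into raw key bytes."""
    cleaned = b32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def code_for_counter(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the time-step counter, then truncate to a short code."""
    # The counter is packed as 8 bytes, so time values past 2038 still fit.
    message = struct.pack(">Q", counter)
    mac = hmac.new(key, message, hashlib.sha1).digest()  # 20 bytes = 160 bits
    # Dynamic truncation: the low 4 bits of the last byte choose where to
    # read 4 bytes from the MAC; the top bit is cleared to avoid sign issues.
    offset = mac[-1] & 0x0F
    (chunk,) = struct.unpack(">I", mac[offset:offset + 4])
    chunk &= 0x7FFFFFFF
    return str(chunk % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """Code for the 30 second period that contains unix_time."""
    return code_for_counter(key, int(unix_time) // STEP_SECONDS, digits)


def verify(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current period plus `window` periods
    either side (an assumed tolerance for clock drift) and compares in
    constant time so the check does not leak how many digits matched."""
    counter = int(unix_time) // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        expected = code_for_counter(key, counter + delta)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"  # published RFC test key, not a real secret
    print(totp(rfc_key, 59))           # both sides compute this independently
    print(verify(rfc_key, totp(rfc_key, 59), 59 + STEP_SECONDS))
```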

Time for closing remarks

Dropbox’s two-step authentication is a great thing, and 1Password for iOS now works more smoothly with it. But it does the most good for people who are using weak or re-used passwords to log into Dropbox. Thankfully, 1Password users don’t really need to worry about that problem.

1Password for iOS Features: There and back again with the clipboard

The scene: you’re creating a new password for a Login or another app on your device.

The protagonist: you.

The antagonist: tapping too many times to create a password, copy it to the clipboard, and paste it somewhere else.

The solution: our new Copy to Clipboard option in 1Password for iOS!

Whenever you create a new password now, it will automatically be copied to your clipboard, ready and waiting to be pasted into a tab in the all-new Web Mode browser or another app. You can tap the “show password recipe” option while using the Strong Password Generator to see the “Copy to clipboard” option, among others, or even disable it. But the story’s not done, yet.

We wanted to ensure your new passwords don’t sit forever in your clipboard where you may accidentally paste them into a message or a tweet hours or days later. To solve this challenge, we gave 1Password for iOS a “clear clipboard” option (Settings > Security) for anything you copy out of 1Password for iOS, then turned it on out-of-the-box. The default is 90 seconds, but you can push that all the way up to five minutes or “never.”

This way you can create your new password, copy it to your clipboard literally without lifting a finger, paste it into your final destination, then sit back and let 1Password clear your clipboard for you, keeping that info safe and sound.

1Password for iOS—keeping your info safe since 2008, and now saving you even more extra taps since December 2012.

1Password for iOS: All the FAQs fit to print

You have questions about the new 1Password for iOS, we have answers. Frequently answered questions, to be exact.

What’s the big deal about 1Password 4 for iOS? How do I do [blank] with iCloud? How can I fix a problem with [blank]? You can find your answers to these questions, and many of these filled-in blanks, in our 1Password for iOS Frequently Asked Questions document.

While you’re there, be sure to do some window shopping at our other documents. We have all manner of user guides and tutorials for a whole bunch of stuff, and more on the way!

1Password for iOS Features: Categories are the new Wallet

There’s a lot of new stuff in the new 1Password for iOS—I mean, a lot—but one of the most important changes is the new Categories tab. We rounded up all the different types of stuff you keep safe and use in 1Password and made it all more flexible, not to mention easier on the eyes.

You can check out our user guide on the new Categories, but I’ll give you the cliff notes. Categories is the tab in Vault Mode where you create and organize all your stuff, including Logins, Secure Notes, Credit Cards, Identities, and more. It also includes everything that was in the Wallet tab in 1Password 3, like Rewards Programs, Bank Accounts, and Memberships.

From the Categories tab you can tap into any category and get down to business, but now you can also reorder them! Yes, another great addition to the new 1Password for iOS is the ability to reorder Categories however you want—simply tap the Edit button in the top titlebar, then drag Categories above or below each other. Maybe you really love Secure Notes and want them to be above Logins, or maybe you don’t plan on having to add or update your Identities anytime soon. Drag them around to your heart’s content, then tap Done.

The new Categories tab can be a big help, and you can learn more about it in our user guide. Plus, don’t forget to check out the new 1Password for iOS, now available in the App Store!

Say hello to the new 1Password for iOS

You may have seen the news and incredible reviews elsewhere, so we are absolutely delighted, thrilled, ecstatic, and overjoyed to tell you that the new 1Password for iOS is here. In the App Store. Right now. If you’re curious about making the transition, we have a great new FAQ too.

What’s the big deal about the fourth edition of 1Password for iOS? In short, everything.

We spent more than a year thinking, designing, dreaming, drafting, listening, testing, and ultimately building. The new 1Password for iOS marks a new era for the most incredible password and identity manager for the iPhone and iPad which, in the words of Rene Ritchie at iMore, has been “redone from pixel to bit.”

We have all-new interfaces for both iPhone and iPad that are easier to use and even more beautiful; a full-featured Web Mode with tabbed browsing and form filling for Logins, Identities, and Credit Cards; iCloud sync; custom templates; Favorites for quick access to your most-used stuff… I could go on, or you could check it out in the App Store or go through just some of our best new stuff below:

  • 110% redesigned interface – It’s a whole new app for your iPhone, iPad, and iPod touch!
  • All-New Favorites section – You asked for quick access to your most used stuff, you got it!
  • All-New Web Mode – A full browser with tabbed browsing on iPhone and iPad, a URL bar—the works!
  • All-New Form Filling – Just like the Mac and PC versions, you now have Logins, Identities, and Credit Cards just a tap away in the all-new Web Mode
  • All-New Vault Mode – A redesigned place to organize your items by Categories, Favorites, Folders, and powerful search
  • Global Search – Search your entire Vault, Favorites, or a specific Category
  • iCloud sync support – 1Password sync: Not just for Dropbox anymore!
  • Folders – All the joy of folder organization from the desktop on your mobile device
  • Customize your items – Let each item be the unique snowflake that it was created to be.
  • Introducing Linked accounts – Multiple URLs can be associated with a single Login.
  • Action Bar — Swipe across an item to easily Smart Copy, Favorite, Open in Browser, or Delete.
  • View Attachments on iOS – Viewable on iOS, just like on the desktop!
  • Auto-Copy for passwords created with the Strong Password Generator (tap the “show password recipe” when using the SPG)
  • Supports 13 languages – English, French, Spanish, Italian, German, Russian, Korean, Japanese, Portuguese, Chinese (Simplified), Chinese (Traditional), Dutch, Norwegian
  • Demo Mode – Want to show off 1Password to a friend or post a screenshot, but don’t want to share your Vault with the world? Enable Demo Mode in Settings, lock 1Password, then type “demo” as your Master Password to make 1Password 4 for iOS load up a bunch of sample data instead of your personal Vault.
  • A brand new Quick Tour for new users. It’s much easier to get started with 1Password now.
  • PC-less sync setup – We now use iCloud and Dropbox’s new API to get you set up with sync, so you no longer need a Mac or PC to set up sync for your iPhone and iPad.
  • Better backups – Not only faster, but now it is part of the iTunes File Sharing feature in Settings > Sync.
  • Strong Password Generator is now included in all of your password fields—secure passwords everywhere.
  • Auto-Copy for passwords created with the Strong Password Generator (on by default, but tap the “show password recipe” when using the SPG to see it and other options)
  • Clear Clipboard – New in Settings, enabled by default, this option lets you clear your iOS clipboard at intervals of 30 seconds to five minutes. Great for preventing apps or websites from grabbing your passwords or other sensitive data.

We also streamlined 1Password for iOS to a single, new, universal app for iPhone, iPad, and iPod touch that requires iOS 6 and has a unified price of $17.99. But to celebrate a year of work and our best release to date, we’re holding a Launch Celebration and Upgrade Sale of just $7.99—over 50 percent off! Get it while the sale lasts, because we’re not sure yet when it’s going to end.

We’d like to thank our fearless developers, visionary designers, steadfast customer support team, and of course our incredible customers for making the new 1Password for iOS what it is today. We hope you love it, because this is just the beginning.

Coming Soon to an App Store near you

An unforgettable journey. An epic battle. A fellowship strengthened. Ancient truths protected by the one password you need to remember.

1Password 4 for iOS is coming.

Alan Turing’s contribution can’t be computed

Alan Turing was born a hundred years ago this year and his most important paper was published seventy-six years ago (November 1936). It is close to impossible to overstate the influence that Turing has had on the modern world. It is well worth celebrating his life throughout this centennial year. Although any celebration must be tempered by reflection on the circumstances of his death, I would very much like to tell him that “it got better.”

Since others with better knowledge of history than I are writing this year about many aspects of Turing’s life and influence, I’ll discuss something that doesn’t make the rounds often: Alan Turing and randomness. Turing knew a great deal about randomness and talked about what kinds of things can and can’t be computed. If you would like to know why true randomness isn’t “computable”, please read on. Discussion of randomness in 1Password and cryptography will be in a later article.

The Millennium of the Algorithm

I like to call the second millennium “the millennium of the algorithm”. An algorithm is a finite list of step-by-step instructions that, if followed, will get you a result. When we learned how to add multi-digit numbers in grade school, we learned an algorithm. The same is true for multiplication and division. These algorithms for arithmetic were developed and described by Muḥammad ibn Mūsā al-Khwārizmī in about 825CE and translated to Latin in the 12th century. It is from al-Khwārizmī’s name that we get the word “algorithm”. We also get the word “algebra” from the title of one of his books.

In the final century of the millennium, Alan Turing found a way to treat algorithms as mathematical objects. This involved inventing a computer programming language and describing a physical machine that it would run on. The particular machine wouldn’t be very practical because Turing needed it to be the simplest thing possible that would compute, in principle, anything that a more complicated physical device could do. It would have been horrendously inefficient if actually built.

LEGO Turing Machine from ecalpemos on Vimeo

The full title of Turing’s 1936 paper is “On computable numbers, with an application to the Entscheidungsproblem”, but I will only be talking about the “On computable numbers”. Although the Entscheidungsproblem is utterly fascinating and the goal of his paper, let’s set it aside for another post or perhaps a few beers.

Different kinds of numbers

There are lots of numbers between 0 and 1. We call all the numbers in that range real numbers. Among the real numbers are rational numbers (numbers that are a fraction of whole numbers) like 1/3, but there are also numbers that can’t be expressed as fractions of whole numbers, like the square root of 2. This fact about the square root of two was so disturbing to the Pythagoreans’ view of the universe that they attempted to keep it secret. Legend has it that the person who revealed the secret got tossed overboard and drowned as punishment. Anyway, numbers that can’t be expressed as ratios of whole numbers are called irrational numbers.

It turns out that there are as many even numbers as there are whole numbers. This is because for any whole number that you care to name, I can name an even number that matches it. If you say “33”, I’ll just say “66”. This may seem strange, but if we can find a way to pair up the members of one set (in this case whole numbers) with the members of another set (in this case even numbers), we say the sets are the same size. It actually gives us a useful way to talk about infinities.

Since there are as many whole numbers as even numbers, you might reasonably think at this point that all infinities are the same. You’d be wrong, but it certainly wouldn’t be unreasonable to have that incorrect intuition. There are, in fact, more real (irrational) numbers than there are rational numbers. The proof of this is one of the most beautiful things ever invented, but I won’t go into it.

So we’ve got a different, bigger infinity of irrational numbers than we have of rational numbers. When a set has as many elements as there are counting numbers, we call that set “countable”. It’s infinite, but we can match up elements to the counting numbers. The counting numbers are countable as are the rational numbers. The set of real numbers, however, is not countable. This means that we cannot pair up each real number with some counting number.

How irrational can we get?

There are different types of irrational numbers. Things like the square root of 2 are called algebraic numbers for reasons I won’t explain. But there are irrational numbers that go beyond, or transcend, the algebraic numbers, and these are called transcendental numbers. The most famous transcendental number is π, the ratio of the circumference of a circle to its diameter. Of course, π has been known about for a very long time, but it was only proved to be transcendental in the 19th century. The trigonometric functions like sine and cosine typically yield transcendental results.

There are algorithms to compute any algebraic numbers (things like the square root of 2) to any precision that we need. There are also algorithms to calculate the kinds of transcendental numbers that we tend to use, like π or the sine of 10.

On Computable Numbers

Imagine a hotel – let’s call it the Hilbert Hotel – that has a countably infinite number of rooms, each of which is big enough for only one guest. Suppose you have every room filled, and a countably infinite number of new guests arrive. You can still fit them all in by having each current guest move to double their current room number. If Alice is staying in room 1, she will move to room 2. Barbara, who has been in room 2, will be moving to room 4. The guest in room 33 will be moving to room 66. After this move, all of the odd numbered rooms will be vacant, and you can then give out those rooms to your new guests.

If you have an infinite number of guests who would like to stay, and you can find a way to assign each to her own room, then you have countably infinite guests. But if there is no way to give each guest her own room, then you have an uncountable number of guests.

By carefully defining what it means to compute something, Turing found a way to give every possible algorithm a room to itself in Hilbert’s countably infinite hotel. This means that there are “only” a countable number of algorithms. At the same time, we know that there are uncountably many real numbers. There are real numbers for which there is no algorithm to produce them. Some things are uncomputable.

Plenty of irrational numbers are computable. We do have algorithms for computing the square root of 2 or the sine of 50. Turing’s result here (remember, he actually just used all of this as a building block to settle a bigger question in mathematics) tells us, among other things, that while there are countably infinite things that we can compute, there are uncountably infinite things that we can’t compute. The overwhelming portion of numbers are things that we can’t compute.

Computing Machines

Turing was able to define the notion of “computable” by imagining the most simple device with the most simple of mechanisms that could do everything that we think of as computation. But there is some confusion about the term “Turing Machine”. Although it can be used to refer to the imaginary physical device described in “On Computable Numbers”, it often refers to a program for that device (Turing called his programs “machines”). There is a special kind of Turing Machine (program) which can read and execute any Turing Machine. We call such programs or systems Universal (Turing) Machines.

One important fact about a Turing Machine (the imaginary device or individual programs) is that it always produces the same result with the same input. The result of each step in an algorithm depends entirely on what it has to work with and the step itself. If an algorithm has a step that adds two digits, the results must always be the same given the same starting digits.
Algorithms cannot have steps in them like “flip a coin, if it comes up heads do X, otherwise do Y.” There is no coin flipper inside a Turing Machine.

Pick a number, any number

If we pick a number at random from the real numbers between 0 and 1, it will almost certainly be a non-computable number, as the overwhelming majority of numbers aren’t computable. So can we pick a random number that way? Not with a Turing Machine. Each step in an algorithm should get you to a single specific result based on where you start. True randomness is not computable.

Turing knew that Turing machines could not generate true randomness, and Turing knew a great deal about randomness. His 1934 King’s College (Cambridge) Fellowship Dissertation had been on one of the most fundamental theorems in statistics. His now famous work as a code breaker at Bletchley Park during the second world war involved an innovative application of Bayes’ Rule to cryptanalysis.

When Turing got to play with real early computers for his own academic interests, he knew that if he wanted anything with truly random numbers, it would have to go beyond the computable. He had a hardware random number generator included in the design of the Mark I at Manchester University in 1949. A paper by Martin Campbell-Kelly describes what was almost certainly the first attempt at a hardware random number generator in an electronic computer:

At the request of Turing an instruction to generate a random number from a noise source was provided. Unfortunately, the numbers turned out to be not particularly random, and debugging was difficult because programmes were not repeatable; consequently, the instruction eventually fell into disuse.

The lesson in all of this history and theory is that randomness has been a difficult problem since the very beginnings of computing.

More randomness to come

1Password, like pretty much all cryptographic software, needs cryptographically secure random numbers to do its stuff securely. What it means for a number to be cryptographically secure, why 1Password needs such numbers, and where it gets those from will be the subject of a future article.

Further reading

If you would like to look to the past then I very strongly recommend Andrew Hodges’ Alan Turing: the enigma as the definitive biography, and for a remarkably accessible yet complete discussion of On Computable Numbers, I enthusiastically recommend Charles Petzold’s The Annotated Turing.

Hashing fast and slow: GPUs and 1Password

The net is atwitter with discussion of Jeremi Gosney’s specially crafted machine with 25 GPUs that can test hundreds of billions of passwords per second using hashcat, a password cracking system. Password crackers, like hashcat, look at the cryptographic hashes of user passwords and repeatedly make guesses to try to find a password that works. 1Password has been designed to resist automated password cracking attempts exactly because we anticipated developments like this.

Don’t get freaked out by the numbers

First and foremost, the reports of 348 billion passwords per second are specifically about passwords stored in the LM format used on Windows XP, exploiting the notorious design flaws and limitations of LM hashes. (If you are still running Windows XP, and particularly if you are running NT, 2000 or 2003 domain controllers, please, please upgrade.) The hundreds of billions of passwords per second reached against those hashes do not mean that passwords stored in other formats can be cracked that quickly.

By the way, this isn’t the only important news about password security to come out of this year’s excellent Passwords12 conference. I couldn’t quite make it there this year, but I will talk about other developments from it in coming weeks. Today, all eyes are on GPUs guessing billions of passwords per second.

Slow and Fast Hashing

Typically, when a password is “stored” on a system that you log into, it is not the password itself but a cryptographic hash of the password. I’ve written before about some of the ways that passwords can be hashed. These can roughly be divided into two categories: slow hashes and fast hashes. Slow hashes are specifically designed to slow down the kinds of attacks we are discussing.

Your 1Password Master Password is processed using the slow hashing system known as PBKDF2. 1Password’s use of PBKDF2 and your use of a good Master Password keep your data resistant to password crackers such as John the Ripper and hashcat.
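To make the slow/fast distinction concrete, here is an added example (not code from 1Password or from the original post) that writes PBKDF2 out over HMAC so the iteration chain is visible, then measures what one guess costs against a single salted SHA-1. The choice of SHA-1, the 10,000 iterations, the password and the salt are assumptions made for the demonstration; the post does not state 1Password's parameters.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample values; the iteration count is an assumption for the demo,
# not a parameter taken from 1Password.
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 10_000


def pbkdf2_hmac_sha1(password, salt, iterations, dklen=20):
    """PBKDF2 (RFC 2898) written out over HMAC-SHA1 so the chain is visible."""
    out = b""
    block = 1
    while len(out) < dklen:
        # U_1 = HMAC(password, salt || 32-bit big-endian block number)
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        # U_j = HMAC(password, U_{j-1}): each round needs the previous output,
        # so the work for one guess is serial; only separate guesses parallelise.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block += 1
    return out[:dklen]


def seconds_per_guess(guess_fn, repeats):
    """Average wall-clock cost of checking one candidate password."""
    start = time.perf_counter()
    for _ in range(repeats):
        guess_fn()
    return (time.perf_counter() - start) / repeats


def slowdown(iterations=ITERATIONS):
    """How many times more expensive a slow-hash guess is than a fast-hash guess."""
    fast = seconds_per_guess(lambda: hashlib.sha1(SALT + PASSWORD).digest(), 20_000)
    slow = seconds_per_guess(
        lambda: hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, iterations), 5)
    return slow / fast


if __name__ == "__main__":
    assert pbkdf2_hmac_sha1(PASSWORD, SALT, 100) == hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, 100)
    print(f"one PBKDF2 guess costs about {slowdown():,.0f}x one salted SHA-1 guess")
```

The ratio scales roughly linearly with the iteration count, which is the knob a defender turns as guessing hardware gets faster.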

Defending against future threats

There are several lessons from this. Gosney’s work does reflect real innovation and a breakthrough, but it isn’t an unexpected breakthrough. People who keep an eye on these things – and we do keep an eye on these things – expected something like this within the next couple of years.

We need to design systems that work against plausible future threats, not just against current threats. This is what we have always tried to do with 1Password.

Lessons and actions

  1. Your 1Password Master Password and your 1Password data remain safe; we designed the Agile Keychain format from the beginning to resist crackers like this. But it is also important for people to select strong, memorable Master Passwords.
  2. It is more important than ever to have unique passwords for each site and service. As password cracking gets easier, the risk of using the same password on multiple sites increases. This is because if password hashes are stolen from one site, attackers have a better chance of discovering the password from the hash. Once they have that, they can try the same password on other sites.
  3. When using 1Password’s Strong Password Generator, try to create passwords that are at least 20 characters long.

Back to the Future

I’ve talked (well, even boasted, I suppose) about how our earlier design decisions are protecting 1Password users today. But we have to look at what the design decisions we make today will do for 1Password users half a decade from now.

Gosney’s machine can also be used against slow hashes, including PBKDF2 passwords. You can read more (and see cool pictures) of the design of Gosney’s hashcatting machine in the conference presentation slides (PDF).

Furthermore, PBKDF2 was not designed specifically to impair parallel processing. But because GPUs have unusual and restricted ways of addressing memory, it is possible to design systems that make parallel processing using GPUs slower. This leaves a number of questions that we continue to look at.

  1. Do we need to change anything at all in anticipation of even more powerful machines tuned toward PBKDF2? (We don’t yet have estimates on how many passwords per second this system could try against a 1Password data file.)
  2. If we do need to change things, when do those changes need to be in place?
  3. Should we look at more parallel and GPU resistant alternatives to PBKDF2, such as scrypt?
  4. Should we look at tinkering with options within PBKDF2 to make it more resistant to GPUs working in parallel?

These are not new questions. We are always asking ourselves these and other questions in order to keep your 1Password data secure and protected, both now and in the future.

[Updated 2012-12-06 15:50 UTC. Updated to correctly explain that Gosney’s system is not limited to LM hashes. Thanks to Jeremi Gosney, Solar Designer, and others who pointed out my error. I have also taken the opportunity to add more clarifications and links to background throughout.]