How strong should your Master Password be? For World Password Day we’d like to know

Just how strong should a 1Password Master Password be? We recommend that Master Passwords be generated with our wordlist-based generator, set to four words. This gets you something like “napery turnip speed adept”.

Among other things, this gives you the chance to learn new words. My dictionary has now informed me that “napery” means household linens such as table cloths and napkins. But let me move on from obscure vocabulary to the question of Master Password strength: what we know about it, what we would like to know, and how we can get expert password crackers to help us learn.

That’s why we are announcing a password cracking challenge, managed by Bugcrowd, with cash rewards. First prize earns $8192, second prize is half of that, and third prize is half again (the prizes were doubled on June 11; see the update in the comments below). The race began at noon Eastern Time on World Password Day, May 3, 2018. For those who want to jump right to the contest details without reading the rest of this, head over to our Bugcrowd brief or to our own description. The challenge hashes/keys are now available.

1st prize: $8192. 2nd: $4096. 3rd: $2048. 4th: $1024 (doubled on June 11 from the original $4096 / $2048 / $1024).

What is your Master Password for?

Your Master Password is your defense against someone who manages to steal your encrypted 1Password data from your own machines. Your data on our machines is additionally protected by your Secret Key, which makes Master Password guessing futile there. Unlike a human-usable password, your Secret Key is completely unguessable, and that is what makes what is stored on our servers uncrackable.

Sample Secret Key

But your Secret Key does not protect you if data is stolen from your own devices because your Secret Key is stored on your own devices. Likewise, our Multi-Factor Authentication only defends against attempts to connect to our systems. MFA doesn’t protect you from data acquired from your own machines. So when it comes to keeping 1Password data stored on your own machine from prying eyes, your Master Password is your defense. It needs to be as strong as you can reasonably use and it must be unique.

Consider Molly (a not all that bright dog), who has a Master Password of “RabbitHunter#1”. She also has some very important Login items, such as her PawPal account within 1Password. Now suppose that Mr Talk (the neighbor’s cat) has contrived to steal data off of Molly’s laptop, including her encrypted 1Password data.

Mr Talk will set up automated password guessing software to make many thousands of guesses per second. PBKDF2 slows that down, but Mr Talk is doing everything on his own machines and is not connecting to any of our systems, which is why MFA doesn’t do Molly any good in these circumstances. If Mr Talk has some expertise in password cracking and is willing to dedicate some computing power to this, he might crack that Master Password within a few hours, or it might take a week. Whatever that time turns out to be is how long Molly has to change her PawPal password and the other passwords she keeps in 1Password.

Let’s suppose that Mr Talk got Patty’s data as well. But Patty (a clever dog) used our Strong Password Generator and ended up with a Master Password of “saddle harass mod gunk”. Even if Mr Talk dedicated enormous amounts of computer resources to this, it would take decades or centuries to crack that. So Patty remains safe because she used a strong, randomly generated Master Password.

Again, for Mr Talk to have a whisker of a chance of cracking any of these passwords, he’d need to get data directly from Patty’s and Molly’s systems, which would also hand Mr Talk their Secret Keys. Mr Talk would not be able to launch such an attack with data acquired from our systems.

Reducing the guesswork by measuring the guessing work

How did I come up with “hours to a week” for Molly’s password and “decades to centuries” for Patty’s? With a lot of guesswork. We’d like to improve on that guesswork, and the way to do that is to invite (and incentivize) expert crackers to try to crack such passwords and find out just how much work they have to put into it.

Now if my guess about decades is anywhere near the mark for the four word password, that is simply too large a challenge. So we are presenting a number of keys derived from three word passwords produced by our password generator. We are also posting all the details about how they were generated, along with the wordlist used.

We are also simplifying some of the odd details of our key derivation function to focus solely on 100,000 rounds of PBKDF2-HMAC-SHA256. This makes it easier for participants to get set up without really affecting what we are trying to measure with this exercise.
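The following is an added example, not the challenge’s own generator or any 1Password code, that models the setup described above: a passphrase of words drawn uniformly (with replacement) from a wordlist, a key derived with 100,000 rounds of PBKDF2-HMAC-SHA256, and an attacker who knows the generation scheme and enumerates the whole wordlist keyspace in order. The 18328-word list size comes from this post; the 16-byte random salt, the 32-byte output length, the tiny stand-in wordlist and the attacker guess rate of 10^6 PBKDF2 evaluations per second are assumptions made here so the code runs quickly offline.

```python
"""Toy model of a wordlist-passphrase crackme (added example, not 1Password's code).

From the post: words chosen uniformly with replacement from an 18328-word list,
keys derived with PBKDF2-HMAC-SHA256 at 100,000 rounds.
Assumed here: 16-byte random salt, 32-byte output, a 5-word stand-in list,
and an attacker rate of 1e6 guesses/s (not a measurement).
"""
import hashlib
import hmac
import itertools
import math
import secrets

ITERATIONS = 100_000      # PBKDF2 rounds the challenge is simplified to (from the post)
REAL_LIST_SIZE = 18328    # size of the actual generator wordlist (from the post)

# Constructed stand-in for the real list so enumeration stays small (5**3 = 125 candidates).
TOY_WORDLIST = ["napery", "turnip", "speed", "adept", "saddle"]


def generate_passphrase(wordlist, n_words):
    """Pick n_words uniformly at random *with* replacement (a word may repeat)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def derive_key(passphrase, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 of the passphrase; the 32-byte output length is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def make_challenge(wordlist, n_words, iterations=ITERATIONS):
    """Return (public challenge, secret passphrase). The salt format is an assumption."""
    salt = secrets.token_bytes(16)
    passphrase = generate_passphrase(wordlist, n_words)
    challenge = {"salt": salt, "iterations": iterations,
                 "key": derive_key(passphrase, salt, iterations)}
    return challenge, passphrase


def crack(challenge, wordlist, n_words):
    """Attacker who knows the generator: try every n-word combination in list order.

    Returns (recovered passphrase or None, number of PBKDF2 evaluations spent).
    """
    salt, iterations, target = challenge["salt"], challenge["iterations"], challenge["key"]
    guesses = 0
    for words in itertools.product(wordlist, repeat=n_words):
        guesses += 1
        candidate = " ".join(words)
        if hmac.compare_digest(derive_key(candidate, salt, iterations), target):
            return candidate, guesses
    return None, guesses


def keyspace(list_size, n_words):
    """Number of distinct passphrases: list_size ** n_words, since choice is with replacement."""
    return list_size ** n_words


def entropy_bits(list_size, n_words):
    """Bits of entropy of a uniformly generated passphrase."""
    return n_words * math.log2(list_size)


def expected_seconds(list_size, n_words, guesses_per_second):
    """Average time to hit a uniformly random passphrase: half the keyspace at the given rate."""
    return keyspace(list_size, n_words) / 2 / guesses_per_second


if __name__ == "__main__":
    challenge, secret = make_challenge(TOY_WORDLIST, 3)
    found, spent = crack(challenge, TOY_WORDLIST, 3)
    print(f"recovered {found!r} after {spent} of {keyspace(len(TOY_WORDLIST), 3)} "
          f"guesses; correct={found == secret}")
    # Against the real list size; 1e6 guesses/s is an ASSUMED attacker rate, not a measurement.
    for n in (3, 4):
        years = expected_seconds(REAL_LIST_SIZE, n, 1e6) / (365.25 * 86400)
        print(f"{n} words: {keyspace(REAL_LIST_SIZE, n):,} passphrases, "
              f"{entropy_bits(REAL_LIST_SIZE, n):.1f} bits, "
              f"~{years:,.1f} years expected at 1e6 guesses/s")
```

With the 18328-word list, keyspace(18328, 3) is 6,156,660,823,552 (about 42.5 bits), the figure quoted in the comments below, and four words give about 1.13 × 10^17 (about 56.6 bits). At the assumed 10^6 guesses per second the expected 3-word search takes roughly 36 days and the 4-word search roughly 1,800 years; the point of the contest is to replace that assumed rate with a measured cost.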

We want winners

We want people to win the prizes, and we want people going into this to know that we want people to win. Otherwise we wouldn’t get participants to put in the effort that we are trying to measure.

So let me remind everyone again, the challenges that we have created here do not have the protection of the Secret Key and they are using Master Passwords that are at the weaker end of what we recommend. This contest simulates attacking only one single component of 1Password security.

Knowing your system is a good thing

It’s been nearly seven years since we helped revive the notion of wordlist-based passwords with our article Toward Better Master Passwords. And one of the many virtues of generated passwords is that they remain strong even if the attacker knows how they were generated. So with that in mind, we are also publishing the source used to generate the challenges.

How long until we have answers?

If we knew how much effort it takes to crack a three word password, we wouldn’t be giving away money to find out, would we? We also don’t know what kinds of resources people will throw at the problem. People or teams who dedicate fleets of hashing rigs to the problem will find things more quickly than someone who just uses a couple of ordinary computers.

Mining rig

Money is time

It may be more useful to ask about the cost of cracking a password versus how much time it takes. In any particular cracking attempt there will be some combination of fixed costs and variable costs ranging from developing the expertise and equipment depreciation to the cost of the electricity used to run and cool the machines. We want to develop an estimate that considers the total cost. So we hope that the challenge takes long enough that the results will show a useful mixture of fixed and variable costs.

We’ve also structured the contest as a race. The first to find a password will earn $8192, second place $4096 and third place $2048, with a fourth place prize of $1024 added when the prizes were doubled on June 11.

My own wild guess is that it could take anywhere between $250 and $2000 worth of effort to crack one of these three word passwords from our list, so the original first prize of $4096 was double the higher end of that guess (and it has since been doubled again). This way it should be worth people’s time to switch some of their coin mining rigs over to password cracking.

What now?

If you would like to participate, head over to Bugcrowd for the official rules and to get set up with them if you are not already a Bugcrowd researcher, as all submissions will go through them. Details can also be found in our crackme challenge GitHub repository.

If you’d like to just follow along at home before and after the starting gun on World Password Day, keep following us on Twitter, Facebook, or your favorite place to do such things. And if you would like to discuss things further, join us in our discussion forums: we’ve set up a specific topic in our Lounge for this challenge.

14 replies
    • Kate Sebald says:

      Hey, Yalu! I hope you don’t mind my popping in here for Jeffrey. He’s doing a lot of coordinating for this, so we’re all trying to help him out where we can. We’re waiting on BugCrowd to make that page public still, which is why we included a (perhaps too easy to miss) parenthetical for now that it’s not yet live. Of course, I can totally understand being super excited and clicking anyway. I’d probably have done the same. 😉 Hang tight and we’ll update the link text as soon as the page is active and available to everyone. 🙂

    • Jeffrey Goldberg says:

      Thanks Yalu. And thanks Kate for filling in for me while I was on the phone.

      It’s always hard to coordinate release of posts, and so we ended up a bit ahead of bugcrowd. If there is further holdup, I’ll edit our post to remove those links until there is something to link to.

  1. BiL Castine says:

    Hah! Love your creative blog posts, probably the most engaging security blog I’ve read. I do however object to the typecasting of cats. 😿

  2. Sam says:

    There are 6,157,668,625,289 possible passwords if they come from that AgileBits file. With 100,000 iterations I’ve calculated it would take over 40 years to iterate the entire list on my hardware. Not sure how anyone is going to get this without getting insanely lucky or spending thousands of dollars on hardware.

    • Jeffrey Goldberg says:

      You and me both, Sam. It would certainly be ridiculous to try to crack these on the hardware that I have at my finger tips.

      But some people have highly specialized hardware and software for going at these things.
      Indeed, as I just posted in our forums, there’s at least one contestant who looks like they should hit a result after a matter of weeks. There may also be teams of such people working on it, who distribute the work.

      We are interested in knowing how hard/expensive this is for people who have expertise and specialized resources. So while that might exclude a lot of people from meaningfully participating, it will help us get the data that we need.

      Cheers, -j

  3. Jeffrey Goldberg says:

    On June 11 we doubled the prizes for this cracking competition.

    • The top prize is now $8192.
    • Second place is $4096.
    • Third place is $2048.
    • And we’ve introduced a fourth place with a prize of $1024.

    Why are we doubling the prizes?

    Well it looks like my initial guess about how hard it is to crack these was too pessimistic (from the defender’s point of view). It’s been more than a month since launch, and we still don’t have any submissions.

    But we want this to be a winnable challenge, so we need to make sure that the incentives work for participants. We also want it to be worth the resources that people have dedicated to cracking. If it turns out that someone spends a few thousand dollars in electricity to crack these, we want to reward them fairly.

    It’s not surprising that my initial guess was off in one direction or the other. We are running this challenge exactly so that we can improve our estimates. And we did prepare for this situation. In our original announcement we said

    If no correct submission has been submitted within one month, we may increase the prizes. However, such an increase and the timing of it (if it occurs) will be unpredictable. Do not delay a submission in the hope of an increased prize.

    As always, details and updates will be posted in our discussion forums: we have a specific topic set up for this.

  4. Anton says:

    If I know in advance that most 1Password users will use a wordlist password (maybe because of this guide), why should I do a full brute-force instead of dictionary scanning?

    “RabbitHunter#1” – 14 symbols long. Let’s assume that there could be 64 different symbols. This leads us to “64!/(64-14)!” attempts.

    “saddle harass mod gunk” – 4 positions of 1M words, which leads us to “1M!/(1M-4)!” attempts.

    If i put this into a calculator, I get
    4,171,978,146,589,489,255,219,200 vs.
    _,999,994,000,010,999,994,000,000 attempts.

    Which means that a wordlist password is 4 times weaker than a 14-symbol password, when an attacker knows password’s type.

    • Jeffrey Goldberg says:

      Thanks for asking, Anton.

      There are a few things I would like to address, where I think you may be making some unfounded (though not uncommon) assumptions.

      Crackers aren’t brutes

      I appreciate your calculations of how hard it is to crack RabbitHunter#1, but your result isn’t really relevant.
      This is because people who crack human generated passwords don’t try every possible combination of letters, symbols, and digits.

      Attackers know that people like putting digits at the end. They know that people like to capitalize at word boundaries. They know that people like to combine words when creating passwords. They know all this and much, much more. Indeed, criminals involved in password cracking probably know more about human password creation choices than anyone else.

      People who attempt to crack passwords build all of that knowledge into their systems. They know to try the most likely passwords first. (There are some clever optimizations that can lead to some limited exceptions, but broadly speaking, they design their systems to try the most likely first.)

      Consider the password P@ssw0rd123. Eleven characters, mixed case, letters, digits and symbols. If people engaged in password cracking did things the way you expected, then that would be a very strong password. But we know that that is a terrible password. It appears more than 1000 times in the Have I Been Pwned password breach database.

      The strength of a password isn’t in how many letters, symbols, and digits are in the password. Instead it is in how likely any generated password is. Attackers go after the most likely passwords first.

      Assume the attacker knows the generation scheme

      You are absolutely correct that when you have reason to believe that someone created a three word passphrase with our generator, you would look at only such combinations. As I said above, attackers use everything they can know or reasonably guess about how a password was generated in tuning their attack. Take another look at the “Knowing your system is a good thing” section of the blog post.

      We want to find out what kind of effort needs to go into cracking these when the attacker knows everything about the system that generated them. We know precisely how many possible passwords there are, 6156660823552; and we know that they are uniformly distributed (so that no possible password is more likely than any other possible password).

      Something I like to call a “Kantian principle of password creation” is that a password creation scheme must remain strong even if everyone uses it.

      Anyway, please do look at the article I linked to, Toward Better Master Passwords, and its followup, Better Master Passwords: The geek edition. I think that these will help clarify some of the points here.

      Minor math error

      Your math is a bit off on the four word example. If there were 1 million words (there are far fewer) then the number of possibilities would be 1 million to the 4th power. This is just a tiny bit more than what you calculated. You appear to assume that items are chosen from the list without replacement. That is, you’ve assumed that “saddle” couldn’t appear twice in the same generated password. We have no such restriction.

      The number of words on the list is 18328. So the number of possibilities for a four word password is approximately 10^17. My initial estimate, when we first launched the contest, was that that would take tens of millions of dollars worth of effort to crack. So we just used three word passwords. Given what we’ve learned so far, I would increase my cracking cost estimate by 8, and say that a four word password would take more than 100 million dollars of work to crack.

  5. LogoVenture says:

    I heard of 1Password for the first time and I am really happy that I have found this blog, because entering credentials was really annoying. Thanks, and I will definitely use it.

    • Jeffrey Goldberg says:

      Thank you. I am sure that you will find it great to have something that both makes things easier and more secure.
