1Password Proves It Can Stand Up To Password Crackers

1Password goes head-to-head with a password cracker and shows why complex passwords are important.

1Password by AgileBits is an incredible tool for keeping your data safe. More than just a password manager, 1Password allows you to encrypt and organize a wide range of data (website passwords, non-web digital accounts, credit/debit card numbers and financial account details, software licenses, and files containing confidential information).

Those features are all well and good, but the biggest feature is 1Password’s ability to keep all that data secure in the face of brute force attacks – the kind of attacks where a piece of software simply tries combination after combination of possible passwords. Password cracking software that relies on such attacks can easily try thousands of potential passwords each second.

To find out whether or not 1Password can withstand such attacks, AgileBits tested 1Password against John the Ripper, one of the most well-known password cracking tools.

AgileBits recently detailed much of the investigation and background information on its blog, including the fact that John the Ripper and other password cracking tools can be fine-tuned to attack specific encryption tools like 1Password.

The key concept here is that these tools attack the master password that users set when they configure 1Password. Breaking the encryption mechanisms and decrypting data isn’t a viable attack option against high-level encryption technology like that employed by 1Password or Apple’s FileVault. The primary vulnerability in secure systems like 1Password is the credentials that allow the owner of the data (or authorized individuals) to unlock the system. In the case of 1Password that means the master password (in other systems it could be a user account and password, two-factor authentication that involves a physical or data token that needs to be presented with a password, or even biometric data like a fingerprint).

It’s that point of entry that AgileBits tested John the Ripper against. Given enough time, John the Ripper will eventually crack any master password. The best that 1Password can do is to build complex calculations into the system – calculations that must be performed with each password attempt. That may not sound like much, but it does work – provided the master password is long enough and random enough.

Both of those are important pieces of the solution. The longer the password, the more guesses a cracking tool needs to make to get the right password. If you layer on thousands or tens of thousands of complex calculations that need to be performed for each guess, it becomes plausible to stop the attack – or, more accurately, to slow it down to the point of effectively stopping it by making the cracking tool take days, weeks, years, centuries, or even millennia before every possible combination is tried.

Applying that concept to everyday use, AgileBits suggests that you use multi-word passwords in which the words are truly random (rolling dice to select words is one truly random method the company suggests). As you can see in the table below, a seven-word password would take trillions of years to crack. Even a four-word password would be sufficient, as it would take decades or centuries to crack.

AgileBits shows how length of passwords and thousands of calculations can slow password crackers enough to effectively stop them.
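
An added example (not from the article or from AgileBits) showing how the two factors described above, passphrase length and a slow calculation per guess, combine into a crack-time estimate. It assumes a 7,776-word Diceware-style list and PBKDF2-HMAC-SHA1 as the per-guess calculation; the word list is constructed placeholder text and the guess rate is whatever one core of your own machine measures.

```python
import hashlib
import math
import secrets
import time

WORDLIST_SIZE = 6 ** 5   # assumption: Diceware-style list, five dice rolls pick one of 7,776 words
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed placeholder list; a real list would hold 7,776 distinct dictionary words.
WORDS = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]

def pick_passphrase(n_words, words=WORDS):
    """Pick words uniformly with the OS CSPRNG (a software stand-in for rolling dice)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(n_words, list_size=WORDLIST_SIZE):
    """Each uniformly chosen word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)

def derive_key(master_password, salt, iterations):
    """The slow per-guess calculation. PBKDF2-HMAC-SHA1 is this example's assumption."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode(), salt, iterations, dklen=16)

def measure_guess_rate(iterations, trials=3):
    """Guesses per second that one core of this machine manages at this iteration count."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"guess-{i}", salt, iterations)
    return trials / (time.perf_counter() - start)

def average_years_to_crack(n_words, guesses_per_second, list_size=WORDLIST_SIZE):
    """On average the right passphrase turns up after half the keyspace is searched."""
    return (list_size ** n_words / 2) / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    print("sample passphrase:", pick_passphrase(4))
    for iterations in (1, 10_000):
        rate = measure_guess_rate(iterations)
        print(f"\n{iterations} iteration(s): about {rate:,.0f} guesses/second on one core")
        for n in range(4, 8):
            years = average_years_to_crack(n, rate)
            print(f"  {n} words ({entropy_bits(n):.1f} bits): {years:.3g} years on average")
```

The absolute figures depend on the hardware doing the guessing; the ratio between rows (a factor of 7,776 per added word) does not.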

  • Alfred2612

    Thing is, the password has its days numbered, at least when it comes to use with encrypted data. With the likes of Facebook or other web services, they can easily just be locked when 3 wrong login attempts have been made, or whatever. Make the person wait 15 mins before trying again. Simple enough.

    However, when you have password encrypted data in the hands of someone who wants to crack it open, and when quantum computing (eventually) comes along, even a ridiculously long password will take just a few hours to crack with a brute force attack.

    Another solution will need to be designed other than passwords.

About the author

Ryan Faas is a technology journalist and consultant living in upstate New York who has written extensively about Apple, business and enterprise IT, and the mobile industry. In addition to writing for Cult of Mac, he is a contributor to Computerworld, InformIT, and Peachpit Press. In a previous existence he was a healthcare IT director as well as a systems and network administrator. Follow Ryan on Twitter and Google+.
