litewhy.blogg.se

John the ripper how to




John the Ripper, the pre-eminent password cracking tool, is getting ready to take on 1Password. Is 1Password ready? Yes! We have been ready for a long time, but you need to do your part by having a good Master Password. We’ve written many times about how 1Password defends against automated password guessing programs (password crackers). And we’ve been strengthening those defenses as well. If you’ve been wondering why we’ve been devoting so much effort to this, well, this is the article for you. We’ve always known that there is nothing we can do to prevent someone developing an automated Master Password guessing tool that is tuned to 1Password data, and so we’ve designed our security around the assumption that such tools do exist. What we can do (and have done) is make any password guessing program work extra hard, so that it can only guess thousands of passwords per second instead of many millions per second. We also have been advising people to make sure that their 1Password Master Passwords are strong, unique, and memorable.

Password crackers don’t break the cryptography or exploit bugs or design weaknesses. They are just programs that try millions or billions of different passwords until they either find one that works or the person running the program gives up. The news is that the most popular and sophisticated open source password cracking tool available, John the Ripper, is now being adapted toward cracking password managers’ Master Passwords.

More recently (July 25) we see the development of tools specifically designed for making John the Ripper work with 1Password’s Agile Keychain Format. John the Ripper expects the data that it works with to be in particular formats. The modifications to John the Ripper for 1Password involve two components. One converts the relevant part of the Agile Keychain Format into an appropriate input file, and the second part allows John the Ripper to test against that input file in a way that allows it to recognize a successful guess.

Let me stress again that the existence of a password cracking tool does not reflect any kind of weakness in the system it is attacking. When you have encrypted data, there is nothing stopping a person or a computer from trying to guess the password. Other than repeating the fact that 1Password users should have a unique, strong, and memorable Master Password, there is nothing that we need to do with 1Password in response to the new components of John the Ripper. We have been operating under the assumption that these sorts of tools already existed, even if they hadn’t been made publicly available.

When we introduced the 1Password data format in 2008, we knew that we needed to design it to defend against crackers, so we used PBKDF2 in the process of getting from Master Password to encryption key. PBKDF2 means that a computer has to do many complicated and slow computations to derive an encryption key from a password. So you might have to wait half a second or so after entering your master password for 1Password to actually be able to unlock your data, but that is barely noticeable to someone using the system. But for an automated password cracking system, it dramatically reduces the number of possible passwords it can guess in a day. We’ve written more about how PBKDF2 works in Peanut Butter Keeps Dogs Friendly, too.

Plus, last year we increased the number of PBKDF2 iterations that many versions of 1Password use when creating a new data file. We have also been encouraging people to use good Master Passwords for their 1Password data. 1Password means that your various login passwords don’t need to be anything that you need to remember (and so it is easy for those to be strong and unique), but your 1Password Master Password is something that needs to be strong, unique, easy to remember, and reasonable to type. There is a great deal of advice on the ‘net about how to pick a good password that you can remember, but much of that advice fails to take into account the flexibility of password cracking tools.

So please take a look at Toward Better Master Passwords if you haven’t already looked at that.
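The PBKDF2 slowdown described above can be measured directly. The following is an added example, not code from the original article or from 1Password: it times how many guesses per second one CPU core can test at different iteration counts and converts that rate into the expected time to search a Master Password of a given strength. The PRF (HMAC-SHA1), the salt, the key length, the iteration counts and the 40-bit entropy figure are assumptions chosen for illustration.

```python
import hashlib
import time

# Assumptions for illustration (the article does not state these parameters):
# HMAC-SHA1 as the PBKDF2 PRF, a constructed 16-byte salt, a 32-byte key.
SALT = bytes(range(16))  # constructed sample salt


def derive_key(password: str, iterations: int,
               salt: bytes = SALT, dklen: int = 32) -> bytes:
    """Derive an encryption key from a Master Password with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, dklen)


def guesses_per_second(iterations: int, min_seconds: float = 0.2) -> float:
    """Measure how many password guesses per second one core can test."""
    count = 0
    start = time.perf_counter()
    while True:
        derive_key(f"guess-{count}", iterations)  # one guess = one derivation
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed


def average_crack_years(entropy_bits: float, rate: float) -> float:
    """Expected years to find a password drawn uniformly from
    2**entropy_bits candidates (on average half the space is searched)."""
    return (2 ** entropy_bits / 2) / rate / (365.25 * 24 * 3600)


def report(iteration_counts=(1, 1_000, 10_000, 100_000), entropy_bits=40):
    """Return (iterations, guesses/s, expected years) for each setting."""
    rows = []
    for n in iteration_counts:
        rate = guesses_per_second(n)
        rows.append((n, rate, average_crack_years(entropy_bits, rate)))
    return rows


if __name__ == "__main__":
    for n, rate, years in report():
        print(f"{n:>7} iterations: {rate:>12,.0f} guesses/s, "
              f"~{years:,.2f} years for a 40-bit password on one core")
```

The absolute rates depend on the hardware it runs on; the point is the ratio between rows, and that each extra bit of Master Password entropy doubles the expected time at any iteration count.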