How strong should your account password be? Here's what we learned

by Jeffrey Goldberg

It’s been a while since we ran our challenge, How strong should your Master Password be?, in which we gave out prizes to the first people who could figure out the passwords in carefully constructed challenges.

The challenges were designed to simulate the threat to a user who has had their 1Password data stolen from their own machines (1Password data captured from our servers are protected by your Secret Key and so aren’t subject to this sort of attack). After paying out a total of $30,720 USD, we have a better picture.

The short answer is that it costs the password cracker about $6 USD for every 2³² (4.3 billion) guesses of a 1Password account password. An attacker, on average, only needs to try half of all the possible passwords, and had we not provided hints, it would have cost the attackers $4,300 USD to crack the three-word passwords in our challenge.

This figure of $6 USD per 2³² guesses allows us to calculate the cracking cost for any known password strength. Given that passwords created by the 1Password password generator have precisely known strengths – unlike human-created ones – we know a four-word password created by our generator would cost about $76 million USD to crack. A four-word password that uses one randomly capitalized word, and randomly chosen numbers as separators between the words, raises the cost to about $100 billion USD. There are more examples listed toward the end of this article.

At the risk of tiresome repetition, let me repeat two important things:

  1. This kind of guessing attack is only possible if the attacker obtains your encrypted data from your device. Thanks to the Secret Key, what is stored on our servers cannot be attacked this way.
  2. The cracking cost is based on our use of 100,000 rounds of PBKDF2-H256 for processing account passwords. You shouldn’t assume passwords used elsewhere are protected the same way.

Setting the prize (wrong)

I initially underestimated both the amount of effort needed to crack the passwords and the amount of prize money needed to incentivize serious attempts. This underestimation resulted in the need to double the initial prize offering twice, and share a few hints. This was good news, as it means that 1Password account passwords are well protected, even on the users' own devices. Again, this kind of guessing attack isn’t possible for data captured from us, as your account password gets blended with your Secret Key by the 1Password app.

My miscalculation did mean that the contest ran much longer than originally expected, and we ended up quadrupling the prizes. But this is excellent news. It means that good-enough account passwords are within human reach. The even better news is that the additional cost didn’t come from my salary! Perhaps some day I’ll go over exactly how I underestimated the cost of the project in a future, more technical blog post that covers the pricing of GPUs over the years, opportunity costs, and risk and uncertainty pricing. But don’t hold your breath considering that what you are reading now is long delayed.

What you should do

Our general advice about account password choice hasn’t changed, but I’m repeating it here because your account password (along with our slow hashing) is your only defense if your 1Password data is captured from your own device. Neither two-factor authentication (2FA) nor your Secret Key can protect you in that particular case. Your Secret Key will protect you if data is stolen from us, but if data is stolen from your own system, we have to assume the attacker gets the Secret Key with it.

How you balance these four key points with your specific needs, habits, and use cases is something you’ll have to decide for yourself.

1. It must be used only as your 1Password account password

In the small handful of cases where we learned that someone’s 1Password data was compromised, we discovered that the victim reused their account password for a less secure service, or had deliberately shared their credentials with someone only to regret it later. You may, however, opt to use the same account passwords for multiple 1Password accounts.

2. It should be the strongest that you can reliably and comfortably use

You need to find the balance that works for you. Your account password needs to be something that you can reliably use several times a day on multiple devices. Keep in mind that the more you use it, the easier it will become to type and remember. Even if you set up biometric unlock, 1Password will occasionally prompt you for your account password to ensure you don’t forget it.

3. Randomly created passwords are much stronger than human-created ones

I encourage you to use our password generator to create your account password. Even with the same requirements, human-created passwords are much easier for attackers to guess than randomly-created passwords.

A human tasked with creating, say, a 10-character password with numbers and mixed-case letters is more likely to create a password like Iloveyou12 than they are to create Wa7RoWTC18. Both meet the technical requirements, but humans do not pick uniformly from the set of about 420 quadrillion passwords that meet those requirements. That is, some of those 420 quadrillion passwords are more likely to be picked than others. A good password generator does pick uniformly, meaning that each of those 420 quadrillion ten-character passwords is as likely to be picked as any other. Attackers very much tune which guesses they try first based on their extensive knowledge of human password choice.

There really is no comparison between generated passwords and human-created ones. Literally. We have no reliable way to determine how strong human-created passwords are, so we can’t make a proper comparison between human-created ones and those created by our Strong Password Generator.[1] What we do know is that human-created passwords do get successfully cracked, while machine-generated ones do not.

Although I will continue to preach the virtues of generated account passwords, your account password must be something you can reliably and comfortably use.
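The point about uniform versus non-uniform picking can be made quantitative. The example below is added here and is not code from 1Password or from the contest repository: it computes the expected number of guesses an attacker needs when they try candidates in order of probability, first for a uniform pick from a space of 2¹⁶ candidates and then for a constructed Zipf-shaped distribution over the same candidates (an assumed stand-in for skewed human choice, not measured data), and converts each into the size of the uniform space that would cost the same to search.

```python
"""Expected attacker effort: uniformly generated passwords versus skewed choice.

Added illustration; not code from 1Password or the contest repository.
The Zipf distribution is a constructed assumption standing in for human
password frequencies, which the post says cannot be measured reliably.
"""
import math


def expected_guesses(probabilities):
    """Expected guesses for an attacker who knows the distribution and tries
    candidates in descending order of probability: E[G] = sum_i p_(i) * i."""
    ordered = sorted(probabilities, reverse=True)
    return sum(p * rank for rank, p in enumerate(ordered, start=1))


def guess_equivalent_bits(expected):
    """Bits of a uniform space needing the same expected number of guesses.
    A uniform pick from 2^b candidates needs (2^b + 1) / 2 guesses on average."""
    return math.log2(2 * expected - 1)


def uniform_distribution(n):
    """Every one of the n candidates equally likely: what a generator does."""
    return [1.0 / n] * n


def zipf_distribution(n, s=1.0):
    """Constructed skewed choice: the candidate of rank r has weight 1 / r^s."""
    weights = [1.0 / (r ** s) for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def compare(n=2 ** 16):
    """Return (uniform_bits, skewed_bits) for a space of n candidate passwords."""
    uniform_bits = guess_equivalent_bits(expected_guesses(uniform_distribution(n)))
    skewed_bits = guess_equivalent_bits(expected_guesses(zipf_distribution(n)))
    return uniform_bits, skewed_bits


if __name__ == "__main__":
    u, s = compare()
    print(f"uniform pick from 2^16 candidates: {u:.2f} bits of guessing work")
    print(f"Zipf-skewed pick from the same candidates: {s:.2f} bits of guessing work")
```

The same 65,536 candidates cost the attacker the full 16 bits of work when chosen uniformly but only about 13.5 bits when chosen with the skew assumed here, which is the effect the paragraph above describes: the space of allowed passwords is unchanged, but the attacker's ordering of guesses makes the human-chosen ones cheaper.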

4. Have a backup

Print a paper copy of your Emergency Kit, record your password on the paper, and store it in a safe place. This is especially important after you’ve created your account password or changed it.

If you have a 1Password Families or 1Password Business membership, designated members of that account will be able to help you restore access to your data if you forget your account password or lose your Secret Key. If others in your family or team are relying on you to perform such a recovery, your Emergency Kit should be printed out and easily accessible in case of an emergency.

Money vs. Time

What we’ve learned through the cracking contest doesn’t change our advice, but it does allow us to put a price on cracking account passwords. I want to emphasize that we are not talking in terms of how long it would take an attacker to crack a password, but instead in terms of how much it would cost them in computing resources. What might take weeks for some attackers would take years for others.

Because one attacker might dedicate two GPUs for 16 weeks working on a 40-bit password, while another might dedicate eight GPUs over four weeks, a better representation of the work an attacker has to do is to put it in terms of money. We designed the cracking contest to find out how much effort it would take (while there was still some time pressure for them to do it).

Instead of saying “for a 40-bit password it is between four and 16 weeks depending on what hardware the attacker uses”, we say “for a 40-bit password, it takes about $770 USD of effort in capital costs and running costs”. Each additional bit doubles the cost, so if 40 bits takes $770 USD of effort, then 41 bits requires twice that, around $1,500 USD of effort; and 42 bits would double that again to about $3,000 USD.

Our contest was also designed to be hard enough to attract experts. Experts have the tools, experience, and knowledge to crack things most efficiently. Some people new to password cracking vastly overestimated how much it would cost because they were looking at approaches that experts wouldn’t use.

So, with our estimate of $6 USD for 2³² guesses given the password hashing scheme we use (100,000 iterations of PBKDF2-H256), I present the following table.

Cracking cost for different generation schemes

One of the very cool things about our password generator is that we can compute the strength of a generated password precisely from settings given to the generator. Unlike human-created passwords, we don’t have to look at the actual password and make estimates. If we combine the strength with our estimated cracking cost of $6 USD for every 2³² guesses, we can look at how different kinds of passwords from our generator would fare under the attack conditions from the contest.

The column headed “generator settings” describes the instructions to our password generator, though not all of these options may be available to users in all 1Password clients.

  • Wordlist (labeled “word”) passwords. These are made up of words picked randomly from a list of about 18,000 English language words less than nine characters long. These can have a constant separator between words, randomly chosen digits, or randomly chosen digits and symbols. One word may be randomly chosen to be made uppercase.
  • Default Smart password. These are like the wordlist passwords, but instead of English words they use groups of three letters. One of the five groups is capitalized, and the groups are separated by digits and symbols. There are about 9650 possible groups.
  • Character (labeled “char”) passwords, which are made up of things like letters and digits. These may be lowercase only, or require uppercase letters, or require digits.

Note, as always, that human-created passwords will be far weaker than those created by our password generator. What we list here are the strengths of generated passwords.

| Generator settings | Bits | Cost (USD) | Example |
| --- | --- | --- | --- |
| 3 word, constant separator | 42.45 | 4,200 | prithee-insured-buoyant |
| 8 char, uppercase, lowercase, digits | 45.62 | 38,000 | 8NhJqHPY |
| 3 word, digit separator | 48.06 | 200,000 | swatch2forte1dill |
| 9 char, uppercase, lowercase, digits | 51.51 | 2,200,000 | siFc96vGw |
| 4 word, constant separator | 56.60 | 76,000,000 | align-caught-boycott-delete |
| 10 char, uppercase, lowercase, digits | 57.37 | 130,000,000 | rmrgKDAyeY |
| 4 word, constant separator, capitalize one | 58.60 | 310,000,000 | purdue-fondue-mull-SAUL |
| 4 word, digit separator, capitalize one | 67.02 | 100 billion | thesis7wizen9eclipse2BOATMEN |
| 12 char, uppercase, lowercase | 67.02 | 100 billion | fFgJxymYEsJak |
| 5 word, constant separator | 70.75 | 1.4 trillion | passion-ken-omit-verso-tortoise |
| 5 words, constant separator, capitalize one | 73.07 | 6.9 trillion | lady-chaise-PRISONER-mae-pocosin |
| Smart password | 84.20 | 16 quadrillion | kqh*jtg!vzk8CPR4zfe |
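The cost column follows from the bits column by a single rule: at $6 USD per 2³² guesses, and with an attacker on average searching half the space, the expected cost of a b-bit password is 6 × 2^(b − 33) USD, which is why each extra bit doubles it. The example below is added here and is not the contest repository's R code; it reproduces the arithmetic, rounds to two significant figures as the table does, and computes the bits of a wordlist password from the post's figure of about 18,000 words (the separator alphabet is not stated in the post, so separators are deliberately not modelled).

```python
"""Reproduce the bits-to-cost arithmetic behind the cracking-cost table.

Added example; not the contest repository's own code. The only empirical
input is the post's figure of about $6 USD per 2^32 guesses against
100,000-round PBKDF2. A uniformly generated password of b bits has 2^b
equally likely values, and an attacker on average tries half of them.
"""
import math

USD_PER_2_32_GUESSES = 6.0  # contest estimate, per the post


def expected_cost_usd(bits, usd_per_2_32=USD_PER_2_32_GUESSES):
    """Average cost to crack a password of the given strength in bits.

    Full space: 2^bits guesses; expected work is half of that, so
    cost = usd_per_2_32 * 2^bits / 2^32 / 2 = usd_per_2_32 * 2^(bits - 33).
    """
    return usd_per_2_32 * 2 ** (bits - 33)


def uniform_bits(space_size):
    """Strength of a value drawn uniformly from space_size possibilities."""
    return math.log2(space_size)


def wordlist_bits(num_words, wordlist_size=18_000, capitalize_one=False):
    """Bits for num_words words drawn independently from a wordlist of
    wordlist_size entries (18,000 is the post's approximate figure).
    Capitalizing one randomly chosen word adds log2(num_words).
    Digit/symbol separators are not modelled: the post does not give
    the separator alphabet, so any value here would be a guess.
    """
    bits = num_words * uniform_bits(wordlist_size)
    if capitalize_one:
        bits += uniform_bits(num_words)
    return bits


def two_sig_figs(x):
    """Round to two significant figures, as the table's cost column does."""
    if x == 0:
        return 0
    exponent = math.floor(math.log10(abs(x)))
    return round(x, -(exponent - 1))


if __name__ == "__main__":
    for bits in (40, 42.45, 48.06, 56.60, 84.20):
        cost = two_sig_figs(expected_cost_usd(bits))
        print(f"{bits:6.2f} bits -> about ${cost:,.0f} USD")
    print(f"3 words from ~18,000: {wordlist_bits(3):.2f} bits")
    print(f"4 words, one capitalized: {wordlist_bits(4, capitalize_one=True):.2f} bits")
```

Running it gives $770 for 40 bits, $4,200 for 42.45 bits and $76,000,000 for 56.60 bits, matching the text and the table; the three-word wordlist figure comes out at about 42.4 bits, a few hundredths below the table's 42.45 because the wordlist size is only approximate here.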

Keep in mind that the costs are in terms of dedicated effort to break your password. A cost of $4,200 USD (a three-word generated password with a constant separator)[2] may be a sufficient deterrent even if you have much more than that in value in your data. This is because an attacker may have more attractive opportunities for the same amount of effort.

But if you think you’re likely to be specifically targeted, then $4,200 USD may not be enough for your needs. Changing to three words with digit separators ($230,000 USD) or four words ($76 million USD with constant separator, $26 billion USD with digit separator) is going to mean that an attacker is going to either give up or find cheaper ways (such as compromising your devices) than trying to crack your account password.

Maybe the wordlist-based passwords aren’t your thing. If their added length isn’t worth the improved memorability, then consider character-based generated passwords. You can get the same strength with much shorter passwords as long as these are generated in a truly random fashion. One thing I’ve learned since we introduced the wordlist passwords is that some people love them and some people hate them.

The winners

The first-place winners identified themselves by the names they go by in the password cracking community: s3inlc, winxp5421, blazer, and hops.

They expanded their team when they went after the second- and third-place prizes. I, along with some colleagues, had the pleasure of meeting many of them at PasswordsCon in November 2018. Indeed, they used some of their winnings to make the trip to PasswordsCon.

Resources

All of the computations from bits to costs are in the docs/Costs folder of the GitHub repository for the contest. That repository also contains all of the technical artifacts for the contest.

We also offer a CSV file containing bit strength for various password generation settings with our password generator. For guidance on what the column headers mean, see the R Markdown source in the GitHub repository.

There are slides and video for my 2020 PasswordsCon presentation about this contest.

Please join the discussion on our forum. There is a great deal more to say about this than can fit into this long-delayed blog post.

Timeline

If you want to feel like you were there as this progressed, it would be best to read the discussions as they were happening on our forum, but I will give an abbreviated timeline here:

April 23, 2018: Contest first announced in How strong should your Master Password be?
April 23, 2018: Published contest resources on GitHub, including the source code for how the challenges would be generated along with samples that people could test.
April 27: Bugcrowd enrollment opened up.
May 2: Challenges generated. PGP signatures (signatures only) of challenges and solutions published.
May 3: Challenges published. The race begins.
May 10–16: It became clear that the participants we were hearing from were only managing about 250,000 guesses per second, and so the contest as originally stated was too hard for the prizes offered. Internally, we decided that if there were no winners by mid-June we would double the prizes.
June 16: We doubled the prizes.
July 2: Opened discussion on offering hints.
July 26: Redoubled prize offerings. Committed to giving away more than $30,000 USD.
August 5: Published hint creation scheme.
August 23: First hints go live.
Late August – mid September: By this time, we already had a fair sense of cracking costs. Public discussion of incentives helped us understand that our incentives, even with the first hint, were too low.
September 25: Second hint published. Cracking is now four times easier than the original challenge and the prizes are four times the initial offering.
October 14, 6:10 UTC: First winning solution.
October 22: First data-driven estimate of cracking costs of approximately $6 USD for 2³² guesses. (Subsequent data from later wins merely increased confidence in this estimate.)
November 7: Second win.
November 11: Third win.
Mid November: Team that won the first three prizes volunteers to leave the fourth prize to other competitors.
January 14, 2019: Final winners. These winners had a different setup than the other winners, but the report of their work was consistent with our earlier cost estimate.
February 2019: I start working on this blog post. By May 2019, the blog post is “90% done”.
Today: This blog post is done.

  [1] The astute reader may have noticed that I’ve just dumped on our password strength meter. The truth of the matter is that while there is no reliable way to guess at the strength of a human-created password, some ways of estimating strength are better than others, and even if unreliable, these are useful guides that help people pick better passwords.

  [2] When talking about the contest challenge, I said that the cost was $4,300 USD, and now I say that it’s $4,200 USD. This is because our wordlist has shed a few words over the past few years, and so a three-word password generated in 2018 is a fraction of a bit stronger than one generated today. We have more than made up for this by enabling randomly chosen digit and symbol separators between words and for one random word to be capitalized.

Jeffrey Goldberg, Principal Security Architect