Over the past 48 hours, Internet security forums have buzzed with news about a newly discovered technique that allows crackers to make an impressive 3 million guesses per second when trying to find the passcode that unlocks the contents of the widely used 1Password password manager.

The optimization, devised by the developer of the oclHashcat-plus password cracking tool, achieved guessing speeds that were, depending on whom you are asking, from two to four times faster than expected. Its discovery was surprising, mainly because it relies in part on a subtle design flaw that until now has been overlooked.

Cryptographers disagree about whether the weakness resides in the popular cryptographic hash function folded into 1Password or the specific implementation contained in 1Password. Either way, the designers of 1Password are smart people who do cryptography right, so the flaw has turned heads. And while even a four-fold reduction in the time it takes to exhaust a cracking attack isn't earth-shattering, it's still significant, considering how many people use 1Password to store the keys to their digital kingdoms.

I spent much of the past two days reading various blog posts and communicating with people from both Hashcat and AgileBits, the developer of 1Password. After weighing a variety of sometimes conflicting viewpoints, I don't think users of the password manager have much to worry about, so long as they're following the company's oft-repeated advice for generating strong master passwords. Still, this bug needs to be fixed in 1Password, and possibly in other unrelated products that may also be affected. More about that later; first, let's review what we know about the weakness.

One way. Go slow

As many Ars readers know, it's never safe to store sensitive passwords in cleartext, or even in an encrypted format that can be mathematically converted back into plaintext. Enter the one-way cryptographic hash, a way of converting passwords, documents, or computer files into (theoretically) unique strings of text. As the description suggests, one-way hashes can't be reversed, so the only way to crack them is to run guesses through the same hash algorithm used in the first place. When the cracking output matches the intercepted hash, you've guessed the password. Crackers engage in the activity for fun and profit all the time.

Like all savvy developers whose software works with passwords, the AgileBits team has taken precautions to lower crackers' success. Chief among those measures is the use of the PBKDF2 hash function. This function allows developers to pass plaintext through SHA1, MD5, or any number of other hash algorithms hundreds or even thousands of times. That drives up the computing requirements needed to throw billions of guesses at a targeted hash and can literally add years or decades to the time it takes to arrive at the correct candidate. Functions such as scrypt and bcrypt do much the same thing.

Depending on the platform used to generate keychains, current versions of 1Password will pass the plaintext of a master password through 10,000 to about 45,000 iterations involving a randomization process known as HMAC, AgileBits "Chief Defender Against the Dark Arts" Jeffrey Goldberg told me. (Devices with lower processing speeds perform fewer iterations to prevent 1Password from requiring unacceptable amounts of time to unlock a keychain.) In a forum post published Tuesday, Hashcat developer Jens "atom" Steube said he was able to cut the number of repetitions required to crack passwords by a factor of four, allowing his PC running two AMD HD6990 graphics cards to throw 3 million guesses per second at a 1Password master password with 1,000 iterations. Since the password manager has been updated to require a minimum of 10,000 iterations, as Goldberg told me, cracking efforts presumably would increase proportionately.

Steube's technique is able to reduce the number of required repetitions by targeting the way PBKDF2 running in 1Password interacts with SHA1. When a user unlocks a keychain, each iteration actually calls the hash algorithm twice, once to generate a 128-bit AES key and again to generate what's known as an initialization vector of the same bit length. (Because SHA1 generates hashes of 160 bits, 1Password taps it twice to generate two 128-bit outputs, discarding what's left over.) What has surprised people over the past two days is the revelation that once the 128-bit AES key is discovered, crackers know immediately that they have arrived at the correct password guess. The Hashcat optimization works by running guesses through only the part that involves the AES key, effectively cutting in half the number of SHA1 calls needed to crack a master password.

Public reaction to the new technique has understandably prompted some panicked comments, mostly on Twitter. Fortunately, a handful of cryptography experts have stepped in to provide a reality check.

"For the end users, it means that an attacker only needs to perform 50% of the SHA1 calls that the 1Password software needs (maybe only 25%, depending on how optimized the 1Password code is)," security consultant and software developer Adam Caudill wrote in a blog post published Tuesday. "When it comes to password cracking, that certainly seems less secure than what was intended. As flaws go, it could be far worse, but it's likely less secure than intended."

Thomas Ptacek, founder and principal at Matasano Security, is even more adamant that there's no meaningful security vulnerability. Yes, for legitimate users unlocking their 1Password keychain, each iteration calls the SHA1-version of HMAC twice, and this requirement doesn't extend to crackers who merely want to test whether a password guess is right. But it doesn't automatically follow that this arrangement is a defect, he argued.

"This is not a great design," he explained. "But it's bad in a way that wastes cycles for users. The fact that [1Password] does extra PBKDF2 work that doesn't bind on attackers [doesn't] make [1Password] meaningfully weaker than any other app that uses PBKDF2, because it was already weird that they were tapping PBKDF2 twice to begin with. A more idiomatic use of PBKDF2 in this situation would be to tap PBKDF2 once, and then expand it (say with SHA2) to 256 bits. That design, which is totally reasonable and would not be the subject of a news story, would be equivalently secure to the 'flawed' approach [1Password] took."

Not all cryptographers are as quick to dismiss the practical consequences, however.

"The analogy I'd give is: it's like buying a life insurance policy that suits your needs, then finding out you could have gotten a much more generous policy for the same premium," Matthew Green, a professor at Johns Hopkins University told me. "1Password is happy with the insurance they bought. At the same time, they—and their users—could be much better protected."

1Password's Goldberg blamed the odd behavior on a "subtle design flaw" that is triggered when a hash function is programmed to derive outputs that exceed what a single hash iteration is capable of producing. But he still isn't sure if the flaw resides only in 1Password or in the hashing function itself.

"This very well may be a newly discovered problem with PBKDF2," he said. "If it's designed to be able to give you more bits out than the hash you give it, it shouldn't be weakened by how you choose to use those bits."

Curiously, he said, 1Password appears to make only one call to SHA1 to generate the two 128-bit outputs, and it was only after Steube's post that he discovered the program somehow executes that request by making a second iteration. He has heard rumors that scrypt may exhibit some similarly odd behavior, but he hasn't yet had time to investigate them. Ultimately, 1Password will have to make changes to counter the effects of the newly discovered optimization. One possibility is to replace SHA1 with SHA512 or another algorithm that generates larger outputs. Another possibility is for 1Password to do away with PBKDF2 altogether. And if it's true that PBKDF2 or other hash functions behave similarly, it may be time to tweak other applications or even rewrite entire encryption protocols.

"PBKDF2 is not serving its purpose as well as we would want," Goldberg wrote in blog post published Wednesday. "Now I love PBKDF2. It may not be engraved on my heart, but it is engraved on my iPad. But it has been growing clearer that the world needs a successor to PBKDF2."

While the new technique for cracking 1Password has knitted the brows of cryptographers and security experts, end users have little reason for concern, so long as they're picking truly strong master passwords to encrypt their keychains. Even when attacking an older version of 1Password that uses only 1,000 PBKDF2 iterations, Hashcat will require about 19 years to crack a randomly derived four-word passcode. Those times increase to 192 years and 482 years for 10,000 repetition and 45,000 repetitions respectively. Those times may not be as long as previously thought, but they should tide us over until cryptographers devise something better.

Listing image by because_just