Skip to main content
likethesky
February 4, 2025
Question

Strength of 1Password master password vs 2fac

  • February 4, 2025
  • 3 replies
  • 236 views

Hi 1P folks ~

I appreciated @thedean‘s recent post about password complexity requirements and this got me thinking more deeply about how complex my 1Password master password needs to be.

I use a hardware key for 2factor authentication (like a Yubikey), and I’m wondering how necessary a 70 bit+ master password is, if I use a yubikey like device too?

I suppose the attack vector there is, they steal my yubikey. The question then becomes is it just as easy for them to spend—say “only” [EDIT] $76 M, as mentioned in your article dated 2018, updated last in 2021, for a 56-bits of entropy password–to crack my password if they have possession of my yubikey like device? Or does having to use my yubikey—even though they have possession—make a [EDITs made to bits of entropy] 56 bit+ password much more expensive? I like the $1T cost of 70+ bits, that way only if Zuck, Musk, and Bezos agree to burn all their resources together can it be cracked. ;-)

Anyway, my question is—in short—do I need to have a 71-bits of entropy password if I’m using a yubikey-like device for 2fac, or not—if I want to maintain a $1T cost to attackers—were my yubikey to be stolen? (Iow, does having possession of my yubikey like device bring the cost to exactly what it would be if I weren’t using a hardware device, or does it somehow rate slow or otherwise inhibit the attacker and, essentially, add more bits of entropy or make it impossible(bly expensive) to attack a 56 bit password?)

3 replies

likethesky
February 4, 2025

Still hoping for someone from 1P to respond here. Thanks!

likethesky
February 11, 2025

Maybe someone could just respond: "Hey, we've passed this along to a senior engineering contact who is researching this question and that person should be able to get back to you within the next week or so?" Or something like that? Thanks again!

likethesky
February 28, 2025

This query seems to have been lost in a bit bucket somewhere… can someone respond?