by roustem 5199 days ago
I agree.

I am going to add the PBKDF2 strengthening and fix the problem with the PKCS#7 padding mentioned in the article. We plan to submit the 1Password update by the end of March.

The support for iOS 3 and the old devices really hurt us there, as the performance gap between iPhone 3 and iPhone 4S is huge and so far we were targeting the lowest common denominator. I am still not sure what to do about the older iPhones. We'll probably try to adjust the number of PBKDF2 iterations based on the device. Unfortunately, the PBKDF2 calibration API is only available on iOS 5.

2 comments

Hardly anyone runs on iOS3 and/or iPhone3 - do you have data showing this market segment is large?

Weakening security for such a tiny market segment - I can't imagine that's worth it.

We don't collect any usage information.

About 18 months ago I removed support for iOS 3 and we got a huge pushback from existing users. I spent another month adding back iOS 3 support. I am sure things must be different now.

In other products which are very, very non-tech consumer focused, I've seen almost zero iOS 3 deployment. You should feel incredibly comfortable deploying as iOS 5+ only at this point.

  >  i've seen almost zero iOS 3 deployment

  > You should feel incredibly comfortable deploying
  > as iOS 5+
A number seems to be missing there.
People most definitely still use older phones. I use my iPhone 3G when I travel overseas because there's an easy unlock available for it (unlike the baseband on my current model). And a password manager is one of the things I really want to work across all my devices. Actually, if I can't share a 1password database between old and new phones, I'll probably be looking for a different password manager. Having said that, I obviously don't expect it to perform fast on older hardware.
Thank you for being forthright and responsive.

I think the better thing to do for older devices would have been to make it a user-settable option, with a note on first install. I would have preferred to have a 5 or even 10 second delay in opening my 1password keychain, rather than have it less secure. But it's a moot point now--as others noted, the older devices are quickly falling out of favor (at least among those savvy enough to use something like 1password).
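
An added illustration of the two ideas discussed in this thread, adjusting the PBKDF2 iteration count to the device and letting the user choose the unlock delay; it is not code from 1Password or from any commenter. It times a probe with Python's `hashlib` rather than the iOS calibration API mentioned above, and the function names, SHA-256, the probe size and the iteration floor are all assumptions.

```python
import hashlib
import os
import time

PROBE_ITERATIONS = 20_000   # assumed size of the timing probe
MIN_ITERATIONS = 10_000     # assumed floor; slow hardware never goes below it


def calibrate_iterations(target_seconds, timer=time.perf_counter):
    """Estimate the PBKDF2 iteration count that costs ~target_seconds here."""
    start = timer()
    hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16,
                        PROBE_ITERATIONS, 32)
    elapsed = timer() - start
    if elapsed <= 0:                       # timer too coarse to measure the probe
        return max(MIN_ITERATIONS, PROBE_ITERATIONS)
    estimate = round(PROBE_ITERATIONS * target_seconds / elapsed)
    return max(MIN_ITERATIONS, estimate)   # a slow device is clamped, not weakened


def new_header(target_seconds, timer=time.perf_counter):
    """Create per-keychain KDF parameters, stored unencrypted beside the data."""
    return {"salt": os.urandom(16),
            "iterations": calibrate_iterations(target_seconds, timer)}


def derive_key(master_password, header):
    """Derive the 256-bit key from the parameters recorded in the header.

    The count comes from the header, not from the device opening the file, so a
    keychain created on fast hardware still opens (more slowly) on an old phone.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password, header["salt"],
                               header["iterations"], 32)


if __name__ == "__main__":
    header = new_header(target_seconds=0.5)    # the user-settable unlock delay
    key = derive_key(b"constructed sample password", header)
    print(header["iterations"], key.hex()[:16])
```

Because the iteration count travels with the keychain, the cost on an older device is a longer unlock rather than a weaker key.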