Getting chilly for charity

I’m not sure if you’ve been on the Internet lately, but there’s this “ice bucket challenge” thing going around. Sure enough, some members of the AgileBits crew were challenged, and in good form … we challenged all of our co-workers.

We’ve made a donation to ALS (as well as several other causes near and dear to our hearts) and thoroughly enjoyed helping our teammates take the plunge.

Now that we’ve done our good deed for the week, we challenge YOU. Make the world a better place. Donate to a worthy cause and dump a bucket of ice water on a friend.

Our 1Password App Extension for iOS 8 is already supported by over 100 apps, here are nearly 20

The response to 1Password’s App Extension for iOS 8 has been incredible: our customers are beyond excited to use 1Password across iOS with Touch ID and their favorite apps, and an amazing number of developers have already added our extension to their upcoming apps in preparation for iOS 8!

We can’t share the full list of developers yet (we just cracked 100!). But we can show you nearly 20 apps that are already working on integrating 1Password’s iOS 8 App Extension for fast, one-tap logging in and even updating your passwords!

Plus, our 1Password update for iOS 8 will be free to existing customers! Since you can get 1Password for iOS for just $9.99, you can start saving time and get secure online right now.

What the 1Password App Extension can do for you

Since the announcement, our mad-scientist developers have kept working in their secret laboratory to add even more super-hero powers to this powerful extension. Developers, check out our GitHub project to add 1Password integration to your own apps!

Here’s the rundown of the skills we’ve added to the extension so far:

  • Fill Logins, Credit Cards, and Identities into Safari
  • Fill Logins into other third party apps (including web browsers) that add support for it
  • Generate strong, unique passwords and create new Logins during a signup process
  • Update a Login’s password if you change it in an app

Apps that already Love 1Password

As promised, here is a sample of the over 100 apps that are already preparing for iOS 8 and for our new extension to ship!


Watch what you type: 1Password’s defenses against keystroke loggers

I have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer [and obtained root privileges], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware, particularly keystroke loggers, running on your computer could capture your Master Password.

Safe at rest

Let me clarify one thing before going on. 1Password does protect you from the attacker who breaks into your computer and steals your 1Password data. The 1Password data format is designed with just such attacks in mind. This is why your data is encrypted with keys derived from your Master Password. It is also why we’ve put in measures to make it much harder for an attacker to try to guess your Master Password in the event that they do capture your data.

Even if an attacker gains access to your computer and 1Password data, there is little she can do without your Master Password. In this article, I’m focusing on another kind of attack in which the attacker tries to “listen in” to you typing your Master Password. This attacker is running a program on your computer that attempts to record everything you type on the keyboard or enter through some sort of keyboard-like device.

Countering counter-counter measures

I will get to the details below, but this article aims to describe and explain a change in how 1Password for Windows secures its Secure Desktop, a counter measure against a common type of keystroke logger. This change was added recently to 1Password 1 for Windows and has been included in 1Password 4 for Windows since its launch.

Márcio Almeida de Macêdo and Bruno Gonçalves de Oliveira of Trustwave SpiderLabs have discovered a way that a keystroke logger could work around our use of Secure Desktop and reported this to us. They have now reported this publicly (link might be having trouble, but it’s listed among their Security Advisories). We have since added a mechanism which prevents that particular counter measure to Secure Desktop. We very much appreciate SpiderLabs for giving us the opportunity to put a fix in place before announcing their discovery to the public. Trustwave SpiderLabs might grab fewer headlines by having done the right thing, but they have done the right thing.

Secure Desktop itself is a counter measure to keystroke loggers. De Macêdo and de Oliveira’s discovery is a counter measure to our counter measure. We have now introduced a counter-counter-counter measure. All of this will be explained, but it requires a lot of background into how keystroke loggers work and various ways to defend against them.

Keystroke loggers

Keystroke loggers attempt to capture everything that is typed on a particular computer or keyboard and pass that information on to a third party.

There are one or two legitimate uses of these (such as in research on writing), but those all involve the consent of those whose key strokes are being logged. More typically, keystroke loggers run surreptitiously, and are an attack on user privacy. I know that people don’t come to this blog for relationship advice, but if you are seriously tempted to install a keystroke logger to spy on a spouse or lover – a popular use of these things – then I have my doubts about the future of your relationship. Since you didn’t come here for relationship advice (and if you did you came to the wrong place), let’s return to how keystroke loggers work.

Logger in the middle

There are many different ways that keystroke loggers can work, but one useful way to think about this is as something (either hardware or software) that sits between your keyboard and the program you are typing into, something which shouldn’t be there.

For keyboards that are attached to a computer with a cable, the simplest keystroke loggers are little physical devices that the attacker plugs into the computer, and then plugs the keyboard cable into that.

The keystroke logger is, in this case, sitting between the keyboard and the computer. The computer thinks it is talking directly to the keyboard, and the keyboard thinks it is talking to the computer, but the keystroke logger is sitting between them.

Alternatively, software keystroke loggers sit between components deep within the operating system and silently grab data. Things that are embedded that deeply or are using hardware loggers are not things that user software can detect or defend against.

Most keystroke logging is shallow

Most keystroke loggers take a simpler approach, rather than inserting themselves deep within the system. It is much simpler to write a program that says “hey, I am a program that needs to know everything that is coming in from the keyboard.” Operating systems provide hooks for programs to do exactly that.

You might be asking why operating systems might make writing keystroke loggers so easy. What business does any program running in the background have in seeing the input to some other program? One reason is to help my poor dog Molly, who suffers from (among other things) diabetes. This has led to sufficient necrosis in her paws so that she cannot easily type using a standard keyboard. The specialized device that she uses involves some clever software that looks at the input and uses various predictive technologies to replace the actual input with the intended text. This system intercepts (and changes) input bound for any program running on her computer; however, as far as most programs know, they are just getting input from a “keyboard”. Assistive technologies similar to the one Molly uses are a big part of making computing and communication accessible to more people.

Not only is a basic keystroke logger easy to write, it doesn’t require a complete break into a system. Different processes on a computer run with different privileges. When Molly logs in to her account and runs a program on a computer, the program is run under her user ID and with her privileges. This means that she isn’t able to interfere with processes that are run by Patty (the other dog). She also isn’t able to interfere with the system as a whole. If Mr Talk (the neighbor’s cat) tricks Molly into running a malicious program, that malware will be limited in the damage it can do.

The really deep and hard-to-avoid keystroke loggers would require full power over the system to install. But one of these simpler keystroke loggers requires only the privileges of the user whose keystrokes are to be recorded. So if Molly gets tricked into running a keystroke logger, it won’t affect Patty even if they use the same computer (as long as they are using different accounts). As you can imagine, the bulk of malicious keystroke loggers that spread through computer infection are of this shallower sort.

Counter measures

Now that we have some idea of how the typical keystroke logger works, it’s time to look at some counter-measures. The two most important counter-measures are:

  • keep your system and software up to date
  • exercise caution in what software you install and run

But let me focus on a couple of the counter-measures that 1Password takes.

Counter measures on Mac: Secure Input

On Mac OS X, there are two simple provisions that make it easy to thwart those shallow key loggers. The first one of these is called “Secure Input” and was introduced with OS X 10.3 Panther in 2003. A program, 1Password for example, can say, “when the user types something into this particular input field, it must be done in a way that other processes can’t interfere.” Secure Input needs to be used sparingly, as it blocks all sorts of legitimate activity, including assistive technologies that many people (and a few dogs) rely on. And Secure Input blocks TextExpander, which I rely on.

Because 1Password declares the field in which you type your Master Password as a “Secure Input field”, ordinary key loggers won’t have access to it. Since last year’s OS X 10.9 Mavericks, there is another defense built into the operating system. A program can only capture all of a user’s keystrokes if the user has explicitly granted it that permission in System Preferences > Security & Privacy > Privacy under Accessibility. As I described earlier, most (but not all) such programs are components of assistive technologies designed to make computers accessible to more people. That is why this system preference is ultimately under Accessibility.

Between these two mechanisms – Secure Input and the requirement that any application able to log keystrokes have explicit user approval to do so – OS X defends against these otherwise common sorts of keystroke loggers.

Counter measures on Windows: Secure Desktop


Windows doesn’t offer the same sorts of defenses that OS X has, but it does allow for the creation of somewhat isolated environments called “Desktops”. On Windows, one can set up different Desktops in which only your program is running (along with system processes). A program running in one Desktop will not be able to listen in on keyboard input in a separate Desktop.

You will find a button that says “Unlock with Secure Desktop” in the upper right corner of the lock screen in 1Password 4. Clicking on that launches the Secure Desktop in which you will be prompted for your Master Password. You can take a look at Unlock with Secure Desktop in action.

Countering Secure Desktop

What de Macêdo and de Oliveira have discovered is that there is a way to set up a keystroke logger that does operate in all desktops, not just the one it was started in. Quite simply, their system launches a process that is able to listen for the creation of new desktops and add a process to each desktop created.

The ease with which they were able to do this (well, everything looks easy in retrospect) reflects the fact that the SwitchDesktop function in Windows was not designed for security purposes. We and others who use Secure Desktop as a mechanism for evading keystroke loggers have been taking advantage of the relatively isolated environment of a separate Desktop. Once the authors of keystroke loggers take our counter measures into account, they can launch counter-counter measures like the one Trustwave describes.

Knowing your environment

We want nothing but system processes and 1Password’s Master Password entry to be running in a Secure Desktop. We don’t want other, probably malicious, processes joining that Desktop. And so, our counter-counter-counter measure is to simply look around and see if there is anything running in the Secure Desktop that is unexpected.

If some unexpected process is found in the Secure Desktop environment, you’ll be prompted to close the Secure Desktop.

Secure Desktop: 1Password has detected an unknown process
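One way the "look around" check described above could work, as an added example that is not 1Password's code: walk the top-level windows on the current desktop with the Win32 calls EnumDesktopWindows, GetWindowThreadProcessId and QueryFullProcessImageNameA, and compare each owner's full image path against an allowlist. The allowlist paths, the sample snapshot and all function names are constructed for illustration, and the Win32 part compiles only on Windows.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed allowlist of full image paths expected on the Secure Desktop. */
static const char *const EXPECTED[] = {
    "C:\\Windows\\System32\\example-system.exe",          /* placeholder */
    "C:\\Program Files\\ExampleVault\\unlock-prompt.exe", /* placeholder */
};

/* ASCII case-insensitive compare; Windows paths are normally case-insensitive. */
static int path_equal_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b; /* equal only if both strings ended together */
}

/* 1 if the full path is allowlisted. A missing path (the process could not
   be queried) counts as unexpected, so the check fails closed. */
int is_expected_image(const char *image_path) {
    size_t i;
    if (image_path == NULL || image_path[0] == '\0')
        return 0;
    for (i = 0; i < sizeof EXPECTED / sizeof EXPECTED[0]; i++)
        if (path_equal_ci(image_path, EXPECTED[i]))
            return 1;
    return 0;
}

/* Number of snapshot entries that should trigger the warning prompt. */
int count_unexpected(const char *const *paths, size_t n) {
    size_t i;
    int bad = 0;
    for (i = 0; i < n; i++)
        if (!is_expected_image(paths[i]))
            bad++;
    return bad;
}

#ifdef _WIN32
#include <windows.h>

/* Called once per top-level window on the desktop being inspected. */
static BOOL CALLBACK on_window(HWND hwnd, LPARAM lp) {
    char path[MAX_PATH];
    DWORD len = MAX_PATH, pid = 0;
    const char *image = NULL;
    HANDLE proc;
    GetWindowThreadProcessId(hwnd, &pid);
    if (pid == GetCurrentProcessId())
        return TRUE; /* the prompt's own window */
    proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (proc != NULL) {
        if (QueryFullProcessImageNameA(proc, 0, path, &len))
            image = path;
        CloseHandle(proc);
    }
    if (!is_expected_image(image))
        (*(int *)lp)++;
    return TRUE; /* keep enumerating */
}

/* Windows on this thread's desktop owned by unexpected processes, or -1 if
   enumeration fails. Any result other than 0 should close the desktop. */
int scan_current_desktop(void) {
    int unexpected = 0;
    HDESK desk = GetThreadDesktop(GetCurrentThreadId());
    if (desk == NULL || !EnumDesktopWindows(desk, on_window, (LPARAM)&unexpected))
        return -1;
    return unexpected;
}
#endif

/* Constructed snapshot: a look-alike file name in a user directory, and a
   NULL for a process whose image path could not be read. */
static const char *const SAMPLE[] = {
    "c:\\windows\\system32\\EXAMPLE-SYSTEM.EXE",
    "C:\\Users\\molly\\AppData\\Local\\Temp\\example-system.exe",
    "C:\\Program Files\\ExampleVault\\unlock-prompt.exe",
    NULL,
};

int main(void) {
    printf("unexpected in sample: %d\n", count_unexpected(SAMPLE, 4));
#ifdef _WIN32
    printf("unexpected on live desktop: %d\n", scan_current_desktop());
#endif
    return 0;
}
```

Matching on the full path rather than the file name is what rejects the look-alike in the user's Temp directory. The window walk only sees processes that own a top-level window on the desktop, so it is one signal rather than a complete inventory.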

Lessons

1. Keep your system and software up to date

The single biggest thing you can do for your computer security is to keep your system and software up to date. The overwhelming majority of actual break-ins are through vulnerabilities that have already been fixed by the software vendors.

2. Pay attention to what software you install and where you get it from

Keystroke loggers and other malware are often installed unwittingly by the victims themselves. Try not to be one of those victims. Be particularly careful of anything that tries to frighten you into installing it. Fake security software and alerts are a common way to get people to install malicious software.

The move toward curated app stores offers additional protections, but it isn’t a complete solution. Still, using those where available will reduce your risks.

3. Use Windows Defender on Windows

I have long been skeptical of most anti-virus software, but Microsoft Security Essentials is something I can unequivocally recommend for those using Windows 7. In Windows 8, Windows Defender is automatically built in and enabled.

4. Understand what software can and can’t do for you

The core security design of 1Password is extremely strong. Quite simply: if you have a good Master Password, nobody who gets a copy of your 1Password data will be able to decrypt it. 1Password can and does offer outstanding security.

At the same time, 1Password is limited in what it can do to protect you when you are using a compromised computer. It can (and does) offer some protection against shallow (the most common) attacks. But this is a bit of an arms race. As you see, we have had to put into place a counter measure to a counter measure to our counter measure against common keystroke loggers.

This is why the first two items on this list are so important.

In conclusion

1Password takes extraordinary and effective steps to protect your data. This is built into every aspect of its design. But you have to help protect 1Password from malware running on your machine. We do what we can to make things harder for the malware writers, but we can’t do it alone. You must try to provide a safe environment for 1Password and all of your software to run in.

This shared responsibility is similar to that which we have with your Master Password. We provide excellent encryption and protections and defenses against automated password guessing. But you have to pick a good Master Password and treat it well. For those who might be wondering, displaying your password on a giant screen is not treating a password well.


1Password 4.1 for Android brings new features and new freemium pricing!

Since the release of the all-new 1Password 4 for Android, we’ve been thrilled with your feedback and our developers immediately got to work on our first free update. Now we’re back with version 4.1 (rolling out through Google’s servers as you read this!), which packs some powerful new features and our brand new freemium pricing so everyone can get secure, convenient security!

Features and Fun

1Password 4.1 for Android includes some big improvements:

  • Create your 1Password datafile right within the app – You no longer need an existing agilekeychain file to enable sync
  • Stay secure, whether you pronounce it asegurar, sichern, garantir or обеспечить. Version 4.1 has localizations for 17 languages – including Spanish, German, Portuguese and Russian
  • Freemium pricing – 1Password 4 for Android is now free for anyone to try with premium features unlockable via a one-time, in-app purchase. Read on for details!
  • Full release notes with all the features, improvements and fixes are available via the Settings pane within the app

Choose your own adventure with the Freemium model

Do you just need quick access to a password on the go? Or are you a mobile security ninja adding passwords and organizing your data in exotic locations on your Android phone or tablet?

Either way, our new freemium pricing in 1Password 4.1 for Android has you covered. You can now get 1Password 4 for free in the Google Play Store, and everyone can try all premium features for 30 days.

1Password 4 for Android, the Reader version

As a free app, 1Password 4 for Android can:

  • View all items in the vault
  • Delete items from the vault
  • Browse your favourite sites with 1Password’s built-in web view
  • Access all options in Settings (including PIN code and Rich Icons)
  • Configure sync with Dropbox or Folder Sync – both to an existing vault created with one of our other editions or by creating a brand-new vault
  • A whole lot more!

1Password 4 for Android, the premium version

The paid edition unlocks the full power of 1Password for Android, right in your pocket:

  • Create and add an unlimited number of new items
  • Modify existing items
  • Organize items into Folders
  • Mark (and unmark) items as Favourites for quick access… or ‘Favorites’ for our friends south of the border

All 1Password 4 premium features are available for a single in-app purchase of $9.99 and will apply to all devices using the same Google Play Store account.

Did someone say “Sale!”?

You may have noticed that 1Password 4 for Mac, 1Password 4 for Windows and 1Password 4 for iOS are currently on sale, so we certainly couldn’t leave 1Password 4 for Android out of the fun!

For a limited time, you can unlock the premium features of 1Password for only $7.99 – a 20% discount! We do mean limited time, though, so snag those premium features, keep your 1Password data organized, and get simple, convenient security at an incredible price!

Announcing the Get Secure With 1Password Now But Also Stay Secure This Fall When Our Free Updates Arrive Sale

Ok, so maybe our Director of Naming Sales is still in bed, but that changes nothing: in light of this purportedly massive Russian data breach, now is a great time to get yourself, your friends, your coworkers, and that random stranger you always seem to pass on the way to work more secure online.

That’s why we’ve put 1Password for desktops on sale for 30 percent off, and 1Password for iPhone and iPad on sale for a whopping 40 percent off (1Password 4 for Android remains free-to-try through August 18!).

Get 1Password for Mac or Windows for just $34.99 (or both for $48.99!) and Get 1Password for iOS for just $9.99. Family Packs of five licenses also start at just $48.99.

But as the title here suggests, one of our most long-winded sales in AgileBits history is not all that you, your friends, your coworkers, and that random-stranger-turned-friend get. We are announcing that, for Mac and iOS users, our updates coming this fall for Apple’s OS X Yosemite and iOS 8—yes, including our awesome new Safari and in-app extension—will be free for current owners.

So, TL;DR: buy now at an incredible price, get more incredibleness later for free.

Maybe we should keep the crazy sale title after all.

Heads up: Your best defense against the Russian hacker data breach is still strong, unique passwords [Update: And a sale!]

The bad news: Russian hackers claim to have gotten their hands on a sizeable collection of login credentials and emails.

The semi-good news: the story might not add up. According to The Verge, most, if not all, the credentials may simply have been collected from previous breaches we already knew about, including Adobe, LinkedIn, and others.

The good news: strong, unique passwords for all your sites are still your best defense. If shady individuals nab one or even more of your accounts, 1Password’s unique passwords prevent them from using that information to break into all your accounts.

EVEN MORE good news: To help everyone get more secure online with strong, unique passwords for all their accounts, we’re putting 1Password for iOS on sale for just $9.99! For how long? We’re not sure yet, so act fast and spread the word. Bonus points: our upcoming update for iOS 8 will be free to existing owners!

Unfortunately, we live in a world where data breaches are going to happen. As my colleague Jeff Goldberg likes to remind us: security is a process, not a destination.


The best way to defend against breaches large and small is the same as it ever was: use 1Password’s Strong Password Generator on Mac, Windows, and iOS to create strong, unique passwords for all your accounts with a single click.

1Password’s Security Audit feature is also a great way to stay on top of your security. It shows you duplicate and weak passwords, and our built-in 1Password Watchtower service warns you to change your passwords for any of your Login’s sites that have recently been breached.

As usual, the headlines sound big, but the solution is simple. Use 1Password’s Strong Password Generator for the best defense against data breaches. As this matter is examined further, we’ll let you know more about breach sources or any other pertinent details.

Filling with your approval: On 1Password’s App Extension and iOS 8 security

iOS 8 has an incredible feature coming called App Extensions, and we’re thrilled to say we have a 1Password extension ready for developers to use right in their apps! In apps that gain support for our extension, you will no longer have to copy and paste passwords from 1Password. Yes, it really is a game changer, and you can see it in action for yourself.

Naturally, this new-fangled way for apps to interact in iOS 8 is leading people to ask how we do this in a secure manner:

  • Are we really letting third-party apps poke around inside of your 1Password data?
    • Answer: No, that is not how extensions work.
  • Can these third party apps ask 1Password for your PayPal password?
    • Answer: Well, they can ask, but you decide if they should get what they ask for.
  • Can they trick you into entering your 1Password Master Password into something that isn’t 1Password?
    • Answer: The very same mechanisms that prevent that today apply to application extensions.

TL;DR

I will elaborate on all of this below. But to summarize, all of my points and these safeguards in both iOS extensions and 1Password are built on an important design principle: Nothing happens without your explicit action.


Introducing the 1Password App Extension for iOS 8 apps

Throughout history, the greats have always sought a “holy grail.” The Dude really wanted that new rug. Indiana Jones searched for… well, the Holy Grail. Today, we’re happy to say we built our holy grail: automatic 1Password Logins right in iOS 8 apps.

The video embedded here, produced by our fearless co-founder Dave Teare, speaks for itself. Thanks to Apple’s incredible new developer features in iOS 8, third-party apps can let 1Password fill Logins without the user ever leaving the app. Yep, complete with Touch ID for unlocking the vault. Yep, it’s this awesome.

How easy is it for third-party apps to get in on this one-tap Login goodness? Extremely! Developers: check out our 1Password App Extension on GitHub with documentation and sample code.

App users: reach out to the developers of your favorite apps and help us spread the word! Show them the video and link this blog post and our GitHub project.

We want to share our holy grail with all apps: the convenience of one-tap Logins and the security of strong, unique passwords with 1Password.

Up your 1Password-fu with keyboard shortcuts


I don’t know about you, but constantly typing my login details is not my favourite part about visiting websites, and digging for my credit cards, then typing all those details takes all the fun out of shopping.

Fortunately, 1Password and some handy keyboard shortcuts are happy to save you a ton of time with all these less-than-thrilling parts of being online, so you can spend more time on the stuff that matters.

1Password’s bread ‘n butter

One of our best, long-standing shortcuts is Command-\ (for PC users, Command = Control). This game-changer instantly fills and submits your Login for the current page, so you get in and get going with a single shortcut. If you have more than one Login for the page, a 1Password menu will list them all so you can arrow up and down, then hit Return on the one you need.

Of course, many standard computing shortcuts work for 1Password, too: Command-N will create a new item for you, Command-E will edit an existing item, and Command-S will save the edits.

Fill forms with the 1Password menu

“Password” might be in the app’s name, but 1Password also fills things like registration forms and shopping carts. First, you’ll want to open the main 1Password app and create a couple Identities and Credit Card items.

Then, on a page with a form you want to fill, press Command-Option-\ (Control-Alt-\ on PC) to display the 1Password menu. There you can arrow to the Identities or Credit Cards section, arrow right to find the item you need, and hit Return to sign up for a new service or checkout online faster than you can say “Siri, remind me to review our monthly budget.”

Switch vaults (Mac)

switching vaults


We introduced Multiple Vaults in 1Password 4 for Mac, allowing you to securely share and sync items with a team at work, your family members, and monthly D&D squad.

Each vault gets a numbered keyboard shortcut. To switch between them, open the 1Password app or 1Password mini’s menu in your browser and use Command-2 for your second vault, Command-3 for the next, etc. Command-1 is always your primary, personal vault.

Lock 1Password

Control-Option-Command-L on your Mac or Control-L on your PC will lock 1Password and keep it safe from any prying eyes.

Copy an item’s password

Press Command-Shift-C on your Mac in 1Password or 1Password mini, or Control-Shift-C on your PC in 1Password, to copy the password for the selected item.

Reveal a password

If you’re a cautious sort and prefer to keep your passwords safely obscured behind dots, simply hold down the Option key on your Mac, or press Control-R on your PC, to sneak a peek at the password.

The whole enchilada

Find the full list of keyboard shortcuts for 1Password 4 for Mac here and 1Password 4 for Windows here.

1Password 4.1 for Android is coming, we extended the freemium date and have a price!

Over the past six weeks, we’ve seen a tremendous response to the all-new 1Password 4 for Android and our free trial experiment. Our team has been hard at work on a number of updates and great new features, and today we’re happy to say that v4.1 is coming soon, we extended the trial date, and we can now announce a price!

v4.1 for Android

Coming soon, 1Password 4.1 for Android will allow new users to create their first vault right on the device, no existing sync or vault required.

We added localizations for German, Spanish, Portuguese (European and Brazilian), Romanian, Russian, and Swedish. We are also finishing up translations into Chinese, Japanese, French, and Italian. Finally, we added some fixes and improvements that lay the groundwork for goodies that are on their way.

Free trial deadline extended, and a price!

Since our experiment is going so well, we extended the final day through Monday, August 18. Now everyone can have a few more weeks to check out 1Password 4 for Android and all its security awesomesauce.

On Tuesday, August 19, our Android version will switch to a freemium model. You can download it for free and use it as a 1Password reader, a great sync companion with 1Password for Mac or Windows, so you can take all your items on the go. To unlock all editing, organizing, and creating features, make a one-time, in-app purchase of just $9.99 USD to get the full power of 1Password right in your hands.

But wait there’s more

Since we’re just that excited about 1Password 4 for Android, we’ll start this off on August 19 with a $7.99 USD Awesome Android Launch Sale! This 20-percent-off sale will run for just two weeks, so when the sale starts mid-August, move fast.

To make sure you don’t miss it and stay in touch with us, be sure to follow 1Password on Twitter and Facebook!