## 1Password 4.5 for iOS and 4.3 for Mac are out and on Launch Celebration Sale!

One could say we’ve been busy these last couple of months, but that would only be the half of it. We have two great releases today that are packed with so much stuff, we had to cut down on our What’s New text just to fit it within the App Store requirements.

Completely redesigned. Multiple Vaults and Sharing. AirDrop. Search always where you need it. A unified AutoFill tool in 1Browser. This is our biggest free update for iOS ever and you can get the full details on why in the App Store.

Plus, all versions of 1Password are 50% off through the 4/26-27 weekend for our Launch Celebration Sale! Pick up 1Password for iOS now for just $8.99!

# 1Password 4.3 for Mac

1Password mini can now search everything, use a healthy dose of keyboard shortcuts, and show your Secure Notes. Go full screen. Sync your data file on a USB drive.

Mac App Store customers also get all the great stuff from our 4.2 web release, like AutoSave updating existing Login items when you change passwords (that’s a big one!), editing items right in 1Password mini, and more.

Check out the full details in our changelog or on the Mac App Store, and don’t miss the Launch Celebration Sale here too. Through April 27, pick up 1Password for Mac in our web store or the Mac App Store for just $24.99!

## Introducing the 1Password Watchtower service for Heartbleed and beyond

When news of the internet’s Heartbleed bug broke last week, we published what we knew about it and the implications for 1Password and 1Password users.

To recap: 1Password is not affected by Heartbleed, but there are steps you need to take to protect your passwords from sites that may have been affected.

Today, we’re introducing a new service to help you check vulnerable sites and stay on top of your online security. We call it 1Password Watchtower.

## A way to check if the bleeding has stopped

Most, but not all, websites have had some period of being insecure because of Heartbleed, and this is why so many passwords need to be changed.

Since those first few hours on April 7, we’ve gone from “what is this all about?” to “which sites do I need to change my password, and when?” Today, the 1Password Watchtower service will help you answer that question.

## The categories of sites

With respect to Heartbleed, the 1Password Watchtower service will try to categorize websites into one of the following five categories.

### 1. Vulnerable

Sites that are still exhibiting the Heartbleed bug should be avoided until they’ve fixed it. Once fixed, you should change your password.

If you reused a password for one of these sites, then all of those websites are also at risk. You should change your passwords on those other websites as soon as appropriate, and be sure to set up a different password for each of these sites.

### 2. Not currently vulnerable but needs new certificate

This is where things get complicated. While these sites have stopped the bleeding, their master keys may have been stolen while the site was vulnerable.

To protect against this, websites need to get new certificates signed by certification authorities, which simply takes time (especially when nearly every site needs to do it). It took two days to get our new certificate, and I would not be surprised if others will have to wait longer, especially if they submitted their requests after us.

For these sites we recommend that you change your password twice. Changing your password now will prevent an attacker from using any previously stolen passwords. Then you can change your passwords again once the site’s certificates have been reissued to guarantee that the new password is only known by you.

### 3. Not currently vulnerable and has a new certificate

These sites were vulnerable to Heartbleed at one time but have been completely fixed. You can go ahead and change your passwords on these sites.

You may find yourself with many sites for which you need to change passwords, but don’t let yourself get overwhelmed. Focus on changing passwords for your most important websites first.

### 4. Never vulnerable

Some sites and services were never vulnerable to Heartbleed, typically because they never used OpenSSL or had disabled various features.

One piece of good news is that, as far as we can tell, most banks fall into this category. However, to the annoyance of security researchers, banks are not telling us why they weren’t vulnerable; they are merely repeating that their customers are and have been safe.

For sites that were never vulnerable, no special action is needed. You do not need to change those passwords if your passwords were unique to those sites.

But (and you will hear us repeating this often) if you used the same password on a “never vulnerable” site that you used on one which was vulnerable, then you should change your passwords to be strong and unique on both sites.

This illustrates why password reuse on multiple sites is so dangerous. Even services that have had excellent security on their own can be broken into with a password stolen from elsewhere. 1Password’s Security Audit will help you find duplicate passwords.

### 5. No SSL/TLS

Sites in this category are in no way affected by Heartbleed, but these are the services where it is most important that you don’t reuse passwords.

Some sites and services do not use SSL/TLS to secure connections between your web browser and their service. Because they have no transport security to break, their security can’t be “broken” by Heartbleed. Any password—or, really, any data—sent to such a site can be easily captured. If you have a password for one of these sites, make sure that you don’t use the same password for any other service.

Subdomains matter: It is important to remember that 1Password Watchtower checks the exact domain you tested. So even if go.com doesn’t use SSL, subdomains such as disney.go.com, may. It does not appear that one ever sends passwords to go.com itself, so its lack of SSL does not put passwords at risk.

## How do we know which sites fall into which category?

As 1Password Watchtower checks for Heartbleed, it performs a number of tests on a domain and its certificate, as well as looking at the results of earlier tests. But even with all of the tests that we run, there is some substantial “guess work” in the categorization.

We can reliably tell which sites are currently vulnerable and which sites aren’t. We can also check the start date for the validity of a certificate. We run other tests, but whether they produce results or not, they only offer hints at which category we should put a domain into.

If you are a site administrator and find that we are reporting incorrect results for your site or service, please make use of Heartbleed HTTP Headers to announce your condition or let us know.

## Uncertainties

### Never vulnerable or needs a new certificate?

The biggest uncertainty is that we have no reliable way to distinguish between sites waiting for new certificates and sites which were never vulnerable. Both such sites will not be currently vulnerable and will not have new certificates. We look at fragmentary results of previous scans as well as web server software to try to form a guess, but it remains a guess.

### Is an old certificate really old?

Every certificate has a validity period: a “valid from” date and an “expiry” date. We are (mostly) using the date from which they are valid to see if they are old or new. However, many recently reissued certificates have the same validity period as the one that they replaced. As a consequence, certificates that appear as if they are in need of replacement aren’t.

### Are we talking to the right service?

Many high-traffic web sites use load balancers, which don’t actually process your web request, but send your request off to one of many back-end servers. The software on a load balancer is meant to be invisible, but it will often be different from what appears on the back end. The tests we perform involve a number of queries, some of which will be handled by the back-end servers and some by the load balancer. For example, a load balancer that was running an affected version of OpenSSL might be using IIS as a back end, and thus we might falsely report the site as “never vulnerable”.
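The categorization and its uncertainties, sketched as an added Python example (not Watchtower's actual code). The record layout, the April 7, 2014 cut-off for a "new" certificate, the use of an IIS `Server` header as a hint, and the cautious default are all assumptions of this example; the scan data is constructed.

```python
import ssl
from dataclasses import dataclass
from typing import Optional

# Assumption of this example: a certificate is "new" if its validity starts on
# or after April 7, 2014, the day the fixed OpenSSL 1.0.1g was released.
FIX_RELEASED = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

VULNERABLE = "1. Vulnerable"
NEEDS_CERT = "2. Not currently vulnerable but needs new certificate"
FIXED = "3. Not currently vulnerable and has a new certificate"
NEVER = "4. Never vulnerable"
NO_TLS = "5. No SSL/TLS"


@dataclass
class Scan:
    """Test results for one exact domain (hypothetical record layout)."""
    domain: str
    speaks_tls: bool
    leaks_now: bool = False                 # measured: live Heartbleed test
    not_before: Optional[str] = None        # measured: "valid from", getpeercert() format
    seen_vulnerable: Optional[bool] = None  # hint: earlier scans, often missing
    server_header: str = ""                 # hint: may describe a back end, not the TLS endpoint


def classify(scan):
    """Return (category, basis); basis is "measured" or "guess"."""
    if not scan.speaks_tls:
        return NO_TLS, "measured"
    if scan.leaks_now:
        return VULNERABLE, "measured"
    if scan.not_before and ssl.cert_time_to_seconds(scan.not_before) >= FIX_RELEASED:
        return FIXED, "measured"
    # Not leaking, old certificate: "never vulnerable" and "waiting for a new
    # certificate" look identical from here on, so everything below is a guess.
    if scan.seen_vulnerable:
        # An earlier scan outranks the Server header, which may belong to a
        # back end sitting behind a load balancer that was running OpenSSL.
        return NEEDS_CERT, "guess"
    if scan.seen_vulnerable is False or "Microsoft-IIS" in scan.server_header:
        return NEVER, "guess"
    # No hints at all: assume the worse case. This can be wrong when a
    # certificate was reissued with the same validity period as the old one.
    return NEEDS_CERT, "guess"


# Constructed scan results; the domains are placeholders.
SAMPLE_SCANS = [
    Scan("plain.example.test", speaks_tls=False),
    Scan("shop.example.test", True, leaks_now=True,
         not_before="Jan 15 00:00:00 2014 GMT"),
    Scan("mail.example.test", True, not_before="Apr 10 00:00:00 2014 GMT"),
    Scan("bank.example.test", True, not_before="Jan 15 00:00:00 2014 GMT",
         server_header="Microsoft-IIS/7.5"),
    Scan("forum.example.test", True, not_before="Nov  3 12:00:00 2013 GMT",
         seen_vulnerable=True),
    Scan("lb.example.test", True, not_before="Nov  3 12:00:00 2013 GMT",
         seen_vulnerable=True, server_header="Microsoft-IIS/7.5"),
    Scan("quiet.example.test", True, not_before="Nov  3 12:00:00 2013 GMT"),
]


def report(scans):
    """Map each domain to its (category, basis) pair."""
    return {s.domain: classify(s) for s in scans}


if __name__ == "__main__":
    for domain, (category, basis) in report(SAMPLE_SCANS).items():
        print(f"{domain:22} {category} [{basis}]")
```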

## Use strong, unique passwords and carry on

Heartbleed is an astonishingly serious thing, but it isn’t cause to panic. Indeed, frightened people tend to make poor security decisions. The bulk of the work is being done by system administrators, and there are changes to come in the ways critical software is scrutinized. But for most people like you and me, the job is to improve our password practices.

Many—I’d like to think nearly all—1Password users are good about having strong, unique passwords for each site and service. That habit should already make the current task easier for you. Heartbleed and this initial version of 1Password Watchtower give you another opportunity to improve even more. Doing so will make you safer now and long into the future.

Our co-founder, Dave Teare, sent an AgileBits newsletter to our subscribers Friday night about the internet’s Heartbleed bug and how you can use 1Password to defend yourself and change all your passwords. We had a surprising number of requests to republish it here, so I’m happy to oblige!


Hello everyone,

I’m writing to you today with some very important news. A vulnerability named Heartbleed was discovered in the software that protects most web sites.

# What is Heartbleed?

Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it’s what’s responsible for the padlock icon in your browser’s URL bar while browsing the web.

Normally when browsing a site using SSL, you can trust that the information you send to the website can only be seen by the website itself. This keeps your private information, such as credit cards, usernames, and passwords, secure.

The Heartbleed exploit enables attackers to bypass the protections provided by SSL. This means any information you sent to a website that relied on vulnerable versions of OpenSSL could potentially already be in the hands of the bad guys.

I found this XKCD comic explained perfectly how the Heartbleed exploit works.

There is a lot of work to be done as a result of Heartbleed, but let’s start by talking about what this vulnerability does not mean.

This means 1Password is not affected by the Heartbleed bug and there is no need to change your Master Password.

With that said, there is still a lot of work to be done…

The knee jerk reaction to this news is to change all your passwords immediately. While I will be recommending you change your passwords, not all websites have been updated yet to protect against this vulnerability.

The best advice I can give you is to change your most important website passwords immediately, including your email, bank accounts, and other high value targets. This will provide your best defense against previous attacks.

After a few weeks, websites will have been upgraded with new SSL certificates, and you will be able to trust SSL again. At this point you should change all of your passwords again.

Heartbleed is a very serious issue so I hope you will take the time needed to update your passwords. Ideally you would change all your passwords, but at the very least, please update the most important ones.

# Stop The Bleeding

To make it easier for everyone to improve their security we decided to put 1Password on sale.

### Save 50% Off 1Password and Stop the Bleeding

Please share news of Heartbleed with your friends and families. Simply forwarding this email is a great first step to helping them know that this is a serious issue.

I know I will be using this opportunity to finally convince my mother that she needs to take her internet security more seriously. Hopefully you will also be able to turn this crisis into an opportunity for good.

# Stay Tuned

The Heartbleed story is continuing to evolve. I’ll be in touch again soon with an update.

While I normally send these newsletters infrequently, given the gravity of this situation, I’ll likely be sending a few extra this month. I hope you find this helpful.

Please keep in touch and let us know if there is anything we can do to help.

## Heartbleed: Imagine no SSL encryption, it’s scary if you try

Only two months ago, in the wake of the “goto fail” bug, we had to point out that 1Password’s security does not depend on SSL/TLS. Today, with the far more damaging Heartbleed bug in OpenSSL, we need to tell you the same. 1Password’s technology is not built upon SSL/TLS in general, and not upon OpenSSL in particular. 1Password’s encryption remains safe.

## This bug matters for everyone

Just because 1Password’s technology isn’t affected by this doesn’t mean that you aren’t. Pretty much everyone is affected by this. Many of the secure connections that you use with various services, including HTTPS connections to secure sites for shopping and many other activities, may be fully readable to attackers. Of course, this includes the usernames and passwords that you use to log in to various services. It’s not just HTTPS connections, but IMAPS—how your email program, such as Mail.app or Outlook, talks to a mail server—may be vulnerable.

You will, at some point, need to change a lot of passwords. And 1Password makes this much easier than it otherwise would be. But don’t rush to do that just yet. Not every server is affected, and those that are need to fix things at their end before you change your password. If you change your password before the servers fix things, then your new password will also be vulnerable to capture.

All that most of us can do is wait at this point. Presumably, various service providers will announce over the next few days when and whether users should change passwords or be aware that other confidential information may have been exposed.

At this point, I can only guess at how long it will take for various service providers to make announcements. They are in a difficult position right now. First, they need to determine whether they are vulnerable. That means finding out if their particular SSL/TLS service was using OpenSSL (the most popular SSL library in use today) version 1.0.1 (Released March 2012) through 1.0.1f (1.0.1g, containing the fix, was released April 7, 2014).

Once a service upgrades to a fixed version of OpenSSL (or to some other cryptographic library), they will need to revoke the certificate that they had been using with the vulnerable version of OpenSSL and obtain a new certificate. Exactly how long that takes will depend on how quickly they can get things sorted out with their certification authority. Certification authorities are going to be very busy over the next few weeks.

Only after a new, certified certificate is in place on a server that is not using a broken SSL/TLS library will it make sense for you to update your password for that service (or even trust your communication with it). Most of us simply have to wait until notified by various websites and services when and whether we should change passwords.

### Certificates and keys

If you are curious about what is actually exposed by the heartbleed bug, read on. It requires some understanding of how certificates work, but I’ll try to give an overview of just the parts we need for this discussion. I will take a lot of shortcuts in the presentation and pretend that things are simpler than they actually are.

### How certificates and keys work

In order for your browser and a web site to encrypt the communication between them, they need to use an encryption key. That key is typically a 128-bit number. Now, it may be that your browser and the particular website have never spoken to each other before, so they need to work out an encryption key for this session in such a way that someone listening in will not know what the key is. It’s as if they have to work out a password to share between them while communicating where anyone can listen.

The encryption key that they work out is just for that particular session. The next time your browser establishes a connection to that server, a new key is worked out. This is called a “session key”.

### Establishing a session key

Your browser and the server work out a session key using something called “public key encryption”. Public key encryption is the nearest thing to magic you will find in mathematics and cryptography. When I describe what I do to school kids on career day, I say that I get to think like a criminal and do magic with math.

Anyway, the server will have a public key and a private key that are mathematically related. The public key is not a secret at all. The mathematically related private key is. It is possible to use the public key to encrypt stuff that can only be decrypted with knowledge of the private key.

So (and this is taking a big shortcut), your browser can pick a random session key and encrypt it using the server’s public key. Because only the server knows the corresponding private key, only the server can decrypt the encrypted session key. Once your browser has sent a randomly chosen session key to the server, both the server and browser can use that session key for their communication throughout that session.

The private key is a big, long number, often thousands of bits long. And it can’t be just anything; it has to have the appropriate mathematical relationship to the public key. Clearly no human is going to be dealing with those keys directly. Typically, those keys are stored in something that can be used by the server software and is protected by a password.

This scheme of using a password to protect a key and then have the key be used for the encryption is typical of high security software. You find this in SSH, PGP, and in 1Password. A strong key is picked by the software and that key is then encrypted with a password that a human uses. With 1Password, your data is encrypted with a random 256-bit key that is chosen when your data vault is created. Your Master Password is used (indirectly) to encrypt that key (again, I’m skimming over some details).

### How heartbleed bleeds your privacy

Anyway, the heartbleed bug pretty much allows an attacker to probe a server that will end up revealing the private key. Once an attacker knows the private key, they can decrypt session keys that have been sent to the server, and thus decrypt all of the encrypted traffic that goes back and forth between the browser and the server.

Another bit of magic with public key encryption is the notion of “digital signature.” Your browser can create a mathematical challenge using the public key that only someone with knowledge of the private key can solve. This is part of how a website proves to a browser that it is what it says it is. If an attacker learns the private key of some website, then it can masquerade as that site.

All in all, the capture of a server’s private key is a bad thing, and that is what this bug enables.
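The session-key exchange described above, and what a leaked private key does to traffic recorded earlier, as an added Python example that is not from the original article. It uses textbook RSA on two small Mersenne primes and a hash-based stand-in for the session cipher, both toy choices for illustration only; every name and the sample plaintext are constructed.

```python
import hashlib
import secrets

E = 65537  # public exponent


def make_keypair(p, q):
    """Return (public modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Toy server keys built from Mersenne primes: far too small and too
# structured for real use. (N, D) is the key in place while the server was
# vulnerable; (N2, D2) is the replacement issued after the fix.
N, D = make_keypair(2**127 - 1, 2**107 - 1)
N2, D2 = make_keypair(2**89 - 1, 2**521 - 1)


def session_cipher(session_key, data):
    """Stand-in symmetric cipher: XOR with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(session_key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)


def browser_send(n, plaintext):
    """Browser: pick a random 128-bit session key, wrap it with the server's
    public key, encrypt the traffic. Returns what crosses the wire."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), E, n)
    return wrapped, session_cipher(session_key, plaintext)


def read_recording(recording, d, n):
    """Anyone holding private exponent d: unwrap the session key, then
    decrypt. With the wrong d the result is garbage."""
    wrapped, ciphertext = recording
    raw = pow(wrapped, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return session_cipher(raw[-16:], ciphertext)


def server_receive(recording):
    """The legitimate server, using its own private key."""
    return read_recording(recording, D, N)


if __name__ == "__main__":
    login = b"user=alice&password=constructed-sample"
    old = browser_send(N, login)        # recorded off the wire before the fix
    print("server reads:         ", server_receive(old))
    print("leaked D, old session:", read_recording(old, D, N))
    new = browser_send(N2, login)       # after the certificate was replaced
    print("leaked D, new session:", read_recording(new, D, N))
```

A patched server that keeps the old key pair still leaves both old recordings and new sessions readable to whoever captured `D`; only the replaced key pair protects new sessions. Cipher suites that agree on the session key with ephemeral Diffie-Hellman do not wrap it this way, so this replay applies to the key-transport model described here.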

Most of us ordinary folk need to wait for sites that need fixing to actually get fixed, then wait for instructions on whether we need to change passwords. But some of us need to get working. The definitive source for information about Heartbleed is heartbleed.com. Since this article was originally written, Filippo Valsorda has published a tool for checking which sites are vulnerable (this has also finally pushed me to play with the Go programming language I’ve been hearing so much about).

The IMAPS server passes the Heartbleed test

Valsorda has also created a web page based on his testing tool, which makes it easy for people who don’t wish to install and run the command line program to see which websites (or other services) are currently vulnerable to Heartbleed. I wanted to test the IMAP (mail access) server used by Fastmail.fm (which I use for my personal mail). The name of the IMAP server is “mail.messagingengine.com” (which I happened to look up in my Email accounts category in 1Password). Because I wasn’t testing normal HTTPS, which uses port 443, I also had to enter the port number for IMAPS, 993. So what I put in the form was “mail.messagingengine.com:993”. This nicely passed the test at the time I tested.

The Heartbleed test fails for Dreamhost at the time of testing

To test a website, you do not need to put in the port number. The test will default to port 443 (HTTPS). So I was able to test Dreamhost.com by just using “dreamhost.com” in the form. At the time I tested, dreamhost had not updated to the fixed version of OpenSSL, and so the test reported it as vulnerable.

### Patching OpenSSL isn’t enough

It is important to remember that during the period that your site was vulnerable attackers could have captured the key for the SSL certificate. Once they have your key, they can (under most circumstances) continue to read and manipulate traffic to and from your site. So the next step is to generate a new certificate and get that signed by a Certificate Authority. This is also a good opportunity to ensure that your RSA or DSA key is at least 2048 bits long. 1024 bit RSA and DH keys are no longer considered safe.

Once you have your new certificate signed and in place, you should inform users that their sessions may have been compromised prior to the installation of the new certificate. They should then change their passwords and take whatever other action is appropriate given that confidential data may have been exposed.

The bulk of this article was drafted late Monday (April 6) night and in the wee hours of Tuesday morning. We will have a series of other articles and announcements coming soon, so please continue to watch the Agile Blog for news here and 1Password on Twitter, on Facebook, and on App.net. We will also be providing only minor updates to this post, as we prepare new ones.

#### April 12

• A new certificate for agilebits.com was put in place on April 10 and Dropbox.com put a new certificate in place on April 11.
• Now that Dropbox is using a new certificate, we’ve removed the earlier advisory for users of the 1PasswordAnywhere feature.

## Large even prime number discovered

You have probably been taught that two is the only even prime number. But today mathematicians at the University of Southern North Dakota at Hoople have discovered a new, large, even prime. It is more than a million digits long and is equal to the value of 3²²³⁷⁵⁶¹+3¹¹¹⁸⁷⁸¹.

Many people are under the erroneous belief that two is the only even prime number, but as Professor Paul Forester explains, “tings get really meshuga vhen numbers get large.” For example, when some number n gets very large, it becomes approximately the same as its successor. Because:

$\displaystyle\lim_{n \to \infty} \frac{1}{n} = \frac{1}{n+1}$

we can see that n must get closer and closer to n+1 when n is very large. So when numbers are pretty much the same as their neighbors at these large values, the notion of odd and even doesn’t hold in the traditional sense.

## What does this mean for cryptography

First of all, this surprising mathematical discovery has no (immediate) bearing on the security of 1Password, as 1Password does not use the kind of cryptography that depends heavily on the theory of prime numbers. But this might have some implications for cryptography. At the moment, the only immediately visible impact is that it should make some of the slowest cryptographic computations quicker and more efficient.

In some cryptographic systems (though not 1Password), the software must generate large, randomly chosen prime numbers. This is a very time-consuming process, and it works by first picking large random numbers, then checking whether they are prime through a series of tests. Almost all software implementations of this will only pick odd numbers by setting the least significant bit of the random number to 1. But this excludes half of the numbers it could pick, thus failing to find any of the even large primes.

### Testing for primes

Once a random number is picked in the appropriate range, it needs to be tested for primality. Many of the tests result in answers that aren’t quite definitive. Indeed, a number of tests produce results of either “definitely not prime” or “possibly prime”, and each of these tests may take a different amount of time to run. The general strategy is to run the quickest tests first on your candidate number, and only then run the more expensive tests. If your candidate number passes a sufficient number of those tests, then you can determine with sufficiently high probability that the number really is prime.

There is a way, of course, to definitively test whether a number, N, is prime. And that is to attempt to divide by every prime number less than or equal to the square root of N. But while that approach is definitive, it is simply far too many divisions to actually test.

### The prime numbers in cryptography

The prime numbers used in cryptographic systems are typically 1024 bits (about 308 digits) long. Pairs of these are generated and multiplied together to produce 2048 bit (about 616 digit) products. Note that when you multiply, say, a five digit number by a three digit number you usually end up with an eight (five plus three) digit number. This holds when using bits instead of decimal numbers. So the product of two 1024 bit numbers will typically be a 2048 bit number.

Even for 300 digit numbers, which are far, far smaller than the million digit prime announced Saturday, it isn’t feasible to run definitive primality tests in the time we need when picking prime numbers. Indeed, it is probably near the edge of the NSA’s capability to factor 1024 bit products of 512 bit primes. This is why it is no longer recommended to use 1024 bit RSA keys.
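The generate-and-test procedure described above (force the low bit to 1, run the quick test first, then the expensive probabilistic one), as an added Python example that is not from the original article. Miller-Rabin is this example's choice of "possibly prime" test, which the article does not name; the small-prime bound, round count and function names are likewise assumptions.

```python
import secrets

# Odd primes below 2000, used for the quick first-pass test.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def trial_division(n):
    """Definitive but slow: try every odd divisor up to sqrt(n)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def cheap_reject(n):
    """Quick test for n >= 2000: "definitely not prime" if a small prime divides n."""
    return any(n % p == 0 for p in SMALL_PRIMES)


def miller_rabin(n, rounds=40):
    """Expensive test for odd n > 3. False means definitely composite; True
    means possibly prime (a composite survives one round with chance <= 1/4)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_probable_prime(n):
    if n < 2000:
        return trial_division(n)      # small enough to settle definitively
    if n % 2 == 0 or cheap_reject(n):
        return False
    return miller_rabin(n)


def random_prime(bits):
    """Pick random odd candidates of exactly `bits` bits (bits >= 16) until
    one passes both tests. Returns (prime, stats)."""
    stats = {"candidates": 0, "cheap_rejects": 0, "miller_rabin_runs": 0}
    while True:
        # Top bit set: full length. Low bit set: odd, as described above.
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        stats["candidates"] += 1
        if cheap_reject(n):
            stats["cheap_rejects"] += 1
            continue
        stats["miller_rabin_runs"] += 1
        if miller_rabin(n):
            return n, stats


if __name__ == "__main__":
    p, p_stats = random_prime(512)
    q, _ = random_prime(512)
    print("work for p:", p_stats)
    print("bits in p, q, p*q:", p.bit_length(), q.bit_length(), (p * q).bit_length())
```

The statistics show how much work the quick test saves: most candidates are discarded before Miller-Rabin ever runs. Because both primes have their top bit set, the product of two 512-bit primes comes out at 1023 or 1024 bits, the "typically" in the paragraph above.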

### A note on key sizes

If I am saying that 1024 bit keys aren’t safe, why does 1Password “only” use 256 bit keys? This is because different kinds of encryption systems have different kinds of keys. Keys used for the AES algorithm are completely random numbers. Guessing the key means trying every single 256 bit key until you find the one that works. That just isn’t possible even for a 128 bit key. But for public key encryption systems, not just any public key will do. Not just any 2048-bit number can be a Rivest-Shamir-Adleman (RSA) public key. Instead, it must (essentially) be the product of two 1024-bit prime numbers (which are, in essence, the private key).

I say “essentially” in there because if two prime numbers are p and q, then the actual public key isn’t p times q, pq, but is in fact Φ(p)Φ(q), which works out to (p-1)(q-1) in this case. The Φ function is known as Euler’s totient function. For quite some time, I believed that there was a mathematician whose name sounded like “Oiler” who worked on similar stuff as the mathematician I’d read about, whose name I pronounced “Yuler”. Along the same lines, it was only when someone read the Little Prince aloud that I realized that the word I’d heard as “yu-neek” was the same as the one that I pronounce “un-ee-cue”. I still think of the Prince as “un-ee-cue in all the world.”

Let’s get back to key sizes. Not every public key system uses the RSA algorithm. The Diffie-Hellman (DH) system uses different mathematics, but has key length requirements similar to RSA. 1024 bits is no longer considered secure against the likes of the NSA. The third kind of public key algorithm in use is based on elliptic curves, and is sometimes called ECDH because it is actually based on the same logic as Diffie-Hellman at its heart, though it works through different mathematical operations. One advantage of ECDH is that it works with much smaller keys. So a 256-bit ECDH key is perfectly reasonable.

This article was posted on April 1, 2014. The claim that an even prime number other than two has been found is bogus. The notion of odd and even holds for all integers, no matter how large. The fictitious University of Southern North Dakota at Hoople is the creation of the real Peter Schickele. The fictitious mathematician Paul Forester is my resurrection of the great 20th century mathematician, Pál Erdős. Everything else here is actually meant to be reliable information. Including those bits that are un-ee-cue in all the world.

## Where’s Eddy?

You may remember that AgileBits won a Macworld Eddy Award in 2013 for 1Password 4 for Mac (We were a little bit excited about it). 1Password 4 has been a labour of love for the entire team, from developers to support, and it was a true honour to be singled out for such a prestigious award.

Well, because the powers-that-be at AgileBits are pretty awesome, they decided to share the honour. So, not only is there a shiny new Eddy from 2013 sitting next to his friend from 2010 on our office shelf, but Eddy is also gracing the shelves and homes of every AgileBits employee! I was completely blown away by this generosity, and it got me thinking: how were the rest of the AgileBits team celebrating the arrival of this shiny award?

As it turns out, there’s some excitement, a little bit of weirdness, and a whole lot of smiles. Check out some of our photos here and give us a like on Facebook to check out the full gallery!

## The 1Password at Macworld/iWorld 2014 megastravaganza post!

We’re in San Francisco for Macworld/iWorld 2014—and for you! We love hearing from our customers, and we have booth #39 in the Appalooza so we can hear from you in person this week! We’ve spent the day getting the booth ready and tracking down that one thing we need to make it all work. Now we’re just excited to get the show on the road.

Swing by anytime Thursday, Friday, or Saturday during the conference to say hi. Bring a friend if you like! In fact, we’re bringing a friend on Friday from 11am-12pm—Joe Kissell, he of the Take Control of 1Password book.

Our co-founder Dave Teare is also going to be on the Main Stage Thursday, March 27 in Mac Gems: Meet the Developers. He’ll join Jennifer Bell of Prosoft Engineering, John Chaffee of BusyMac, and Greg Scown of Smile to talk everything from ‘where do the great ideas come from?’ to ‘the risks and rewards of the Mac App Store and developing software in general’. Be sure to catch the panel and learn from some of the best in the Apple community.

Last but not least, 1Password 4 for Mac (and Windows!) is 50 percent off to celebrate Macworld/iWorld! You can get the sale price in our web store and in the Mac App Store, so it’s up to you!

Whether you pick up 1Password on sale or not, be sure to swing by our booth at the conference to say hi!

This is another particularly delightful edition of Apps that Love 1Password since it’s so diverse. This time we have a hot new newsreader, one of the best calendar apps for iPhone, and a slick utility for tracking your project time with Tick.

Unread for iPhone from Jared Sinclair is a beautiful, minimal newsreader for Feedly, FeedWrangler, and Feedbin. Jared cut out a lot of buttons and toolbars in favor of simple gestures to let you focus on reading and (optionally) sharing articles.

Unread’s login forms for FeedWrangler and Feedbin feature a 1Password button so you can quickly find your accounts. The sharing feature also lets you open the current article or webpage in our 1Browser so you can use Identities to quickly register for services, or even Credit Cards so you can insta-buy what you just read about!

# Fantastical 2

The Sweet Setup declared Fantastical 2 the best calendar app for iPhone, and it’s easy to see why. Fantastical is fast, a native iOS 7 citizen, and has optional support for Apple’s Reminders. One of its best features is that you can use natural language to create events and tasks, like “Lunch with Amy at 12:30” to create an event, or “get milk /p” to add a Reminder to your Personal list.

As of Fantastical 2.0.5, you now have the option to open links in our 1Browser, making it much easier for you to securely log into services, register at new sites with 1Password Identities, and fill out shopping carts with one tap.

# Tonalli

For all you folks out there who need help tracking projects and the time you put into them, Tonalli is a minimal and free iPhone client for Tick. You can see your daily timecard, manage said timecards, and view reports and charts for all your projects.

A new 1Password button in Tonalli’s login screen should make it faster to log into your Tick account. You’ll switch to 1Password with an AutoSearch for Tick. Swipe the item to open the Action Bar, copy your password, then switch back to paste and get to tracking time.

As always, we thank the developers behind these and all the Apps that Love 1Password for making it easier to work, play, and stay secure both on- and offline with 1Password.

## 1Password – No More Sticky Notes

Ever wanted a succinct video with a catchy soundtrack to help explain what 1Password is all about to friends, family, and coworkers? Now you got it!

We wanted to make a video that explains the overall problems and challenges of passwords and staying secure online, then how 1Password is the best way this side of the sun to solve it all. I might be biased, but I think we nailed it, and we’d like to thank the wonderful folks we worked with at Sandwich Video for making it happen.

## Crackers report great news for 1Password 4

To understand why this is really good news for us and for 1Password users, it is important to know what “crack” means in this context. I’ll come back round to that and why we encourage the developers of hashcat, John the Ripper, and cryptohaze to take a crack at 1Password. But first, let’s talk about this news and what it says about your password security.

## Cracking fast and slow

Jens Steube, the developer of a password hashing system called hashcat, has been testing just how many guesses per second he can get out of hashcat for the 1Password 4 data format. The hashcat demonstration showed fewer than 500 guesses per second, but with somewhat beefier hardware and a more realistic data file, a better estimate based on the hashcat data would be between 5,000 and 20,000 guesses per second. For all of the calculations below, I will use the more pessimistic (for us, the defender) estimate of 20,000 guesses per second. It’s not because I think the pessimistic estimate is the most realistic, but simply that it is better to err on the side of caution.

If you use a four word password from the scheme described in Toward Better Master Passwords, then at 20,000 guesses per second it would take more than 5,600 years for a high-end PC with multiple graphics processing units (GPUs) to work through all of the 3.65 trillion equally possible passwords. Of course, the attacker won’t have to try all of those. On average, she will find the right one after going through about half of the possibilities. So the average time to crack will be about 2,800 years. If you use a five word password, then the average time to crack will be more than 20 million years.

## We like crackers

With enough time (perhaps far more time than the life of the universe) it will always be logically possible to guess a Master Password. This is simply the nature of the beast. We need to know how many guesses an attacker can make in a second, a day, a year with the resources available to them so that we can devise the most effective defenses against these sorts of attacks.

We make our own estimates, but the best estimates come from looking at real data. We will, on occasion, run our own tests but the people who specialize in password cracking are the people who perform the most stringent tests and will look for things that we might not notice. We want to know how hard they have to work at guessing passwords. We are extremely supportive of projects like John the Ripper, hashcat, and Cryptohaze. Indeed, conversation with people involved in these projects has very much helped us develop better resistance to password cracking.

This is one of several reasons why we are open about our data format. We get better analysis from the security community by doing so. Hashcat, and John the Ripper, worked against some sample data we make available to the public.

### Cracking isn’t breaking

When crackers develop tools to guess at 1Password Master Passwords, they are not “breaking” anything. They aren’t exploiting vulnerabilities. They are just automating password guessing. Because they are working directly on the data files themselves, not with the 1Password software, things like lock-outs after multiple failed guesses aren’t an option (and don’t provide any meaningful security against encryption tools like this).

## The technical stuff

The 1Password 4 data format uses PBKDF2-HMAC-SHA512 with an absolute minimum of 10,000 iterations when transforming a Master Password to a decryption key. I’m not going to explain what all of that means, but I will say that PBKDF2 is a Password Based Key Derivation Function that is designed to require that there be lots of computation in getting from an entered password to a key. It is specifically designed to slow down cracking attempts.
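An added example (not 1Password's code): PBKDF2-HMAC-SHA512 written out from individual HMAC calls, to show that every password guess costs `iterations` HMAC computations that must run one after another. The salt is a constructed sample value, `fred` is the public sample password this article mentions, and the result is checked against Python's own `hashlib.pbkdf2_hmac`.

```python
import hashlib
import hmac
import time

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt
ITERATIONS = 10_000                                        # the format's stated minimum


def pbkdf2_hmac_sha512(password: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2 (RFC 8018) with HMAC-SHA512 as the PRF, written out step by step."""
    hlen = hashlib.sha512().digest_size                    # 64 bytes per output block
    blocks = -(-dklen // hlen)                             # ceil(dklen / hlen)
    keyed = hmac.new(password, digestmod=hashlib.sha512)   # keyed state, copied per call
    out = b""
    for i in range(1, blocks + 1):
        prf = keyed.copy()
        prf.update(salt + i.to_bytes(4, "big"))            # U_1 = PRF(P, S || INT(i))
        u = prf.digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            prf = keyed.copy()
            prf.update(u)                                  # U_j = PRF(P, U_{j-1})
            u = prf.digest()                               # needs the previous output first
            t ^= int.from_bytes(u, "big")                  # T_i = U_1 xor ... xor U_c
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def seconds_per_derivation(iterations: int = ITERATIONS, trials: int = 3) -> float:
    """Measure one key derivation on this machine using the optimized library routine."""
    start = time.perf_counter()
    for n in range(trials):
        hashlib.pbkdf2_hmac("sha512", b"guess%d" % n, SALT, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    key = pbkdf2_hmac_sha512(b"fred", SALT, ITERATIONS)
    assert key == hashlib.pbkdf2_hmac("sha512", b"fred", SALT, ITERATIONS)
    print("derived key:", key.hex()[:32], "...")
    print("one derivation takes %.4f s here" % seconds_per_derivation())
```

Running `seconds_per_derivation` on the slowest device you must support gives the defender's side of the cost; the attacker's side comes from published cracking benchmarks like the one discussed here.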

The attacker is able to build special machines for their cracking efforts, and software carefully optimized for that hardware. Defenders like us have to process a single password in an amount of time that is acceptable to users on the hardware in their pockets. As a consequence, the attacker can process a candidate password much more quickly than the legitimate user. @bitwiesil, the developer of Cryptohaze, describes this as an Attacker/Defender Ratio (ADR).

For example: if it takes 1/4 of a second for a user’s Master Password to be processed on their mobile device, but the attacker using specialized hardware can make 10,000 guesses per second, the ADR would be 2,500. In a perfect world, the ADR should be 1:1, but that is never going to happen. Plus, ADR in the tens of thousands, instead of in the millions or billions, is a hard but more realistic goal.

### The limits of PBKDF2

PBKDF2 isn’t perfect. Most importantly, it can only go so far. We can reach a point where even tiny improvements to a password (say, just adding a digit) can offer far more additional protection than adding extra strength to PBKDF2. For example, adding a single random digit to the end of a password will offer as much as going from 30,000 PBKDF2 iterations to 300,000. And the latter can do real harm in making legitimate decryption too slow. Increasing the number of PBKDF2 iterations does not change the Attacker/Defender ratio at all.
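The ADR example and the iteration-count argument above, worked through as a small cost model. This is an added example, not code from 1Password: the two rates are calibrated so that 30,000 iterations give the article's 1/4-second unlock and 10,000 guesses per second (a pairing assumed here for illustration), and the keyspace is a constructed one.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    iterations: int        # PBKDF2 iteration count
    keyspace: int          # number of equally likely Master Passwords
    defender_rate: float   # HMAC evaluations per second on the user's device
    attacker_rate: float   # HMAC evaluations per second on the cracking rig

    def unlock_seconds(self) -> float:
        """Time the legitimate user waits for one key derivation."""
        return self.iterations / self.defender_rate

    def guesses_per_second(self) -> float:
        """Candidate passwords the attacker can test each second."""
        return self.attacker_rate / self.iterations

    def adr(self) -> float:
        """Attacker/Defender Ratio: attacker guesses made during one user unlock."""
        return self.guesses_per_second() * self.unlock_seconds()

    def average_crack_seconds(self) -> float:
        """Expected search time: on average half the keyspace is tried."""
        return (self.keyspace / 2) / self.guesses_per_second()


# Assumed calibration: 0.25 s unlock and 10,000 guesses/s at 30,000 iterations.
# Constructed keyspace: 8 random characters drawn from a-z and 0-9.
BASE = Scenario(iterations=30_000, keyspace=36**8,
                defender_rate=30_000 / 0.25, attacker_rate=10_000 * 30_000)
MORE_ITERATIONS = replace(BASE, iterations=300_000)        # 10x the PBKDF2 work
EXTRA_DIGIT = replace(BASE, keyspace=BASE.keyspace * 10)   # one more random digit


def compare() -> dict:
    """Return (unlock seconds, ADR, average crack seconds) for each scenario."""
    cases = [("base", BASE), ("10x iterations", MORE_ITERATIONS), ("extra digit", EXTRA_DIGIT)]
    return {name: (s.unlock_seconds(), s.adr(), s.average_crack_seconds()) for name, s in cases}


if __name__ == "__main__":
    for name, (unlock, adr, crack) in compare().items():
        print(f"{name:15} unlock={unlock:5.2f}s  ADR={adr:6.0f}  avg crack={crack / 86400:9.1f} days")
```

Both changes buy the same tenfold increase in average cracking time, but only the iteration increase makes the user wait longer, and neither one moves the ADR.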

There are a couple of other things that PBKDF2 doesn’t do. When it uses SHA1 internally (a very common configuration), it can be optimized to run extremely quickly in GPUs, giving the attacker a high ADR. Computers built with several (or many) GPUs operating in parallel can still perform many billions of SHA1 computations per second. GPUs cannot be so easily tuned when PBKDF2 uses SHA512 instead of SHA1. Our use of SHA512 within PBKDF2 in 1Password 4 is overwhelmingly the biggest reason that we are seeing such a small Attacker/Defender Ratio in the hashcat report.

There is another, more subtle issue with PBKDF2 which can allow the attacker to double the ADR in some peculiar cases. Those cases can be avoided (once people know to avoid them), and a doubling of the ADR is not a big deal. But this does show that PBKDF2 is not the slow hash we would design today.

PBKDF2 is not “memory hard”. It is designed to raise the cost in computation for both attacker and defender, but it doesn’t force a substantial demand on computer memory. If, as has been the case, the price of computation falls faster than the price of computer memory, the attacker can affordably purchase or rent a fleet of fast processors. But, if we build a slow hash function that also requires substantial memory use, we have more flexibility in trying to reduce the ADR.

### So why do we stick with PBKDF2?

For all of its warts, PBKDF2 is the best choice for 1Password today, although it may not be tomorrow. We can mitigate some of the limitations of PBKDF2 in our design, which we currently do. After all, the great results that we have from this weekend’s hashcat report show that we continue to be successful with it.

The best alternative to PBKDF2 that is reasonably well available and scrutinized is scrypt. If scrypt or similar had been further along as a standard, we probably would have used that. But because you need to unlock your 1Password data on a variety of different platforms, we need to use cryptographic functions that are included in well-tested libraries for all of those platforms.

This is why the Password Hashing Competition is so important. This is an effort to develop and agree upon a design for a successor to PBKDF2 that takes into account everything we’ve learned since it was first developed. The aim is that the successor will have enough support to become available to developers in many cryptographic tool kits. But that is a hope for the future. Right now we continue to use PBKDF2 in a way that takes its various quirks into account.

## Your part of the job

Even the slowest hash with a perfect Attacker/Defender Ratio can’t protect a weak Master Password. Our job is to make sure that, when an attacker needs to guess trillions of passwords, they have to really work to do so. Your job is to pick a good Master Password so that it is trillions of passwords they need to guess instead of thousands. In our sample data that hashcat used, the password was “fred” (this was also made public). So even performing less than 500 guesses per second, hashcat was able to find the password “fred” in less than a minute.