Shellshock is bad, unique passwords are good

A new security bug, commonly known as Shellshock (officially CVE-2014-6271), is bad. It is fair to say that a large number of servers (particularly web servers) were vulnerable to serious attack for some time. It is likely that many still are, and we are unlikely to learn about most of them.

What are we to do? Answer: Use unique passwords for each site and service.

Squirrels, rabbits, and passwords

Molly transfixed by "squirrel"

Let’s consider Molly, one of my dogs. She has a one track mind: Squirrels and rabbits. She also is not very good at counting, so she doesn’t understand the difference between one track and two tracks.

Molly tends to reuse the same password for lots of things. Her password for Barkbook is squirrel. It’s also the password for CatChasers and a number of other sites and services.

Suppose that Patty, my other dog, isn’t the sweet innocent little thing that she pretends to be. Suppose that she breaks into CatChasers and is able to steal user passwords from it. She learns that Molly’s password was “squirrel” on CatChasers, so she’ll check if Molly used the same password on Barkbook and other sites.

Security Audit: Molly's duplicates

Password reuse is doubly bad

Indeed, when Molly uses the password “squirrel” on multiple sites, she is putting all those squirrels in one basket. If her password is stolen on any one of those sites, Patty can get into all of those.

The more places that Molly uses the password “squirrel,” the more likely it is that at least one of those sites will get breached, and the more damage is done when her password gets discovered at any one of those sites.

If Molly uses “squirrel” for twenty sites, there is a very strong chance that several of them are vulnerable to this new Shellshock flaw, Heartbleed, or any of the other known and unknown vulnerabilities being exploited. When Patty does break into one of those twenty sites, she will now have control of twenty of Molly’s accounts.

What you can do

In short, be careful. System administrators will be busy for a while. In addition to upgrading bash on systems that use it, they should be trying to track down which systems create environment variables with untrusted content and whether those systems ever invoke a shell.

But normal people (and I don’t think that many will dispute that system administrators are not “normal people”) are left with the knowledge that there are a lot of vulnerable systems out there. By far, the single best thing we can do is to cut down on our password reuse. The easiest way to do that with 1Password is to give Security Audit a whirl.

There is so much more to say

Everyone with some sort of security point to make is using Shellshock to help illustrate and draw their favorite lesson from it. This is easy to do because Shellshock isn’t just a bug, it is a bug that can be exploited because of a series of design decisions that were pretty much asking for trouble. Each one of those decisions (or non-decisions) is something that everyone in the business really does know better about. But somehow, the software and systems engineering community has managed to ignore its own wisdom at each step of the way.

  1. We members of this community know not to pass untrusted data to various other processes, yet we’ve allowed systems that create shell environment variables (things designed to be passed all over the place) from the most untrusted sources of all. [E.g. CGI, DHCP Clients, etc].
  2. Our community knows that tricking systems into executing “data” is often how attacks happen, yet bash has a feature that deliberately allows what is normally data passed around to be executed.
  3. Whether computer science students like it or not, they are taught that when data is in a particular class of languages it is impossible to validate it, yet with bash we’ve stuck a Type 0 language inside of variables.
  4. Scripts and programs should (generally) avoid invoking a shell, as even the Linux manual page for system(3) says:

    Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity.

    Yet calling system(3) is common practice because it is easier than invoking other programs the proper way.

When a system falls victim to Shellshock, it is because every one of those principles and guidelines has been ignored. The first one is in the design of various network services (such as web servers). Numbers two and three are in the design of bash, and number four crops up in innumerable scripts and programs. None of them are actually about the specific bug in bash. Instead, one through three are about specific design features of various systems.
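To make items 1 and 4 concrete, here is an added example (not code from the original post) that contrasts a helper started through a shell with one started directly by execve(2) with a fixed environment. The function names, the `HTTP_USER_AGENT` sample value, and the paths `/usr/bin/env` and `/usr/bin/printf` are assumptions constructed for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a request header exported the way a CGI server would. */
#define UNTRUSTED_NAME "HTTP_USER_AGENT"

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Run path with argv via execve(2), so no shell is started. The child's
 * stdout is captured into out (NUL-terminated, truncated to fit).
 * Returns the child's exit status, or -1 on failure. */
int run_no_shell(const char *path, char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execve(path, argv, CLEAN_ENV);
        _exit(127);                       /* only reached if execve failed */
    }
    close(fds[1]);
    size_t used = 0;
    char buf[256];
    for (;;) {
        ssize_t n = read(fds[0], buf, sizeof buf);
        if (n > 0) {
            size_t room = outlen - 1 - used;
            size_t take = (size_t)n < room ? (size_t)n : room;
            memcpy(out + used, buf, take);
            used += take;
        } else if (n == 0 || errno != EINTR) {
            break;
        }
    }
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Before: popen(3), like system(3), starts /bin/sh, and that shell inherits
 * every variable the caller holds. Returns 1 if the child saw the variable. */
int seen_via_shell(void)
{
    char line[512];
    int seen = 0;
    setenv(UNTRUSTED_NAME, "constructed-untrusted-value", 1);
    FILE *p = popen("env", "r");
    if (p == NULL)
        return -1;
    while (fgets(line, sizeof line, p) != NULL)
        if (strncmp(line, UNTRUSTED_NAME "=", strlen(UNTRUSTED_NAME) + 1) == 0)
            seen = 1;
    pclose(p);
    return seen;
}

/* After: same caller environment, but the child gets CLEAN_ENV only. */
int seen_via_execve(void)
{
    char out[1024];
    char *const argv[] = { "env", NULL };
    setenv(UNTRUSTED_NAME, "constructed-untrusted-value", 1);
    if (run_no_shell("/usr/bin/env", argv, out, sizeof out) != 0)
        return -1;
    return strstr(out, UNTRUSTED_NAME "=") != NULL;
}

/* Untrusted text travels as a single argv element, so characters a shell
 * would interpret are plain bytes to the helper. */
int print_untrusted(const char *untrusted, char *out, size_t outlen)
{
    char *const argv[] = { "printf", "%s", (char *)untrusted, NULL };
    return run_no_shell("/usr/bin/printf", argv, out, outlen);
}

int main(void)
{
    char out[128];
    printf("shell child sees %s: %d\n", UNTRUSTED_NAME, seen_via_shell());
    printf("execve child sees %s: %d\n", UNTRUSTED_NAME, seen_via_execve());
    if (print_untrusted("squirrel; echo rabbit", out, sizeof out) == 0)
        printf("argv passed literally: %s\n", out);
    return 0;
}
```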

There is a great deal I would like to say about each of these, but I will leave that ranting for another time. Today, I just wish to remind everyone about the importance of using unique passwords for each and every service.

Bash update for Mac OS X

Apple has made bash updates available to those who do not wish to wait for regular software update:

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:
* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Check out the first apps to support our 1Password App Extension for iOS 8!

Just in time for iOS 8, 1Password 5 for iOS has been unleashed in all its Touch ID, ready-for-iPhone-6-Plus glory. It also supports iOS 8’s brand new App Extensions feature, which means over 100 developers (and counting!) are building support directly into their apps for our 1Password App Extension, allowing you to unlock your vault with Touch ID, log in with a tap, and even update your app passwords!

In fact a number of developers shipped their 1Password-slinging updates alongside iOS 8 too, from a bank to community favorite apps for reading and work collaboration. Here’s our first rundown of the available 1Password-endowed apps so far, and keep an eye on our Apps that Love 1Password page for a major redesign soon!

Simple

Simple is a new kind of bank. It has no overdraft, minimums, or monthly fees, and it actually gives you great tools for savings and managing financial goals. Support is powered by human beings you can contact right inside this iPhone app, and you can instantly transfer money to (and from!) friends.

Simple integrated our 1Password extension so you can unlock your vault with Touch ID right inside the app and log into your account with a single tap. You can get Simple 2.1 with 1Password integration in the App Store now.

Slack

Slack is changing the way teams communicate. It’s real-time messaging for iPhone, iPad, and the web, combined with file storage and integrated with tools that teams are already using: Dropbox, Asana, Google+ Hangouts, Twitter, Zendesk, and many more. Conversations and files are archived, indexed, and instantly synced across multiple devices, making everything accessible through one simple search box.

You can find out more about Slack on its website, and get it on the App Store to see how Slack could help you be more productive and less busy.

Instapaper

Instapaper is the read-later service that lets you save anything and read it anywhere. You can save articles and other things on the web from any device, then grab this iPhone and iPad app to read those things later, even while offline.

Among plenty of other great new features, the new Instapaper added the 1Password extension so you can use Touch ID and log into your account with a single tap. You can pick up Instapaper 6.0 now in the App Store.

Retro

Retro is a beautiful Instagram browsing app for iPad. It supports multiple accounts, a Today widget for a quick glance at your feed, multiple themes, background updates, and much more.

With its latest update, Retro also gained the 1Password extension for that sweet Touch ID unlocking action and one-tap logging in. You can get Retro 2.2.1 for Instagram in the App Store.

InBrowser – Private Browsing

InBrowser is a web browser for iPhone and iPad with privacy at its heart. In fact, everything will be erased every time you exit InBrowser, including history, cookies, and sessions. You also get tabbed browsing, browser agent cloaking to avoid mobile sites, AirPlay, and more.

Considering InBrowser’s focus on privacy, it’s a good thing the latest version gained the 1Password extension. Now you can unlock your 1Password vault right inside InBrowser with Touch ID, log in with a tap, and leave no trace when you’re done. You can get InBrowser 1.55 in the App Store now.

Treehouse

Treehouse for iPad is “the best way to learn technology.” You can learn to build everything from websites to iPhone apps to web apps, or even to start a business. Over 1,000 videos, quizzes, and interactive code quizzes help you to learn and retain your new skills.

For its big upgrade, Treehouse now includes the 1Password extension so you can unlock your vault with Touch ID and log into your account with a single tap, or sign up for a new account with our Strong Password Generator! You can get learning with Treehouse 2 now in the App Store.

Paste+

 

Paste+ for iPhone is an interesting new breed of iOS 8 apps in that it is primarily a Today widget, and a useful one at that. When you copy something to your clipboard, Paste+ has lots of quick one-tap actions you can take with that thing, such as search it in Google, upload to Dropbox, share to social media and messaging, create reminders, make calls, and much more.

We’re thrilled to see that, for its 1.0 debut, Paste+ included our 1Password extension for login prompts. When you need to authorize Paste+ to access Dropbox, Twitter, or other services, you can unlock your vault with Touch ID and use 1Password to log in with a single tap.

You can get the first-ever version of Paste+ in the App Store now.

1Password 5 for iOS how-to: Enable the extension for Safari and third-party apps

1Password 5 for iOS is now available for iOS 8 and it. is. amazing. One of its best new features is an App Extension that lets you fill Logins directly in Safari and even third-party apps!

There’s just one thing you have to do: like all iOS 8 App Extensions, you have to manually enable the 1Password extension if you want to use it in Safari and other apps. It’s easy to do it, and we have a great support document that shows you how.

The simple version is that you just need to launch 1Password 5 first (and set it up if you never have), then tap the Action menu, scroll to the right of the actions list (the bottom one with black and white icons; Share extensions are on top), tap More, and enable it.

Then you can get on with filling Logins (and soon Identities and Credit Cards) right into Safari!

1Password 5 for iOS is here with App Extensions, Touch ID, new freemium price

I can’t tell you how fired up we are about this release! I literally can’t because there is no tool that can measure excitement on this scale. Years in the making, 1Password 5 is rolling out to the App Store with iOS 8’s best features at its heart, and now it’s free so everyone can save time and get secure online. All Pro features are free to existing v4 owners, and new customers can now get started for free.

By the way, if you sync with iCloud, please see this document about requirements and how best to upgrade.

The new 1Password 5 for iPhone and iPad now requires iOS 8 and is packed with some of our (and your!) best ideas ever:

  • App Extensions – Use 1Password to log into a growing list of your favorite apps and even update your passwords—all with just a tap!
  • Safari + 1Password – You read that right. Just like our in-app 1Browser, you can now fill 1Password Logins directly within Safari! Ooh, speaking of thumbs…
  • Unlock with Touch ID – After unlocking with your Master Password, get back into your vault in 1Password, Safari, and your favorite apps with just your thumb on devices with Touch ID. Check Settings > Security to learn how this works and pick your auto-lock time.
  • Sync now goes to 11 – We rebuilt iCloud sync using Apple’s new CloudKit and it is awesome. Wi-Fi Sync will be automatic and sync attachments with the forthcoming 1Password 5 for Mac, and it’s just plain also awesomer.
  • Adaptive UI – Whether you’re on an iPhone 4S, iPad Air, or a brand new iPhone 6 Plus, 1Password’s interface is dressed for the occasion.
  • So much more – Resume editing items after unlocking 1Password. A brand new Welcome Aboard process makes it even easier to set sail with 1Password. Backup restoration has you covered. And all that is just page one.

Oh, did we mention free?

I have good news and great news.

The good news

1Password 5 for iOS and all Pro features (yep, you read that right!) are a free upgrade to all existing 1Password 4 for iOS customers (reminder: 1Password 5 requires iOS 8).

The great news

1Password 5 for iOS and its core features are now free for everyone to use. We believe every man, woman, and child needs to save time and get secure online. This release is another big step towards making that dream reality.

The free edition can create Logins, Identities, Credit Cards, and Secure Notes, and use those items in Safari and other apps. It can also sync with 1Password for Mac, Windows, and Android.

Introducing Pro features

For a one-time in-app purchase in version 5, Pro features unlock the full power of 1Password 5 for iOS. You can:

  • Create the full range of items including Bank Accounts, Email Accounts, Memberships, Passports, Reward Programs, Wireless Routers, Software Licenses, and many more.
  • Organize your items with folders and tags.
  • Create and add Multiple Vaults.
  • Add custom fields to all items.
  • Support a great company with world-class human-powered customer service that loves you. Yes, including you.

Told you we were excited

We’ve been working towards this day for years and some of us are literally bouncing off our Toronto office walls with joy. We hope you love the new 1Password as much as we do, and now all our friends, family, and coworkers have even more great reasons to use it.

Please let us know what you think on Twitter @1Password, Facebook, and our forum, and join our newsletter so we can stay in touch with you!

Getting chilly for charity

I’m not sure if you’ve been on the Internet lately, but there’s this “ice bucket challenge” thing going around. Sure enough, some members of the AgileBits crew were challenged, and in good form … we challenged all of our co-workers.

We’ve made a donation to ALS (as well as several other causes near and dear to our hearts) and thoroughly enjoyed helping our teammates take the plunge.

Now that we’ve done our good deed for the week, we challenge YOU. Make the world a better place. Donate to a worthy cause and dump a bucket of ice water on a friend.

Our 1Password App Extension for iOS 8 is already supported by over 100 apps, here are nearly 20

The response to 1Password’s App Extension for iOS 8 has been incredible: our customers are beyond excited to use 1Password across iOS with Touch ID and their favorite apps, and an amazing number of developers have already added our extension to their upcoming apps in preparation for iOS 8!

We can’t share the full list of developers yet (we just cracked 100!). But we can show you nearly 20 apps that are already working on integrating 1Password’s iOS 8 App Extension for fast, one-tap logging in and even updating your passwords!

Plus, our 1Password update for iOS 8 will be free to existing customers! Since you can get 1Password for iOS for just $9.99, you can start saving time and get secure online right now.

What the 1Password App Extension can do for you

Since the announcement, our mad-scientist developers have kept working in their secret laboratory to add even more super-hero powers to this powerful extension. Developers, check out our GitHub project to add 1Password integration to your own apps!

Here’s the rundown of the skills we’ve added to the extension so far:

  • Fill Logins, Credit Cards, and Identities into Safari
  • Fill Logins into other third party apps (including web browsers) that add support for it
  • Generate strong, unique passwords and create new Logins during a signup process
  • Update a Login’s password if you change it in an app

Apps that already Love 1Password

As promised, here is a sample of over 100 apps that are already preparing for iOS 8 and our new extension ship!


Watch what you type: 1Password’s defenses against keystroke loggers

I have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer [and obtained root privileges], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware, particularly keystroke loggers, running on your computer could capture your Master Password.

Safe at rest

Let me clarify one thing before going on. 1Password does protect you from the attacker who breaks into your computer and steals your 1Password data. The 1Password data format is designed with just such attacks in mind. This is why your data is encrypted with keys derived from your Master Password. It is also why we’ve put in measures to make it much harder for an attacker to try to guess your Master Password in the event that they do capture your data.

Even if an attacker gains access to your computer and 1Password data, there is little she can do without your Master Password. In this article, I’m focusing on another kind of attack in which the attacker tries to “listen in” to you typing your Master Password. This attacker is running a program on your computer that attempts to record everything you type on the keyboard or enter through some sort of keyboard-like device.

Countering counter-counter measures

I will get to the details below, but this article aims to describe and explain a change in how 1Password for Windows secures its Secure Desktop, a counter measure against a common type of keystroke logger. This change was added recently to 1Password 1 for Windows and has been included in 1Password 4 for Windows since its launch.

Márcio Almeida de Macêdo and Bruno Gonçalves de Oliveira of Trustwave SpiderLabs have discovered a way that a keystroke logger could work around our use of Secure Desktop and reported this to us. They have now reported this publicly (link might be having trouble, but it’s listed among their Security Advisories). We have since added a mechanism which prevents that particular counter measure to Secure Desktop. We very much appreciate SpiderLabs for giving us the opportunity to put a fix in place before announcing their discovery to the public. Trustwave SpiderLabs might grab fewer headlines by having done the right thing, but they have done the right thing.

Secure Desktop itself is a counter measure to keystroke loggers. De Macêdo and de Oliveira’s discovery is a counter measure to our counter measure. We have now introduced a counter-counter-counter measure. All of this will be explained, but it requires a lot of background into how keystroke loggers work and various ways to defend against them.

Keystroke loggers

Keystroke loggers attempt to capture everything that is typed on a particular computer or keyboard and pass that information on to a third party.

There are one or two legitimate uses of these (such as in research on writing), but those all involve the consent of those whose key strokes are being logged. More typically, keystroke loggers run surreptitiously, and are an attack on user privacy. I know that people don’t come to this blog for relationship advice, but if you are seriously tempted to install a keystroke logger to spy on a spouse or lover – a popular use of these things – then I have my doubts about the future of your relationship. Since you didn’t come here for relationship advice (and if you did you came to the wrong place), let’s return to how keystroke loggers work.

Logger in the middle

There are many different ways that keystroke loggers can work, but one useful way to think about this is as something (either hardware or software) that sits between your keyboard and the program you are typing into, something which shouldn’t be there.

Hardware PS/2 keylogger in action

For keyboards that are attached to a computer with a cable, the simplest keystroke loggers are little physical devices that the attacker plugs into the computer, and then plugs the keyboard cable into that.

The keystroke logger is, in this case, sitting between the keyboard and the computer. The computer thinks it is talking directly to the keyboard, and the keyboard thinks it is talking to the computer, but the keystroke logger is sitting between them.

Alternatively, software keystroke loggers sit between components deep within the operating system and silently grab data. Things that are embedded that deeply or are using hardware loggers are not things that user software can detect or defend against.

Most keystroke logging is shallow

Most keystroke loggers take a simpler approach, rather than inserting themselves deep within the system. It is much simpler to write a program that says “hey, I am a program that needs to know everything that is coming in from the keyboard.” Operating systems provide hooks for programs to do exactly that.

You might be asking why operating systems might make writing keystroke loggers so easy. What business does any program running in the background have in seeing the input to some other program? One reason is to help my poor dog Molly, who suffers from (among other things) diabetes. This has led to sufficient necrosis in her paws so that she cannot easily type using a standard keyboard. The specialized device that she uses involves some clever software that looks at the input and uses various predictive technologies to replace the actual input with the intended text. This system intercepts (and changes) input bound for any program running on her computer; however, as far as most programs know, they are just getting input from a “keyboard”. Assistive technologies similar to the one Molly uses are a big part of making computing and communication accessible to more people.

Not only is a basic keystroke logger easy to write, it doesn’t require a complete break into a system. Different processes on a computer run with different privileges. When Molly logs in to her account and runs a program on a computer, the program is run under her user ID and with her privileges. This means that she isn’t able to interfere with processes that are run by Patty (the other dog). She also isn’t able to interfere with the system as a whole. If Mr Talk (the neighbor’s cat) tricks Molly into running a malicious program, that malware will be limited in the damage it can do.

The really deep and hard-to-avoid keystroke loggers would require full power over the system to install. But one of these simpler keystroke loggers requires only the privileges of the user whose keystrokes are to be recorded. So if Molly gets tricked into running a keystroke logger, it won’t affect Patty even if they use the same computer (as long as they are using different accounts). As you can imagine, the bulk of malicious keystroke loggers that spread through computer infection are of this shallower sort.

Counter measures

Now that we have some idea of how the typical keystroke logger works, it’s time to look at some counter-measures. The two most important counter-measures are:

  • keep your system and software up to date
  • exercise caution in what software you install and run

But let me focus on a couple of the counter-measures that 1Password takes.

Counter measures on Mac: Secure Input

On Mac OS X, there are two simple provisions that make it easy to thwart those shallow key loggers. The first one of these is called “Secure Input” and was introduced with OS X 10.3 Panther in 2003. A program—1Password for example—can say, “when the user types something into this particular input field, it must be done in a way that other processes can’t interfere.” Secure Input needs to be used sparingly, as it blocks all sorts of legitimate activity, including assistive technologies that many people (and a few dogs) rely on. And Secure Input blocks TextExpander, which I rely on.

Because 1Password declares the field in which you type your Master Password as a “Secure Input field”, ordinary key loggers won’t have access to it. Since last year’s OS X 10.9 Mavericks, there is another defense built into the operating system. A program can only capture all of a user’s keystrokes if the user has explicitly granted it that permission in System Preferences > Security & Privacy > Privacy under Accessibility. As I described earlier, most (but not all) such software are components of assistive technologies designed to make computers accessible to more people. That is why this system preference is ultimately under Accessibility.

Between these two mechanisms – Secure Input and that any application which has the capacity to log keystrokes must have explicit user approval to do so – OS X defends against these otherwise common sorts of keystroke loggers.

Counter measures on Windows: Secure Desktop

1P Win unlock secure desktop

Windows doesn’t offer the same sorts of defenses that OS X has, but it does allow for the creation of somewhat isolated environments called “Desktops”. On Windows, one can set up different Desktops in which only your program is running (along with system processes). A program running in one Desktop will not be able to listen in on keyboard input in a separate Desktop.

You will find a button that says “Unlock with Secure Desktop” in the upper right corner of the lock screen in 1Password 4. Clicking on that launches the Secure Desktop in which you will be prompted for your Master Password. You can take a look at Unlock with Secure Desktop in action.

Countering Secure Desktop

What de Macêdo and de Oliveira have discovered is that there is a way to set up a keystroke logger that does operate in all desktops, not just the one it was started in. Quite simply, their system launches a process that is able to listen for the creation of new desktops and add a process to each desktop created.

The ease with which they were able to do this (well, everything looks easy in retrospect) reflects the fact that the SwitchDesktop function in Windows was not designed for security purposes. We and others who use Secure Desktop as a mechanism for evading keystroke loggers have been taking advantage of the relatively isolated environment of a separate Desktop. Once the authors of keystroke loggers take our counter measures into account, they can launch counter-counter measures like the one Trustwave describes.

Knowing your environment

We want nothing but system processes and 1Password’s Master Password entry to be running in a Secure Desktop. We don’t want other, probably malicious, processes joining that Desktop. And so, our counter-counter-counter measure is to simply look around and see if there is anything running in the Secure Desktop that is unexpected.

If some unexpected process is found in the Secure Desktop environment, you’ll be prompted to close the Secure Desktop.

Secure Desktop: 1Password has detected an unknown process

Lessons

1. Keep your system and software up to date

The single biggest thing you can do for your computer security is to keep your system and software up to date. The overwhelming majority of actual break-ins are through vulnerabilities that have already been fixed by the software vendors.

2. Pay attention to what software you install and where you get it from

Keystroke loggers and other malware are often installed unwittingly by the victims themselves. Try not to be one of those victims. Be particularly careful of anything that tries to frighten you into installing it. Fake security software and alerts are a common way to get people to install malicious software.

The move toward curated app stores offers additional protections, but it isn’t a complete solution. Still, using those where available will reduce your risks.

3. Use Windows Defender on Windows

I have long been skeptical of most anti-virus software, but Microsoft Security Essentials is something I can unequivocally recommend for those using Windows 7. In Windows 8, Windows Defender is automatically built in and enabled.

4. Understand what software can and can’t do for you

The core security design of 1Password is extremely strong. Quite simply: if you have a good Master Password, nobody who gets a copy of  your 1Password data will be able to decrypt it. 1Password can and does offer outstanding security.

At the same time, 1Password is limited in what it can do to protect you when you are using a compromised computer. It can (and does) offer some protection against shallow (the most common) attacks. But this is a bit of an arms race. As you see, we have had to put into place a counter measure to a counter measure to our counter measure against common keystroke loggers.

This is why the first two items on this list are so important.

In conclusion

1Password takes extraordinary and effective steps to protect your data. This is built into every aspect of its design. But you have to help protect 1Password from malware running on your machine. We do what we can to make things harder for the malware writers, but we can’t do it alone. You must try to provide a safe environment for 1Password and all of your software to run in.

This shared responsibility is similar to that which we have with your Master Password. We provide excellent encryption and protections and defenses against automated password guessing. But you have to pick a good Master Password and treat it well. For those who might be wondering, displaying your password on a giant screen is not treating a password well.


1Password 4.1 for Android brings new features and new freemium pricing!

Since the release of the all-new 1Password 4 for Android, we’ve been thrilled with your feedback and our developers immediately got to work on our first free update. Now we’re back with version 4.1 (rolling out through Google’s servers as you read this!), which packs some powerful new features and our brand new freemium pricing so everyone can get secure, convenient security!

Features and Fun

1Password 4.1 for Android includes some big improvements:

  • Create your 1Password datafile right within the app – You no longer need an existing agilekeychain file to enable sync
  • Stay secure, whether you pronounce it asegurar, sichern, garantir or обеспечить. Version 4.1 has localizations for 17 languages – including Spanish, German, Portuguese and Russian
  • Freemium pricing – 1Password 4 for Android is now free for anyone to try with premium features unlockable via a one-time, in-app purchase. Read on for details!
  • Full release notes with all the features, improvements and fixes are available via the Settings pane within the app

Choose your own adventure with the Freemium model

Do you just need quick access to a password on the go? Or are you a mobile security ninja adding passwords and organizing your data in exotic locations on your Android phone or tablet?

Either way, our new freemium pricing in 1Password 4.1 for Android has you covered. You can now get 1Password 4 for free in the Google Play Store, and everyone can try all premium features for 30 days.

1Password 4 for Android, the Reader version

As a free app, 1Password 4 for Android can:

  • View all items in the vault
  • Delete items from the vault
  • Browse your favourite sites with 1Password’s built-in web view
  • Access all options in Settings (including PIN code and Rich Icons)
  • Configure sync with Dropbox or Folder Sync – both to an existing vault created with one of our other editions or by creating a brand-new vault
  • A whole lot more!

1Password 4 for Android, the premium version

The paid edition unlocks the full power of 1Password for Android, right in your pocket:

  • Create and add an unlimited number of new items
  • Modify existing items
  • Organize items into Folders
  • Mark (and unmark) items as Favourites for quick access… or ‘Favorites’ for our friends south of the border

All 1Password 4 premium features are available for a single in-app purchase of $9.99 and will apply to all devices using the same Google Play Store account.

Did someone say “Sale!”?

You may have noticed that 1Password 4 for Mac, 1Password 4 for Windows and 1Password 4 for iOS are currently on sale, so we certainly couldn’t leave 1Password 4 for Android out of the fun!

For a limited time, you can unlock the premium features of 1Password for only $7.99 – a 20% discount! We do mean limited time, though, so snag those premium features, keep your 1Password data organized, and get simple, convenient security at an incredible price!

Announcing the Get Secure With 1Password Now But Also Stay Secure This Fall When Our Free Updates Arrive Sale

Ok, so maybe our Director of Naming Sales is still in bed, but that changes nothing: in light of this purportedly massive Russian data breach, now is a great time to get yourself, your friends, your coworkers, and that random stranger you always seem to pass on the way to work more secure online.

That’s why we’ve put 1Password for desktops on sale for 30 percent off, and 1Password for iPhone and iPad on sale for a whopping 40 percent off (1Password 4 for Android remains free-to-try through August 18!).

Get 1Password for Mac or Windows for just $34.99 (or both for $48.99!) and Get 1Password for iOS for just $9.99. Family Packs of five licenses also start at just $48.99.

But as the title here suggests, one of our most long-winded sales in AgileBits history is not all that you, your friends, your coworkers, and that random-stranger-turned-friend get. We are announcing that, for Mac and iOS users, our updates coming this fall for Apple’s OS X Yosemite and iOS 8—yes, including our awesome new Safari and in-app extension—will be free for current owners.

So, TL;DR: buy now at an incredible price, get more incredibleness later for free.

Maybe we should keep the crazy sale title after all.

Heads up: Your best defense against the Russian hacker data breach is still strong, unique passwords [Update: And a sale!]

The bad news: Russian hackers claim to have gotten their hands on a sizeable collection of login credentials and emails.

The semi-good news: the story might not add up. According to The Verge, most, if not all, of the credentials may simply have been collected from previous breaches we already knew about, including Adobe, LinkedIn, and others.

The good news: strong, unique passwords for all your sites are still your best defense. If shady individuals nab one or even more of your accounts, 1Password’s unique passwords prevent them from using that information to break into all your accounts.

EVEN MORE good news: To help everyone get more secure online with strong, unique passwords for all their accounts, we’re putting 1Password for iOS on sale for just $9.99! For how long? We’re not sure yet, so act fast and spread the word. Bonus points: our upcoming update for iOS 8 will be free to existing owners!

Unfortunately, we live in a world where data breaches are going to happen. As my colleague Jeff Goldberg likes to remind us: security is a process, not a destination.

The best way to defend against breaches large and small is the same as it ever was: use 1Password’s Strong Password Generator on Mac, Windows, and iOS to create strong, unique passwords for all your accounts with a single click.

1Password’s Security Audit feature is also a great way to stay on top of your security. It shows you duplicate and weak passwords, and our built-in 1Password Watchtower service warns you to change your passwords for any of your Login’s sites that have recently been breached.

As usual, the headlines sound big, but the solution is simple. Use 1Password’s Strong Password Generator for the best defense against data breaches. As this matter is examined further, we’ll let you know more about breach sources or any other pertinent details.