1Password, Heartbleed, and You

Our co-founder, Dave Teare, sent an AgileBits newsletter to our subscribers Friday night about the internet’s Heartbleed bug and how you can use 1Password to defend yourself and change all your passwords. We had a surprising number of requests to republish it here, so I’m happy to oblige!

If you want to receive our occasional AgileBits newsletter with news and tips about 1Password and Knox, as well as other goodies, hit the button below.


And now, our Heartbleed newsletter, republished here for our blog readers.


Hello everyone,

I’m writing to you today with some very important news. A vulnerability named Heartbleed was discovered in the software that protects most web sites.

Please read on to see what actions you need to take.

What is Heartbleed?

Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it’s what’s responsible for the padlock icon in your browser’s URL bar while browsing the web.

Normally when browsing a site using SSL, you can trust that the information you send to the website can only be seen by the website itself. This keeps your private information, such as credit cards, usernames, and passwords, secure.

The Heartbleed exploit enables attackers to bypass the protections provided by SSL. This means any information you sent to a website that relied on vulnerable versions of OpenSSL could potentially already be in the hands of the bad guys.

I found this XKCD comic explained perfectly how the Heartbleed exploit works.

1Password is Not Affected

There is a lot of work to be done as a result of Heartbleed, but let’s start by talking about what this vulnerability does not mean.

1Password does not rely on OpenSSL to secure your data. Your data in 1Password is protected using Authenticated AES 256-bit encryption and can only be unlocked with your Master Password.

This means 1Password is not affected by the Heartbleed bug and there is no need to change your Master Password.

With that said, there is still a lot of work to be done…

Update Your Passwords, Phase 1

While your data is safe within 1Password itself, there is a good chance websites you used were vulnerable and did not protect your username and password.

The knee-jerk reaction to this news is to change all your passwords immediately. While I will be recommending you change your passwords, not all websites have been updated yet to protect against this vulnerability.

The best advice I can give you is to change your most important website passwords immediately, including your email, bank accounts, and other high value targets. This will provide your best defense against previous attacks.

After a few weeks, websites will have been upgraded with new SSL certificates, and you will be able to trust SSL again. At this point you should change all of your passwords again.

How to Change Your Passwords

Changing your passwords on every website is a chore. On the bright side, 1Password makes it easy to upgrade all your website passwords.

How to Update Your Passwords

Heartbleed is a very serious issue so I hope you will take the time needed to update your passwords. Ideally you would change all your passwords, but at the very least, please update the most important ones.

Stop The Bleeding

New, strong, unique passwords are your best defense against Heartbleed. 1Password makes this easy.

To make it easier for everyone to improve their security we decided to put 1Password on sale.

Save 50% Off 1Password and Stop the Bleeding

Please share news of Heartbleed with your friends and families. Simply forwarding this email is a great first step to helping them know that this is a serious issue.

I know I will be using this opportunity to finally convince my mother that she needs to take her internet security more seriously. Hopefully you will also be able to turn this crisis into an opportunity for good.

Stay Tuned

The Heartbleed story is continuing to evolve. I’ll be in touch again soon with an update.

While I normally send these newsletters infrequently, given the gravity of this situation, I’ll likely be sending a few extra this month. I hope you find this helpful.

To get updates even faster, be sure to friend us on Facebook or follow @1Password on Twitter.

Please keep in touch and let us know if there is anything we can do to help.

We'd love to hear your comments in our forum!