1Password 3.6.5 for iOS is out with PBKDF2 goodness!

1Password Pro icon1Password for iPhone, 1Password for iPad, and 1Password Pro (for both iPhone and iPad) have just been updated to version 3.6.5. All of the changes are behind the scenes, but they include a great security enhancement to how your Master Password is protected. Different versions may become available at different times in different locations, so if your free update isn’t ready for download just yet, try again in a little bit.

In addition to the security enhancements discussed below, there are a few bug fixes, more syncing in the background, and some images tailored for the Retina display in the new iPad. If you just want the cliffnotes, here we go:

★ Improved security. Now using 10,000 PBKDF2 iterations to protect the encryption key.
★ Dropbox authentication tokens are now stored in the system keychain.
★ Better support for iPad retina display.
★ Improved Login filling.
☂ Bug fixes.

But if you want to learn a little more about what we’re doing under the hood to protect your 1Password data, venture on.

10000 PBKDF2 iterations

Your Master Password on your device is now protected with 10,000 iterations of PBKDF2. What this means is that if an attacker were somehow to get hold of your encrypted 1Password data from your phone (not an easy thing to do if you take proper precautions), it will be even harder for them to run automatic password guessing software against your master password. PBKDF2 makes the mathematical process of checking whether a Master Password is correct much longer and more difficult.

Your secrets are very well encrypted and protected by your Master Password, but these new measures strengthen that protection. You can read about PBKDF2 in an old article, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too to get more details as it applies to 1Password on the desktop; the same ideas work on iOS devices.

Why change things now?

We’ve long considered using PBKDF2 in 1Password for iOS. The advantages of using it are clear: It provides substantial additional resistance to attacks by password guessing software if your encrypted data falls into the wrong hands. There are a few reasons why now was the right time.

We have faster devices

The principle reason this didn’t come sooner is that, with PBKDF2, unlocking your 1Password data on older devices will take noticeably longer and will consume more power than not using PBKDF2. People running 1Password on first generation iPhones will now have an unlocking delay that may last up to a couple of seconds, and a delay of about one second on the iPhone 3G and on the  first generation iPod touch. Delays should not be particularly noticeable on newer devices, and the vast majority of our customers now use 1Password for iOS on said newer devices.

A great feature of iOS 5 and OS X 10.7 is that the number of PBKDF2 iterations can be calibrated to the particular device. We will be making use of that in 1Password 4 for iOS, and we already make use of that in 1Password 3.9 on Lion.

Finding the right implementation

A lesser reason is that the development toolkits for iOS 3 don’t include functions for performing PBKDF2. We try to work with established tool kits as much as possible. iOS 4 (and particularly iOS 5) contain built-in features that make it easier to write programs that perform complicated encryption functions.

That said, we are still able to bring PBKDF2 to 1Password running on iOS 3. Yes, it will be slow and power hungry on older devices, but it is possible because we found a way to take the PBKDF2 function from the OpenSSL libraries and incorporate it into our code. So even though this isn’t in the Apple supplied SDK for iOS 3, we are able to use a well tested and reviewed implementation.

Changes in the threat landscape

There has also been a change in the threat landscape since we first developed 1Password 3 for iOS. There are several “forensic” tool kits on the market for breaking into iOS devices. As new ways in which data can be taken from iOS devices come to light, we need to provide even better protection against off-line attacks on your 1Password data.

It is probably far less likely that that someone will capture your encrypted 1Password data from your iOS device than your 1Password data from your computer. A stolen computer, unless you use FileVault or some other disk encryption, means that your 1Password data will be available to who ever gets a hold of your disk. This is why we built PBKDF2 into 1Password on the desktop a long time ago.

But it is also the case that most people use better Master Passwords on their desktop systems than on their mobile devices. And so, in the less likely event that the data gets captured from an iOS device, the master password could do with extra protection. If everyone had sufficiently strong Master Passwords, PBKDF2 wouldn’t be necessary. But let’s face it: a very strong Master Password on an iPhone is a Master Password that won’t get used much.

Elcomsoft analysis

Although we have long been aware of the benefits of using PBKDF2, a recent report (PDF) by researchers at Elcomsoft highlighted how quickly a master password could be cracked without the additional protection of PBKDF2. We discussed that report in a recent blog post, “Strong Security Requires Strong Passwords“.

Other security improvements

Dropbox OAuth tokens

1Password stores your Dropbox username and password very securely on iOS for automatic syncing, but it hasn’t been quite as careful with the OAuth tokens used when connecting with Dropbox. If this data is copied and used on another device, it would grant access from that other device to a Dropbox account. We have fixed this in 1Password 3.6.5 for iOS.

We’ve discussed this issue extensively in a recent blog post: OAuth, Dropbox, and your 1Password data.

Padding, integrity, and standards

We try to stick to standards when it comes to encryption and protocols, but even well established standards can later be discovered to be flawed. There turns out to be a design problem with the padding scheme used as parts of the PKCS standards. Introducing PBKDF2 (also defined in the same set of standards) gets around the problem.

I won’t go into much detail, but here is a little background into the issue. An encryption algorithm like AES works on a block of data at a time. In the case of AES the blocks are 16 bytes (128-bits) long. Because the data to be encrypted won’t always be a multiple of 16 bytes, some extra data gets added to the end to “pad” it out to a multiple of 16 bytes. The details of the padding scheme have to include some clever tricks so that when the data in decrypted, the decryption process can recognize where the pad begins, so it knows what to remove.

The problem is that the padding scheme has also been used as an integrity check. That is, it provides a signal to the one decrypting the message whether the data has been modified. Padding is not well suited to that purpose, but that usage means that under certain circumstances it can be used to very quickly verify whether something has been decrypted correctly. The attacker is saved an extra decryption trial in testing whether they have “guessed” the right password.

The simple solution is to make use of cryptographically appropriate integrity checks, Message Authentication Codes (MACs) after encrypting the data. That is, the integrity check is performed on the encrypted data instead of on the plaintext. By using PBKDF2 we are forcing an attacker to go through a large number of extra steps with each “guess”, overwhelming any advantage an attacker might gain through the PKCS padding problem.

Processes and products

All this allows me to bring up a point that we’ve made before but will continue to make: Security is a process, not a product. One aspect of this is that a tool that your security depends on is never “done”. This is not the first security improvement we’ve made over the years, and it certainly won’t be the last. But process isn’t only in updating product. Process is about how people do things. That includes our own testing procedures, and it also includes always working to understand how people use 1Password so that we can continue in our effort to make the easy thing to do also the secure thing to do for people.

[Update April 11: Several people, including Quirks In Tech, have correctly pointed out that I should have been much more explicit in this post about the role that the Elcomsoft report played in our decision to start using PBKDF2. Earlier drafts of this included an extensive section on exactly that, but it got lost as I tried to cut this down to size. I've added a short section back into this post. -jeff]

OAuth, Dropbox, and your 1Password data

1Password in DropboxA number of iOS apps, including 1Password, have a security problem in how they handle OAuth tokens. 1Password 3.6.5, which was submitted to Apple several days ago, fixes this. This will be a free update for all owners of 1Password for iPhone, 1Password for iPad, and 1Password Pro (for iPhone and iPad). We can’t predict how long Apple’s approval process will take, but the update should be available soon, if it isn’t already by the time you read this.

Because of this bug, someone who gains physical access to your device may be able to copy authentication tokens off of it, then install those tokens on their own device to access your Dropbox data. It is not entirely clear at the moment under what circumstances an attacker will also need the device passcode. It appears that if the device has previously been synced with the computer the passcode isn’t required. In any case it is important to protect your iPhone, iPad, or iPod Touch protected with a good passcode.

We have been extremely careful in how we store your Dropbox username and password for automatic syncing, but like many others, we didn’t take the appropriate precautions when it came to OAuth tokens. These tokens allow quick connection to Dropbox (Facebook and other services also use OAuth). Of course, any 1Password data that an attacker fetches from your Dropbox account is still encrypted by 1Password.

In 1Password 3.6.5, which we submitted to Apple at the beginning of the week, we store OAuth tokens securely in the iOS keychain, where they are properly encrypted and cannot be copied to other devices. However, if other apps that use Dropbox have the same problem (and it looks pretty common), then OAuth tokens can be copied from those apps as well.

The OAuth problem

The problem of how OAuth tokens are stored was first discussed Tuesday (April 3) by Gareth Wright reporting on the Facebook iOS app.OAuth logo Since then, it became clear that the Dropbox app itself has the same problem. Presumably there are many other apps that connect to services like Facebook or Dropbox that are unfortunately in the same boat.

Dropbox have told The Next Web that:

[Our] Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same.

Facebook’s initial statements have been less clear, but no doubt they will be submitting a fix soon.

For one of the best discussions of this whole thing, please see the report and analysis by The Next Web.

What this means for you and your 1Password data

1Password Pro iconThis design problem, both in versions of 1Password prior to 3.6.5 and in other apps, means that it is easier for an attacker to get hold of and manipulate your 1Password data stored on Dropbox than we had anticipated. I used to say that it was far more likely that someone could get hold of your 1Password data by stealing your Desktop computer than by getting it off of Dropbox. I certainly have to revise that assessment.

The good news is that your usernames and passwords  (along with notes and attachments) are well encrypted. Even if someone gains full control of your Dropbox account they will not be able to get at the secrets encrypted in your 1Password data. We have also been busily working on an updated version of our data format that is even better suited for life in the cloud.

You can also manage which devices are allowed to connect to Dropbox. That is, you can instruct Dropbox to reject certain OAuth tokens and also view the the last few times each authorized device has connected.

To manage your Dropbox devices, log in to your Dropbox account with a web browser, and under your account name, go to Settings and then “My Computers”. If you suspect that an OAuth token has been stolen, you can unlink the computer or device. After that you will need to relink the computer or device to your Dropbox account using your Dropbox username and password.

Alternatives to Dropbox

Every time there is a security issue with Dropbox, people rightfully suggest that we offer alternative syncing mechanisms. At this point, there is nothing that I’m in a position to say beyond what we’ve said earlier in “Dropbox Terms“. There are developments, but nothing I am even willing to hint at just yet.

More security changes to come in 3.6.5

The changes coming in 3.6.5 are all about security and bug fixes. Please see “1Password 3.6.5 for iOS is out with PBKDF2 goodness!” for details.

Appendix: When is a passcode required for this attack?

When an iOS device is connected to a computer that it hasn’t connected to previously, the user will be prompted to enter the passcode on the iOS device. After that first connection, the computer will store some keys that will allow it to unlock the iOS device for future connections.

So once you have unlocked your iPhone for a particular computer, when you plug it in later, you do not need to unlock it for the file system on the device to bevisible to tools like iExporer. This is presumably why initial reports of this issue claimed that no device passcode was necessary to extract the files containing the OAuth tokens.

There is, unfortunately, one further complication. iTunes will automatically unlock the device for any user account on the same computer that the device has previously been unlocked on. That is, if Alice and Bob both have user accounts on the same Mac, and Alice has at one point entered the her passcode on her iPad to allow syncing, then Bob will be able to gain access to most of Alice’s iPad simply by using iTunes in his account on the Mac. What is worse is that Bob’s account on the computer can also be a guest account, and he will still have access.

All of the testing I have done has been with iTunes 10.6.1 on Mac OS X 10.7.3 (Lion). I have not tested this with iTunes on Microsoft operating systems.

What is worrisome here is that exactly the same people (co-workers, family members) who have the easiest access to your iOS devices are very likely to have some account on the same computer that you have used.

Still, passcodes do matter so please remember that a good device passcode is a good idea.

Data protection classes

As of 1Password 3.6.5 we put the OAuth information into the iOS keychain using the “ThisDeviceOnly” data protection class that will not allow the OAuth token to be copied from the device unencrypted. There is a bit of terminological muddle in that “ThisDeviceOnly” and “ProtectionComplete” mean the same thing except that the former is used with keychain items and the latter used with files. I prefer the term “non-migratable” to cover both.

The application property lists files, plists, contain app preference settings, and this plists do not have the non-migratable restriction on them; they are fully accessible once the device has been unlocked. Note that data with the non-migratable restriction  cannot be restored from an iTunes or iCloud backup to a different device. So if you replace your iPhone or iPad, you will need to re-enter your Dropbox credentials to reestablish automatic syncing.

Please join the discussion of this on our forums.

Strong Security Requires Strong Passwords

Elcomsoft just published a very informative review of the state of the mobile password manager landscape. They investigated the defences applications provide and how long it would take to discover someone’s Master Password. In their findings, they found that if on iPhone or iPad your 1Password Master Password contained only numbers and was 12 digits long, then it could be found in one day, assuming the attacker got ahold of your device or a copy of your data file.

Note that this discovery time is for passwords that only use digits. As Dmitry and Andrey pointed out, this would be equivalent to a 6 character password (lowercase and uppercase characters, digits, as well as symbols):

To quickly convert this value to a comparable length of a password composed of random ASCII characters one can simply divide the former number by two (since number of ASCII characters is 95 ≈ 102).

The main reason the password can be determined so quickly is because 6 characters provide relatively few possible password combinations. To put this into perspective, here’s how the password length affects the discovery time:

Password Length Possible Combinations Discovery Time
6 956 1 day
7 957 3 months
8 958 24 years
9 959 2,348 years
10 9510 223, 152 years
11 9511 21, 199 centuries
12 9512 20 million centuries
13 9513 2 bln centuries
(42 times the age of the earth)

The discovery times are extrapolated from the numbers provided by Dmitry and Andrey in Table 2: Password recovery speeds and recoverable password lengths.

As you can see, it would take quite a while to discover a ten character password. Personally, I use a 13 character password as I have a lot of very sensitive data within 1Password and I want to ensure it remains safe, even if my iPhone was lost. It would take an attacker a very long time to iterate through all the possible combinations, and that is why the discovery time is so inconceivably huge.

With that said, as Dmitry and Andrey point out, 1Password could do more to slow the password discovery process, thereby making it take even longer. For example, on the desktop (both Windows and Mac), 1Password uses PBKDF2 to significantly slow down attackers. Currently this is not available on iOS as we needed to support older devices. The next major release of 1Password will only support iOS 5 and at that time we will be incorporating these additional defences.

You may be wondering why we think strengthening is required; after all, even a 10 character password would require hundreds of thousands of years to crack. The reason is 3 fold:

  1. Some users are using shorter passwords and we want to provide them as much protection as possible.
  2. All these numbers are based on the same hardware described by Dmitry and Andrey. Depending on the attacker’s resources, more powerful machines could be available.
  3. As time goes on, machines will continue to get faster.

To help guard against faster hardware and to strengthen shorter passwords, we are planning to update 1Password’s defences with several significant changes:

  1. 1Password 4 for iPhone will no longer allow items to be protected by just the PIN code. The PIN code was meant for less sensitive items and we always expected the Master Password protection to be enabled on important items. To simplify things, all items will be protected with the Master Password, just like on iPad, Mac, and Windows.
  2. In 1Password 4, we will be switching from 128 bit AES encryption keys to 256 bit.
  3. In 1Password 3 for iPad and iPhone, the password verification process will be significantly slowed down. Specifically, PBKDF2 will be added to iOS to match the Desktop versions. We will also remove the PKCS#7 padding mentioned by Dmitry and Andrey so attackers will be forced to perform two AES decryptions instead of just one.

Updates for 1Password 3 will be submitted to Apple within the next few weeks. Work on 1Password 4 is ongoing and it will be published later this year.

In sum, it is great that Elcomsoft took the time to analyse mobile password managers and draw attention to how critical password length is when protecting your data, and at how easy it is to “pick” a 4 digit PIN code. It’s important that everyone knows this.

What you can do today to ensure your data is protected is the same thing we have recommended all this time: use a Master Password on iPhone and iPad that is long enough to provide adequate protection for your needs. You can refer to the table above to determine the length of password that makes you feel most comfortable. Also, on iPhone, be sure to go through your items and ensure you have enabled Master Password protection.

For tips on how to pick or update to a good, strong Master Password, see our blog posts like Towards Better Master Passwords and its accompanying Geek Edition.

Lastly, all of the calculations assume the attacker has full access to your data. To protect against this, secure your iOS device with a passcode and if you are still backing up with iTunes, be sure to encrypt your backups.

1Password for iOS gets updated, prepares for the future

Big things are afoot, dear 1Password iPhone and iPad users. While we’re not quite ready to talk specifics just yet, I can talk about the small yet shiny updates we released in the App Store and some of our plans for the future.

The updates

Available now are updates to all three iOS versions of 1Password: for iPhone, for iPad, and the universal Pro version for all devices (they’re all version 3.6.1 for those keep track at home). They improve Login filling on websites and fix a handful of iOS 5 bugs like the Login popover, a crasher on iOS 3.1, and an unresponsive search box.

The future

Speaking of iOS 3.1, though, we want to get the word out that this is the last update to support iOS 3 and iOS 4. If you can’t upgrade to iOS 5 for whatever reason, I recommend downloading these version 3.6.1 updates, making a backup copy on your Mac or PC for safe keeping, and simply not opting to update 1Password for iOS until you can upgrade to iOS 5. For a quick way to get a copy of the 1Password for iOS app file (note: this does not backup your actual data. See this guide for that), you can:

  • Select your copy of 1Password in iTunes, from the Apps section in your Library (pictured below)
  • Go to File > Show in Finder/Explorer. This will open a new file browser window to where iTunes stores copies of your apps and automatically the file for 1Password for iOS
  • Copy (don’t move!) this file somewhere safe, or ensure that its folder is backed up by whatever backup software or service you use. Also: +50 points to you for using a backup app or service

ITunes Show in Finder

The why

So why are we going all-in with iOS 5 for the next versions of 1Password for iPhone and iPad? Because iOS 5 adoption is off the charts, and it will let us bring you a more secure and reliable 1Password experience, especially when it comes to some key new features. These enhancements are going to require a lot of work, which means we could add a bunch of extra code to support both iOS 5 and previous versions. But as you’ve probably heard before, extra code means more complexity, and complexity is the enemy of creating a rock solid, fantastic experience.

One of the biggest perks of iOS 5 is, of course, iCloud. Apple’s providing developers with a fantastic cloud service that should simplify a lot of challenges when it comes to sync and backup, and we’re all over that. However, iCloud is only compatible with Lion and iOS 5, as well as Windows Vista and 7.

Another major, though more under-the-hood, change in iOS 5 is something called Automatic Reference Counting. Long story short, this new tech in iOS 5 simplifies a lot of tough problems for developers when it comes to managing memory and making sure apps perform well and don’t crash. Again, we’re all over that. In fact, I think you’d be hard pressed to find someone who isn’t.

The ‘stay tuned’

As far as more details about our next major updates to 1Password for iOS, those will have to wait for another blog post. To be the first to know, be sure to subscribe here to our Agile Blog, follow @1Password and @AgileBits on Twitter, and like the 1Password Fan Page!

On 1Password and iCloud

Just in case this is the first blog post you’ve checked since swearing off reading tech news for the past ten months or so: this is a pretty massive week for new Apple goodies (also: thanks for making this the first post you’ve read in almost a year!). Yesterday, Apple released iOS 5 and its many fantastic new features to the world, as well as a bunch of new apps like Find My Friends, AirPort Utility for iOS, and Cards. Tomorrow, the iPhone 4S becomes available, and Apple’s new service that ties it all together—iCloud—offers some great potential to third-party apps like 1Password.

NewImage

Naturally, we’re getting a lot of questions about whether we will offer iCloud as a sync option in 1Password for Mac, Windows, iPhone, iPad, and Android, either as a replacement or an alternative to our current preferred sync service, Dropbox.

What I can say so far is that we’re just as excited about iCloud as you are, and we’re definitely looking into what it can do for 1Password and you. Fortunately, you can actually enjoy one of iCloud’s perks if you upgraded your iPhone, iPod touch, or iPad to iOS 5 and created an iCloud account: automatic, once-a-day, over-the-air backup and restore of all your iOS app data, which includes 1Password for iOS. Go to Settings > iCloud to learn more and configure.

Without us having to do anything, iOS 5 can at least wirelessly backup your 1Password data, and let you restore that data should you ever need to wipe your device or replace it with a new one. So really, the million dollar question is whether iCloud can function as a great solution for syncing 1Password data between computers and devices.

We don’t want to say anything more about iCloud right now or whether it will turn out to be the great sync solution we know 1Password customers demand. But rest assured, we’re definitely looking into it. As soon as we have more to say, you’ll hear about it here, on our @1Password and @AgileBits accounts, and on our 1Password Facebook page.

1Password in iLounge’s 100 Essential iOS Apps of 2010!

We just got word that 1Password for iPhone and iPod touch made it into the 2011 iPod/iPhone/iPad Buyer’s Guide as one of the 100 essential apps of 2010. In fact, we’re first on the list in the productivity section! You can check out the guide at iLounge and see what other treasures are on the list.

We work hard to make 1Password—and everything we offer—the best it can be, and our users’ feedback makes it all worthwhile. Keep letting us know what you think (and what we can improve) and we’ll keep churning out new features. Thanks to iLounge for making our day!

Updates, Updates, Updates!

In an unprecedented move, Apple approved three updates yesterday: 1Password for iPad 1.2, 1Password for iPhone/iPod touch 3.1.1, and 1Password Pro for iPhone/iPod touch and iPad 3.1.1.

1Password touch updates

Wondering what’s changed? Well, the iPad-specific version has been brought up-to-date with the non-Pro improvements introduced in 1Password Pro 3.1, like a “Show All Login Fields” setting and a reveal/conceal menu option for password fields. There are auto-lock and web view improvements, and that pesky portrait-mode bug1 has been fixed.

1Password (standard) for iPhone/iPod touch (only)’s version is now 3.1.1, which matches 1Password Pro’s version. You can now also send us feedback from within the application, instead of having to launch the Mail application, first.

A changelog accompanies each update, so if you’re interested in the specifics, be sure to check it out, either in iTunes on your computer or in the App Store app on your touch device.

Haven’t purchased yet? You can find more information about each version in our user guide. When you’re ready, you’ll find the applications—1Password Pro, 1Password for iPad, and 1Password for iPhone/iPod touch—in the iTunes App Store.

1 The “Go & Fill” arrow was broken in portrait mode. Sorry about that.

1Password for iPad one of Computerworld’s top eight

1Password for iPad

1Password is an extremely useful app for both the Mac and the iPhone, and now it’s available for the iPad too. The iPad version is more like a grownup application…

We’re stoked that Computerworld consider 1Password for iPad one of the device’s top applications. This is going to be a wild, wild ride, and it’s fantastic that you’ve joined us for it!

iPad Feature Sneak Peek

Feature Sneak Peek: A much easier way to browse and login on your iPad

We’re toiling away on updates to 1Password for iPad and 1Password Pro, so we thought we’d show off a little. Obviously, one of the bummers of Mobile Safari is that Apple does not (yet) let developers plug into it. This means that 1Password for iPhone OS cannot integrate with Mobile Safari as tightly as it does with most browsers on your Mac.

But who says you have to browse in Safari?

We’re bringing “Available Logins” to the browser built into 1Password for iPad and 1Password Pro. This means that when holding your iPad in landscape mode, you can open 1Password’s browser, visit a site, then tap the Available Logins menu to see any of your Logins that match the site. Tap one, and 1Password will fill the form and log you in.

Browsing the web and logging into your sites on an iPad, iPhone, or iPod touch cannot get any easier than this. You will be able to enjoy this feature once Apple approves our next updates to 1Password for iPad and 1Password Pro, which we hope to submit in the next day or three.

We're working through some iPad bugs (Updated)

Update: 1Password Pro 3.0 and 1Password for iPad 1.1 are now available in the App Store! See this post about the changes in these two updates, or just visit the App Store in iTunes or on your device to update!

Original post:

Some of our users are reporting some bugs in 1Password for Mac, such as problems when syncing with the requisite 1Password for Mac 3.1 update, Go & Fill quirks, and crashes. Now that we actually have iPads on which to test our software (the simulator Apple provides unfortunately isn’t enough), we are squashing these bugs with the determination of an Olympic Games finalist.

We hope to submit a new build to Apple by either today or tomorrow that resolves most of these issues. We’ll keep you posted here and on Twitter.