1Password update out in Mac App Store now, website soon

Our Mac App Store 1Password customers have a small update waiting in the Updates tab, and our website customers will get a little present soon too.

For Mac App Store customers, we’ve made some big improvements to our Passwords Plus importer so it can now create Secure Notes, Credit Cards, and Logins. We also updated our Chrome extension so that it should play well with the changes coming down the pipeline in the Beta, Developer, and Canary builds.

1Password 3.9.5 is available now in the Mac App Store and is a free update to all existing Mac App Store customers.

As for you wonderful website customers, 1Password 3.8.19 is coming soon with a few perks of its own. For starters, this version will play nicely with Apple’s upcoming release of OS X Mountain Lion and its new Gatekeeper app security feature (Jeff Goldberg is working on a good post explaining more about this). This release will also include the Chrome support we released in the Mac App Store update.

1Password 3.8.19 should be out later today for our website customers, so keep an eye on @1Password on Twitter and Facebook for the announcement. Because jamming on the 1Password > Check for Updates menu is not much of a way to pass the time.

1Password 3.6.5 for iOS is out with PBKDF2 goodness!

1Password for iPhone, 1Password for iPad, and 1Password Pro (for both iPhone and iPad) have just been updated to version 3.6.5. All of the changes are behind the scenes, but they include a great security enhancement to how your Master Password is protected. Different versions may become available at different times in different locations, so if your free update isn’t ready for download just yet, try again in a little bit.

In addition to the security enhancements discussed below, there are a few bug fixes, more syncing in the background, and some images tailored for the Retina display in the new iPad. If you just want the CliffsNotes, here we go:

★ Improved security. Now using 10,000 PBKDF2 iterations to protect the encryption key.
★ Dropbox authentication tokens are now stored in the system keychain.
★ Better support for iPad retina display.
★ Improved Login filling.
☂ Bug fixes.

But if you want to learn a little more about what we’re doing under the hood to protect your 1Password data, venture on.

10,000 PBKDF2 iterations

Your Master Password on your device is now protected with 10,000 iterations of PBKDF2. What this means is that if an attacker were somehow to get hold of your encrypted 1Password data from your phone (not an easy thing to do if you take proper precautions), it will be even harder for them to run automated password guessing software against your Master Password. PBKDF2 makes the mathematical process of checking whether a Master Password is correct much slower and more expensive, and that cost has to be paid again for every single guess.

Your secrets are very well encrypted and protected by your Master Password, but these new measures strengthen that protection. You can read about PBKDF2 in an old article, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too, to get more details as it applies to 1Password on the desktop; the same ideas work on iOS devices.

Why change things now?

We’ve long considered using PBKDF2 in 1Password for iOS. The advantages of using it are clear: It provides substantial additional resistance to attacks by password guessing software if your encrypted data falls into the wrong hands. There are a few reasons why now was the right time.

We have faster devices

The principal reason this didn’t come sooner is that, with PBKDF2, unlocking your 1Password data on older devices will take noticeably longer and will consume more power than not using PBKDF2. People running 1Password on first generation iPhones will now have an unlocking delay that may last up to a couple of seconds, and a delay of about one second on the iPhone 3G and on the first generation iPod touch. Delays should not be particularly noticeable on newer devices, and the vast majority of our customers now use 1Password for iOS on said newer devices.

A great feature of iOS 5 and OS X 10.7 is that the number of PBKDF2 iterations can be calibrated to the particular device. We will be making use of that in 1Password 4 for iOS, and we already make use of that in 1Password 3.9 on Lion.
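As an added illustration (not code from 1Password or Apple), the following Python shows why the iteration count matters and how the per-device calibration described above can be done: PBKDF2 is run at the 1,000 and 10,000 counts the post mentions, the cost of one iteration is measured once on the current machine, and from that the guessing rate an attacker holding the encrypted file would face, and an iteration count for a chosen unlock time, are computed. The hash function (HMAC-SHA256), the salt, and all sample values are assumptions made for the example.

```python
import hashlib
import time

# Constructed sample values; 1Password's real salt handling and file format
# are not shown here, and the use of SHA-256 inside PBKDF2 is an assumption.
MASTER_PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
KEY_LEN = 32


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256.  An attacker holding the encrypted file must
    repeat exactly this call for every Master Password candidate, so the
    work per guess grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def seconds_per_iteration(probe_iterations: int = 2000) -> float:
    """Time one short derivation on this device and return the cost of a
    single iteration; everything below scales from this one measurement."""
    start = time.perf_counter()
    derive_key("probe", SALT, probe_iterations)
    return (time.perf_counter() - start) / probe_iterations


def guesses_per_second(iterations: int, sec_per_iter: float) -> float:
    """Offline guessing rate a single core could reach at this count."""
    return 1.0 / (iterations * sec_per_iter)


def calibrate_iterations(target_ms: float, sec_per_iter: float,
                         minimum: int = 10_000) -> int:
    """Choose an iteration count so one unlock takes about `target_ms` on
    this device, never dropping below `minimum`.  Hypothetical re-creation
    of the per-device calibration the post attributes to iOS 5 / OS X 10.7,
    not Apple's API."""
    wanted = int(target_ms / 1000.0 / sec_per_iter)
    return max(minimum, wanted)


if __name__ == "__main__":
    spi = seconds_per_iteration()
    for n in (1_000, 10_000):  # the before/after counts from the 3.8.11 notes
        key = derive_key(MASTER_PASSWORD, SALT, n)
        print(f"{n:>6} iterations: key {key.hex()[:16]}..., "
              f"~{guesses_per_second(n, spi):,.0f} guesses/s per core")
    print("iterations for a ~100 ms unlock on this machine:",
          calibrate_iterations(100.0, spi))
```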

Finding the right implementation

A lesser reason is that the development toolkits for iOS 3 don’t include functions for performing PBKDF2. We try to work with established toolkits as much as possible. iOS 4 (and particularly iOS 5) contain built-in features that make it easier to write programs that perform complicated encryption functions.

That said, we are still able to bring PBKDF2 to 1Password running on iOS 3. Yes, it will be slow and power hungry on older devices, but it is possible because we found a way to take the PBKDF2 function from the OpenSSL libraries and incorporate it into our code. So even though this isn’t in the Apple-supplied SDK for iOS 3, we are able to use a well-tested and reviewed implementation.

Changes in the threat landscape

There has also been a change in the threat landscape since we first developed 1Password 3 for iOS. There are several “forensic” toolkits on the market for breaking into iOS devices. As new ways in which data can be taken from iOS devices come to light, we need to provide even better protection against off-line attacks on your 1Password data.

It is probably far less likely that someone will capture your encrypted 1Password data from your iOS device than your 1Password data from your computer. A stolen computer, unless you use FileVault or some other disk encryption, means that your 1Password data will be available to whoever gets hold of your disk. This is why we built PBKDF2 into 1Password on the desktop a long time ago.

But it is also the case that most people use better Master Passwords on their desktop systems than on their mobile devices. And so, in the less likely event that the data gets captured from an iOS device, the Master Password could do with extra protection. If everyone had sufficiently strong Master Passwords, PBKDF2 wouldn’t be necessary. But let’s face it: a very strong Master Password on an iPhone is a Master Password that won’t get used much.

Elcomsoft analysis

Although we have long been aware of the benefits of using PBKDF2, a recent report (PDF) by researchers at Elcomsoft highlighted how quickly a Master Password could be cracked without the additional protection of PBKDF2. We discussed that report in a recent blog post, “Strong Security Requires Strong Passwords”.

Other security improvements

Dropbox OAuth tokens

1Password stores your Dropbox username and password very securely on iOS for automatic syncing, but it hasn’t been quite as careful with the OAuth tokens used when connecting with Dropbox. If this data is copied and used on another device, it would grant access from that other device to a Dropbox account. We have fixed this in 1Password 3.6.5 for iOS.

We’ve discussed this issue extensively in a recent blog post: OAuth, Dropbox, and your 1Password data.

Padding, integrity, and standards

We try to stick to standards when it comes to encryption and protocols, but even well-established standards can later be discovered to be flawed. There turns out to be a design problem with the padding scheme used as part of the PKCS standards. Introducing PBKDF2 (also defined in the same set of standards) gets around the problem.

I won’t go into much detail, but here is a little background into the issue. An encryption algorithm like AES works on a block of data at a time. In the case of AES the blocks are 16 bytes (128 bits) long. Because the data to be encrypted won’t always be a multiple of 16 bytes, some extra data gets added to the end to “pad” it out to a multiple of 16 bytes. The details of the padding scheme have to include some clever tricks so that when the data is decrypted, the decryption process can recognize where the pad begins, so it knows what to remove.

The problem is that the padding scheme has also been used as an integrity check. That is, it provides a signal to whoever is decrypting the message as to whether the data has been modified. Padding is not well suited to that purpose, and that usage means that under certain circumstances it can be used to very quickly verify whether something has been decrypted correctly. The attacker is saved an extra decryption trial in testing whether they have “guessed” the right password.

The simple solution is to make use of cryptographically appropriate integrity checks, Message Authentication Codes (MACs), after encrypting the data. That is, the integrity check is performed on the encrypted data instead of on the plaintext. By using PBKDF2 we are forcing an attacker to go through a large number of extra steps with each “guess”, overwhelming any advantage an attacker might gain through the PKCS padding problem.
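To make the padding point concrete, here is an added Python example (not 1Password’s code) that implements the block padding described above, measures how often a block of effectively random bytes, which is what decrypting with a wrong key produces, still passes the padding check, and contrasts that with a MAC computed over the ciphertext. It assumes PKCS#7-style padding with a 16-byte block and HMAC-SHA256 as the MAC; the key and stand-in ciphertext are constructed values, and no real cipher is run.

```python
import hashlib
import hmac
import random

BLOCK = 16  # AES block size in bytes, as the post states


def pkcs7_pad(data: bytes) -> bytes:
    """Append n copies of the byte value n so the length becomes a multiple
    of BLOCK.  A pad is always added (a whole block for aligned input); that
    is the trick that lets decryption tell where the pad begins."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Remove the pad, raising ValueError when it does not look like one.
    This accept/reject signal is the improvised integrity check the post
    warns about."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def padding_false_accept_rate(trials: int, seed: int = 1) -> float:
    """A wrong key turns the final block into effectively random bytes; measure
    how often such a block still passes the pad check (about 1 in 255), so the
    check alone rejects almost every wrong guess instantly.  Constructed simulation."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        try:
            pkcs7_unpad(rng.randbytes(BLOCK))
            accepted += 1
        except ValueError:
            pass
    return accepted / trials


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the ciphertext, so integrity is
    checked before, and independently of, any decryption or unpadding."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def mac_verify(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison; a mismatch means reject without decrypting."""
    return hmac.compare_digest(mac_tag(mac_key, ciphertext), tag)


if __name__ == "__main__":
    print(pkcs7_unpad(pkcs7_pad(b"hello")), len(pkcs7_pad(b"hello")))
    print(f"random blocks passing the pad check: {padding_false_accept_rate(20000):.3%}")
    key, ct = b"\x01" * 32, bytes(range(32))  # constructed MAC key and stand-in ciphertext
    tag = mac_tag(key, ct)
    print(mac_verify(key, ct, tag), mac_verify(key, ct[:-1] + b"\x00", tag))
```

With a MAC over the ciphertext the only per-guess signal is the tag comparison, and the MAC key itself comes out of the PBKDF2 step, so each guess still costs the full iteration count.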

Processes and products

All this allows me to bring up a point that we’ve made before but will continue to make: Security is a process, not a product. One aspect of this is that a tool that your security depends on is never “done”. This is not the first security improvement we’ve made over the years, and it certainly won’t be the last. But process isn’t only about updating the product. Process is about how people do things. That includes our own testing procedures, and it also includes always working to understand how people use 1Password, so that we can keep making the easy thing to do also the secure thing to do.

[Update April 11: Several people, including Quirks In Tech, have correctly pointed out that I should have been much more explicit in this post about the role that the Elcomsoft report played in our decision to start using PBKDF2. Earlier drafts of this included an extensive section on exactly that, but it got lost as I tried to cut this down to size. I've added a short section back into this post. -jeff]

A fix for Safari 5.1.4 for Mac and 1Password Helper problems

Good news, everyone! Well, bad news, then good news. To keep things short: Apple just released Safari 5.1.4, and it’s causing some ruckus with our 1Password browser extension for a few of our Mac users. That’s the bad news.

The good news is that we have a fix, and it’s pretty darn easy. We have a support document that explains everything with an accompanying screenshot, but in short: for the vast majority of customers experiencing this problem, it seems to be an issue with running Safari in 32-bit mode instead of 64-bit. To get Safari and our 1Password Helper playing nicely together again, you can:

  • Quit Safari
  • Right-click Safari in your Applications folder and choose Get Info
  • Uncheck the “Open in 32-bit mode” option
  • Restart Safari and live happily ever after

So far, we’ve seen only one instance where a customer also had to restart their Mac for this fix to actually stick. But on the whole, this seems to solve the problem. If you still experience trouble, though, please get in touch with our support team and they’ll get you squared away!

A big 1Password extension 3.9 update is out!

Are you sitting down? Ok, you folks who stand while you work—don’t answer that. Regardless, if you’re reading this in Safari, Chrome, or Firefox, we have a great new 1Password browser extension release for you.

Fresh out of beta is version 3.9 of our browser extension, and boy it’s a doozy. We added support for multiple profiles to Firefox and Chrome, and domain matching is, as they say in the car industry, “all new,” except we actually mean it. We completely rewrote it to watch out for things like subdomains and international domains.

All told, we added over 20 new features, changes, fixes, and bits of TLC in this extension update, and you can read all the details if so inclined. As for how to get it:

  • If you already have our new 1Password browser extension installed, your browser should update automatically, if it hasn’t already
  • If you need to install our extension on Mac or PC (Windows Firefox users—your wait is almost over, promise!), just open 1Password’s Preferences to the Browsers pane, click Install Browser Extensions, and follow the instructions on the webpage that opens

We hope you enjoy the new extension, and let us know what you think!

1Password 3.9.4 is waiting for Mac App Store customers

Fire up those Mac App Stores and click those Updates tabs ladies and gentlemen, because 1Password 3.9.4 is waiting to do your bidding.

This is a minor (and free) update that brings a few bug fixes and one key new feature: support for multiple browser profiles for Chrome and Firefox users. This has been a big request lately, and we’re happy to answer the call. We also improved a number of localizations in this release.

If you want to start rolling with multiple profiles in Chrome and Firefox right away, you’ll need the 3.9 beta version of our browser extension (we’re wrapping up work on it and hope to ship the final version soon). To opt into our beta extension, open 1Password and go to 1Password > Install Browser Extensions to open our extension download page. Click the beta option on that page and install any extensions you need. Alternatively, you can just wait a little bit and we should have the 3.9 version of our browser extension out soon.

Check out our forum for the rest of 1Password 3.9.4’s changelog, or just open Mac App Store to see the release notes and grab your copy.

1Password updates are out with some nice new perks

They say “good things come in pairs.” Or maybe it’s “to those who wait.” Hang on, who is “they” anyway?

Before we get wrapped up in colloquialisms, let’s tackle something a little easier: the new perks that both our Mac App Store and website customers can enjoy in a pair of 1Password updates we released. We’ve added the usual round of all-natural performance enhancements and polish (honest: AgileBits is a steroid-free company!). Mac App Store customers can check the “What’s New” section in the store, and website customers can check our version history page.

These updates are waiting for you, right now, up in the Agile Cloud. Here’s how to grab them:

  • Mac App Store customers: Open the Mac App Store and go to the Updates tab
  • Website customers: Go to 1Password > Check for Updates

1Password 3.8.13 for Mac is out

We have a small post-Christmas gift for owners of 1Password for Mac from our web store. It’s not a huge update, but there are some handy additions and tweaks for you:

Changed

  • Removed Firefox from Import options as the current extension imports it directly within Firefox.
  • Updated Diagnostics Report to log the extension’s database schema information.
  • Added Available Disk Space to the Diagnostics Report.
  • Added more logging to 1Password Helper to help investigate situations involving sync issues.

Fixed

  • Now handling escaped quotes when importing CSV / Delimited files.
  • Fixed problem re-importing deleted data from 1Password Interchange (.1pif) files.

If you own 1Password for Mac from our web store (not the Mac App Store), open it and go to 1Password > Check for Updates to get this new version.

1Password 3.8.12 for Mac fixes Chrome, snack pack issues

Hello again, Agile Readers, and welcome to another episode of 1Password Updates! We have another minor yet exciting episode for you today—will that Chrome bug get squashed, could that fix get… fixed? Read on for the exciting conclusion!

Ok, let’s put that theme on hold and just cut to the chase. 1Password 3.8.12 for Mac for our web store customers isn’t a big feature release, but it’s a good bug fix release. In particular, we fixed a few lingering problems related to communicating with the Chrome extension, a few other general quirks in the 1Password Helper, and we are happy to say that 1Password weighed in at 1MB lighter on the file scale!

The full changelog goes a little something like this:

  • Now verifying 1PasswordAgent files exist within the 1Password.app package before removing and upgrading existing agent
  • Improved 1PasswordAgent communication with Google Chrome to avoid timeouts
  • Improved logging in 1PasswordAgent when communicating with web browsers
  • Reduced download size by just over 1 MB
  • Now opening the correct URL when using the Help > Release Notes menu
  • Fixed crash of helper when attempting to unlock browser extension with a blank master password
  • Fixed problem preserving aspect ratio of software license icon images
  • Fixed problem deleting software item icon with the keyboard Delete key

As you might guess, if you use 1Password for Mac from our website, you can open it and go to 1Password > Check for Updates to grab this new version.

1Password 3.8.11 for Mac brings improvements and fixes

We have some good news right now, and some more in-depth good news about this good news on the way. To kick things off: 1Password 3.8.11 for Mac is out for our website customers, and it brings some important under-the-hood changes.

For our Mac App Store customers: 1Password 3.9.2 already contains all of these fixes except for the password strength indicator change. That should come in a future update. To give you a better understanding of what these changes mean, our Chief Defender Against the Dark Arts, Jeff Goldberg, is whipping up a blog post right now. So until then, I’ll just leave our release notes right here:

Changed

  • Improving defence against brute force attacks by increasing PBKDF2 iterations from 1000 to 10000. Currently this applies only to newly created data files. For more information on PBKDF2, please see this blog post.
  • Removed deprecated “New Logins Bookmarklet” feature. Users of this feature are encouraged to use the iOS edition of 1Password or 1PasswordAnywhere.
  • Removed Export to Encrypted Web Page feature. Users of this feature are encouraged to use 1PasswordAnywhere or the iOS edition of 1Password.
  • Improved defence against data harvesters by not including the password strength indicator. This only applies to new and edited items; to update all your old items, the Help > Troubleshooting > Rebuild Data File menu can be used.
  • Several updates and improvements to the Diagnostics Report.
  • Updated to latest Growl framework.
  • When downloading website previews 1Password now correctly downloads Apple touch icons from non-standard locations.

Fixed

  • Fixed issue where empty items and deleted folders would appear in the 1PasswordAnywhere Trash.
  • Now clearing caches after rebuilding data file.
  • Fixed the problem where 1Password could freeze when deleting a Smart Folder.

1Password 3.9.2 now in the Mac App Store

Mac App Store customers have a great reason to swing over to the Updates tab, because 1Password 3.9.2 is out! This isn’t quite as large of an update as 3.9.1 just two weeks ago, but its key fixes and performance improvements go a little something like this:

Improvements:

  • Improved performance when deleting a folder.
  • Added ‘Quit’ item to 1Password Helper menu.

Bug fixes:

  • Fixed problem where item data could be lost in certain scenarios.
  • Fixed problem where “Restore from Backup” window would not show the latest backups.
  • Fixed the problem where 1Password could freeze when deleting a Smart Folder.
  • Fixed problem creating saved search for Unfiled folder (items that are not in any folder).
  • Now clearing cache after data file is rebuilt.

As you might guess, 1Password 3.9.2 for Mac is a free update for existing owners. Just open the Mac App Store app and click the Updates tab to start downloading!