1Password for Mac 3.8.21, the browser extension, and the Chrome Web Store

Peanut butter & jelly. Penn & Teller. Peas & pods—such incredible pairings are rare in this age, but today we are delighted to announce a new one.

The 1Password extension and the Chrome Web Store.

1P extension Chrome Web Store

Available for Mac users and soon out of beta for Windows users, you can now install the Chrome version of our 1Password extension from the Chrome Web Store. You still need 1Password for Mac installed, of course (or PC, when it’s ready), but this will make installing our Chrome extension much easier. I should also point out this is our official method of installing the Chrome extension from here on out.

We released 1Password for Mac 3.8.21 for our website customers with support for installing the new Chrome extension, and the Mac App Store version already supports it. This update also includes a couple other good changes you can view in the changelog.

If you already have our Chrome extension installed, you need to remove it before installing from the Chrome Web Store. To remove a Chrome extension, right-click it in the toolbar and choose “Remove from Chrome.”

We hope you enjoy our new, friendlier, more Chrome-ier extension install process. As for other browsers, stay tuned.

1Password for Mac wins About.com Readers’ Choice Award!

About.com Reader's Choice 2013 award

We couldn’t have done this without you—literally! After all, this is a reader’s choice award, and we only won because of you!

Thanks to your votes, 1Password for Mac won About.com’s Reader’s Choice Award for 2013 in the Best Mac System Utility category. We were up against some great competition, but in the end, the people have spoken.

Thanks again to everyone who voted, and don’t worry, we won’t let it go to our head. We have plenty of reasons on the way in 1Password 4 to earn your vote in the next contest.

Did the 1Password browser extension just appear in Facebook’s News Feed video?

Yes! Take that, Betteridge’s Law of Headlines!

Of course, we’re on the Facebooks just like the Tweeters and even the Google+es. It’s a great way to stay in touch with us, and it’s great to see that Facebook seems to agree.

1P in Facebook video

If you haven’t seen the news, Facebook announced a pretty big change coming to the News Feed, the place where everyone posts their deep, personal journal entries right next to their Instagramed lunches.

I’ll let you head over and read all about it on your own time, because the real news from all this appears at 1:16 in the video Facebook made (at the bottom of the page). As eagle-eyed AgileBits Caffeinated Problem Solver Chris De Jabet noticed, the 1Password Chrome extension makes a cameo. While I don’t have security clearance to know whether 1Password is company policy over there, it is at least a great reminder that your Facebook account should really have a good, strong password to protect your personal space!

1Password is part of the Mac App Store Get Stuff Done Productivity Sale!

MAS Get Things Done Productivity Sale

Have you been feeling… not so get-stuff-done-y? Like you could really use a fantastic tool to create and effortlessly use strong, unique passwords for all your sites, save time by filling web forms with a click, and jot down ideas and other sensitive information you don’t want lying around in sticky notes?

Would you perhaps like to acquire said fantastic tool at 50 percent off?

Then head on over to the Mac App Store’s Get Stuff Done Productivity Sale, because 1Password is part of it! For a limited time you can pick up 1Password for 50 percent off, along with a number of other fine Mac apps!

Don’t forget, though: limited time is not synonymous with “indefinitely.” Run, don’t walk.


We listened: Direct sync in 1Password 4 for iOS

The response to 1Password 4 for iOS has been fantastic, and we can’t thank everyone enough! While reviewing all the great feedback and requests, we heard loud and clear that direct syncing between iOS and Mac is important for many people, and we plan to do something about it.

1Password 3 provided direct syncing between Mac and iOS via Wi-Fi syncing, and while it was great in its day, it was never perfect. Between the need for manual syncing and networking issues, it did not provide a great user experience. Over the years, our team fell in love with the ease of Dropbox and stopped using Wi-Fi sync altogether. Since none of us used it, and in light of the feature’s problematic nature for many of our users, we decided not to include Wi-Fi syncing when we rewrote 1Password 4 from the ground up.

When we released 1Password 4 for iOS, many people wrote in to explain that direct syncing was critical to their workflow. Some need it because of work rules, some because of regional restrictions that prevent access to sync solutions like Dropbox. Others simply prefer to keep all their data locally without depending on the cloud.

If you’re one of the people who requires the ability to sync directly, rest assured that we’ve heard from you that this is critical to your needs.

We’ve started on a new way to sync data directly over USB and it is already in private beta testing. We’re pretty excited about this because almost all of the support issues caused by Wi-Fi syncing were related to weird network configurations. By syncing directly over USB, we can avoid all those issues. Hopefully, we will never have to ask a customer to reboot their router again :)

We don’t have an ETA on when USB syncing will be available, but beta testing results so far have been promising. If you rely on direct syncing, please stick with 1Password 3 for a little while longer until the USB sync solution is completed.

We’ll post more information about USB syncing soon. Stay tuned!

Apple says 1Password for Mac goes “Better Together” with iPhone and iPad

I mean, it’s one thing for us to say 1Password for Mac works great with 1Password Pro for iOS.  But then, it’s a whole ‘nother thing to hear it straight out of Apple!

In the Better Together section of the Mac App Store that highlights apps that work and sync well across OS X and iOS, Apple listed 1Password among some excellent company. Thanks Apple! It’s always nice to get a second opinion.

1Password Stories: Tips and Tricks from our customers

We hear a lot of great 1Password tips and stories from customers. Sometimes it’s a clever trick, others it’s a great story about helping a family member, friend, or coworker discover 1Password or make a feature click in just the right way. Eventually, one of our Agile folks asked a simple question: why keep all this great stuff to ourselves?

Enter 1Password Stories, a new series we want to use to share these nuggets of awesome so everyone can get more out of 1Password. To kick this off, I want to start with some clever tricks that customers shared in our Agile forums and our Facebook Page:

  • Nick Peelman says he started using 1Password to store serial numbers for all his hardware. “I used to keep the note stored in plain text in Dropbox,” Nick wrote in our forum, “but using 1Password makes it a little easier to access, and as expected, more secure.” But wait, there’s more to it: “It’s handy to have a running list of serials for your hardware should anything ever go missing or get stolen. Storing that list securely in a cloud-based system makes it that much handier. It’s also a good way to identify your stuff among other people’s, should similar items ever get jumbled together.” Nick’s trick can be useful for all sorts of other situations, like adding these things to your insurance policy or calling customer support for service.
  • “bbinder” says he stopped bookmarking sites in browsers and started relying on 1Password and a trick involving a couple of third-party apps. After all, by saving a site for a Login, you’re already creating a bookmark in 1Password, right? bbinder fancies LaunchBar, which is a great productivity utility that lets you control your Mac and do all sorts of things with just a couple strokes of the keyboard. In June this year, LaunchBar added support for looking up and opening your 1Password Logins, which was right up bbinder’s alley: “With LaunchBar’s 1Password integration, I hit the shortcut to open LaunchBar, then type in “1p” > space bar > and start typing away to get to the 1,000+ sites I have, condensed to what I am looking for.” A similar trick works with the 1Password extension in Chrome, and bbinder is all over it: “Since Chrome is my default browser on my Mac, I get the site opened [via my LaunchBar process] and get to work after 1Password fills in the site credentials and I’m on my way. If there are other sites I need to get to in a hurry, It’s a quick Command+T to open a new tab, type in 1p and hit the tab key and start typing in the site name and 1P automatically shows the relevant sites I’m looking to access. Select the site and it directs me there and logs me in.” In other words: if you’re curious about getting more done on your Mac with just your keyboard, bbinder just might be a person to talk to.
  • Richard Gaywood, PhD, 1Password customer, and TUAW writer extraordinaire, also shared a smart idea that I’ve heard from other customers in the past: “Before my wife went into hospital last week with could-have-been-serious problems, she put her 1Password password in my 1Password. Just in case.” It’s better to be safe than sorry in unfortunate circumstances like this. Fortunately, Richard’s wife came home yesterday and I think it’s safe to say that, while this is a good idea, it’s also a good thing they didn’t have to get much use out of it.
  • Penelope Pitstop shared a great idea in our forum, too: “I use 1PW pronounceable random passwords for my security questions on any account that requires them and store them in the notes field along with the original questions — something Jeff already advocates on the Agile Blog.” I’m not going to lie, this is a great idea that we are indeed big fans of, and Penelope nails why: “It’s easier to provide them verbally if required and mitigates against social engineering attacks.”

So that’s it for now, I don’t want to drown you in too many awesome 1Password ideas from our customers all at once.

If you have your own creative use for 1Password or a great story to share about how you helped a friend, family member, or coworker discover it, please tell us on our Facebook Page or in this Agile forums thread! The best part (besides helping everyone get even more out of 1Password!) is that we’re going to send t-shirts to some of our favorite storytellers!

Thanks to everyone who has shared so far, and we’ll be back soon with more 1Password Stories.

Even Apple recommends 1Password for your new 13-inch retina MacBook Pro!

You’ve probably heard the news by now that Apple did the retina thing to the 13-inch MacBook Pro. But did you see Apple’s recommendation for apps you should run on its second resolutionary MacBook? Yeah, that’s right: 1Password, among others.

You can already stream Apple’s October 2012 event online, and around 21 minutes into it, Phil Schiller recommended a collection of retina-friendly apps in the Mac App Store. Naturally, 1Password for Mac is included since it went retina-ready for the 15-inch retina MacBook Pro back in July.

Thanks Phil! We can’t wait to check out 1Password for Mac on the beautiful new 13-inch retina MacBook Pro.

1Password users should wait a bit before trying Dropbox’s two-step verification

Dropbox has just released a new, optional, two-step authentication process. 1Password 3 (Mac and iOS) and 1Password for Windows use Dropbox for synchronizing your 1Password data across systems and platforms. So anything that has to do with Dropbox security is of interest to us and to 1Password users.

The bottom line is that I recommend 1Password users not be early adopters of this. Early adopters should:

  • understand the data security gains and risks thoroughly (discussed below)
  • take steps to reduce those risks (have great backups), and
  • be very comfortable using pre-release systems

My recommendation does not reflect any criticism of Dropbox’s experimental system. It looks (from my brief exploration) like it is done extremely well. But for the large majority of 1Password users, it’s just a little early to start using their two-step authentication system.

If you would like to know more about the two-step authentication system Dropbox has just rolled out and why I am recommending a “wait-and-see” approach at this point, read on.

Stop trying to scare us away from it. What does it do?

I will return to scaring 1Password users away from jumping on Dropbox’s beta two-step authentication system later in this article. But it will be easier to do so after I’ve outlined how it works. There are also some really cool things about how the protocols for two-factor authentication work, but I will bite my tongue and leave that discussion for another day. What this means, however, is that a great deal of what I say in describing the system below is a pack of lies. I will be describing how things may superficially appear to users, not how it really works.

Dropbox calls their system “two-step verification”, and that is an excellent name for communicating what it does. I will continue to use the term “two-step authentication” because I will need to make use of the more technical term, “authentication”, further on.

Logging in

Google Authenticator

Once you have set up two-step authentication with Dropbox, then every time you log into Dropbox with a web browser or authorize a new computer or service to use Dropbox, you will be prompted to enter a special six digit code. It will be a different six digit code each time, and the code that you need to enter will be sent to your phone. So in addition to needing your Dropbox username and password to connect to Dropbox, you will also need access to your phone.

There are a number of ways that Dropbox can send the six digit code to your phone. I have been testing with Google Authenticator, and so far (I’ve only been playing with this for a few hours), it works as advertised and is easy to use.

Already authorized devices

When you first set up Dropbox on your computer or set up 1Password on your iPhone to sync with Dropbox, you do not need to authenticate those again. The ability to connect remains until you take specific steps to break that link. Enabling two-step authentication doesn’t break those existing links. So if you already have 1Password on your iPhone syncing with Dropbox, you will not need to enter a six digit code into 1Password to allow that syncing.

Linking new devices

Dropbox has just released a new version of their desktop software which is capable of dealing with their two-step authentication directly.  This is great for the desktops, but you might find that you need to download the latest version from Dropbox’s download page.  It looks like version 1.4.17 is the first non-beta version that natively supports two-step authentication.

As I mentioned, if you have already set up Dropbox syncing for 1Password on your mobile device it will continue to sync after you turn on Dropbox two-step authentication. If you do need to setup Dropbox syncing from 1Password after you have enabled two-step authentication, there are some additional steps you need to take. I talk about those in a separate section.

What happens when you lose your phone?

The people at Dropbox know full well that people lose access to their phones. It would be terrible if having your phone lost, stolen, or drenched meant that you could no longer get to your Dropbox data. So when you first set up two-step authentication, you will be given a “backup code”. This is a long, random, sixteen-character, impossible-to-remember code. You need to keep this someplace secure because you will need it to reset two-step authentication if you lose your phone.

The obvious place to keep such an important and hard to remember backup code is in 1Password. I set up a Generic Account under Accounts for this and added it as a Note to my Login for Dropbox in 1Password.

Now, suppose you are traveling and your phone gets stolen or damaged. If you don’t have access to a computer or device that is already linked to your Dropbox account, you won’t be able to reset two-step authentication. You won’t be able to access your 1Password data, which in turn means that you won’t be able to access many of the accounts and services you need. At least, you won’t be able to until you either get to the piece of paper where you wrote down your backup code or get to a computer or device that is already linked to your Dropbox account.

Data availability is part of data security

Dropbox’s two-step authentication eliminates one particular risk—someone breaking into your Dropbox account because they’ve discovered your Dropbox password. But it would not, for example, protect against a general Dropbox breach. Also, your 1Password data is already designed to withstand sophisticated attacks if someone does get a copy of it. Thus, the actual security gain for your 1Password data that Dropbox’s two-step authentication adds is minimal. It is of most use to people who have poor password practices and have secret, but unencrypted, data stored on Dropbox.

Data availability is just as much a part of data security as data secrecy. It is the ability to get and use your own data when you need it. For a dramatic case of what it means when people lose access to their own data, consider what happened to Mat Honan. If he had not found a way to get back into his Dropbox account after all of his personal devices and computers were wiped clean, he would have lost all access to his 1Password data.

Because phones can be easily lost, stolen, or damaged, using Dropbox’s two-step authentication increases the risk to data availability. In opting to enable two-step authentication, you are balancing one risk against another. Indeed, most security trade-offs involve balancing one kind of security with another. In this case we are considering a very small gain in protecting data secrecy against a potentially larger, but hard to estimate, risk of losing data availability.

If you insist

If you insist on trying Dropbox’s new two-step authentication process, here are a few recommendations.

1. Be obsessive about data backups

You should have backups of your 1Password data that will:

  1. be recoverable before you have access to your 1Password data. For example, if your backup is encrypted, you will need a way to get to that password before you have restored your 1Password data
  2. be recoverable if your house burns down
  3. be recoverable if your computers and devices are subject to the kind of “remote wipe” attack that Mat Honan experienced

Another way of looking at this is, if you enable two-step authentication, you should not think of Dropbox as a backup system (you shouldn’t anyway for other reasons). I know that I’ve gotten lazier about personal backups since using Dropbox (despite the fact that I shouldn’t). Any such laziness needs to be reversed if you enable two-step authentication.

One option is to make a copy of your 1Password data and burn it to a CD. Your 1Password data should include your Dropbox credentials, including the backup code. You may wish to keep a copy of that CD in your car or some location away from your other backups.

2. Write down your Dropbox backup code

Keep copies of the Dropbox rescue or backup code in a variety of places, including on paper. You need this if you lose your phone. And if you lose your phone and have serious loss of access to data on your computers, you will need to reset two-step authentication without having access to what is on Dropbox.

Setting up and using Dropbox’s two-factor authentication with 1Password

To enable Dropbox’s two-step verification, check out this document in their help center. Dropbox wants everyone who uses two-step verification to participate in their discussion forums. You should join that discussion to see instructions for enabling two-factor authentication in the first place. That is where help, updates, and important changes are discussed.

Once you have set things up and Dropbox is working correctly on your desktops, there is nothing that you need to do with 1Password on your Desktop. 1Password on the desktop doesn’t actually talk to Dropbox; it just makes use of what is in your Dropbox folder.

As I’ve mentioned before, if 1Password on your phones or iPads is already configured to do Dropbox syncing, then again, you are all set to go. Nothing changes. Dropbox has already given a token to the 1Password app which it can use for logging in. It is only if you need to set up Dropbox syncing that you need to take a few extra steps:

Step 1: Follow the normal instructions for setting up Dropbox syncing in 1Password on your device. Note that after you enter your Dropbox username and password, the login attempt will fail.

Step 2: Check your email (the email address that is your Dropbox username). You should get some email from Dropbox that looks like this: [image: Dropbox 2-step email]

Step 3: When you follow the link in that email you will (once you’ve logged onto Dropbox in your web browser) get to a page that looks like this: [image: Dropbox one-time password page]

Use the one time password presented on that page as a temporary Dropbox password back in 1Password on your mobile device.

Why am I such a downer?

I am delighted that Dropbox is rolling out a two-step authentication system. This is a good thing for Dropbox to be doing. It is particularly beneficial to those Dropbox users who use the same password for Dropbox as they do at other sites though, naturally, I hope few 1Password users are among them.

It is also early days for this feature. As development and experience progress, we will come to better understand the risks of data loss and so be able to provide advice better tuned to the actual risks. But until that time, I have to take the most pessimistic view. I wouldn’t be surprised if weeks from now I’d be encouraging pretty much everyone to sign up.

A note on multi-step authentication and 1Password

Multistep authentication has clear and obvious security benefits. So it is more than natural for people to ask why 1Password doesn’t employ it. I’m planning to write a more detailed explanation of our developing thoughts on that, but I would like to take this opportunity to discuss the difference between authentication and decryption.

When you connect to some service, like Dropbox, you or your system has to prove that it really has the rights to log in as you. That process is called “authentication”. It is the process of proving to the Dropbox servers in this case that you are really you. You can do this through a username and password; you can do this through a username, password, and code sent to your phone; you can do this by having a particular “token” stored on your computer. Authentication always involves (at least) two parties talking to each other. One party (the client) is under your control; the other (the server) is under someone else’s control.

1Password, however, involves the 1Password application (under your control) talking to your 1Password data (under your control) on your local disk (again, under your control). This is not an authentication process. So 1Password doesn’t even do one-step authentication. It does no authentication at all. 1Password doesn’t gain its security through an authentication process. Instead the security is through encryption. Your data on your disk is encrypted. To decrypt it you need your 1Password master password.

There are great advantages to this design: Your data and your decryption of it don’t require our participation in any way once you have 1Password. But one disadvantage is that the kinds of techniques used for multi-step authentication are entirely inapplicable to 1Password. Those techniques are designed to add requirements to an authentication process, but unlocking your 1Password data is not an authentication process at all. Because there is no 1Password server, there are no (additional) steps we can insist on as part of a (non-existent) login process.

There are approaches that we could take which would approximate the effect of multi-step authentication for what is actually a decryption process. But I will save discussion of those for another day.

Updated on 8/27 to:

  1. Reflect that Dropbox has fully released two-factor verification. When I was writing this article, it was in “beta”. But at about the same time that this article was first published, Dropbox had released version 1.4.17.
  2. Tell fewer lies about how the second step authentication works. It still pretends that data is transmitted to your phone, but I’ve at least toned down that implication.
  3. In conjunction with Dropbox moving this out of beta and the experience of lots of 1Password users switching over to two-step authentication, I’ve become much more optimistic about when we will feel more comfortable recommending this to 1Password users. I changed my guess of “months” to “weeks”.