1Password 4.1 for Windows puts more control at your fingertips

I have to say, 1Password 4 for Windows has been our 1Passwordiest yet. You’ve given us a ton of great feedback, so we’re back with our first big, free update.

To put it simply, you get more control over some of 1Password’s little details that make a big difference. In v4.1, you can enable rich icons for an even prettier view of your items (View > Show Rich Icons) and lock 1Password when you close your browser (check File > Preferences (Ctrl+P) > Security).

For those who often have many Logins for a particular site, check File > Preferences (Ctrl+P) > Logins > Show X more items… to see more of them at a time.

We also made a ton of improvements across the board to everything from keyboard shortcuts to icon display, linking our fantastic new help guides, adding attachments to items and support for the Comodo Dragon browser, and much more. Check out our full v4.1 release notes for quite the list of details.

The latest version of 1Password 4.1 for Windows is available now via our built-in automatic updater.

Watch what you type: 1Password’s defenses against keystroke loggers

I have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer [and obtained root privileges], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer, particularly keystroke loggers, could capture your Master Password.

Safe at rest

Let me clarify one thing before going on. 1Password does protect you from the attacker who breaks into your computer and steals your 1Password data. The 1Password data format is designed with just such attacks in mind. This is why your data is encrypted with keys derived from your Master Password. It is also why we’ve put in measures to make it much harder for an attacker to try to guess your Master Password in the event that they do capture your data.

Even if an attacker gains access to your computer and 1Password data, there is little she can do without your Master Password. In this article, I’m focusing on another kind of attack in which the attacker tries to “listen in” to you typing your Master Password. This attacker is running a program on your computer that attempts to record everything you type on the keyboard or enter through some sort of keyboard-like device.

Countering counter-counter measures

I will get to the details below, but this article aims to describe and explain a change in how 1Password for Windows secures its Secure Desktop, a counter measure against a common type of keystroke logger. This change was added recently to 1Password 1 for Windows and has been included in 1Password 4 for Windows since its launch.

Márcio Almeida de Macêdo and Bruno Gonçalves de Oliveira of Trustwave SpiderLabs have discovered a way that a keystroke logger could work around our use of Secure Desktop and reported this to us. They have now reported this publicly (link might be having trouble, but it’s listed among their Security Advisories). We have since added a mechanism which prevents that particular counter measure to Secure Desktop. We very much appreciate SpiderLabs for giving us the opportunity to put a fix in place before announcing their discovery to the public. Trustwave SpiderLabs might grab fewer headlines by having done the right thing, but they have done the right thing.

Secure Desktop itself is a counter measure to keystroke loggers. De Macêdo and de Oliveira’s discovery is a counter measure to our counter measure. We have now introduced a counter-counter-counter measure. All of this will be explained, but it requires a lot of background into how keystroke loggers work and various ways to defend against them.

Keystroke loggers

Keystroke loggers attempt to capture everything that is typed on a particular computer or keyboard and pass that information on to a third party.

There are one or two legitimate uses of these (such as in research on writing), but those all involve the consent of those whose key strokes are being logged. More typically, keystroke loggers run surreptitiously, and are an attack on user privacy. I know that people don’t come to this blog for relationship advice, but if you are seriously tempted to install a keystroke logger to spy on a spouse or lover – a popular use of these things – then I have my doubts about the future of your relationship. Since you didn’t come here for relationship advice (and if you did you came to the wrong place), let’s return to how keystroke loggers work.

Logger in the middle

There are many different ways that keystroke loggers can work, but one useful way to think about this is as something (either hardware or software) that sits between your keyboard and the program you are typing into, something which shouldn’t be there.

Hardware PS/2 keylogger in action

For keyboards that are attached to a computer with a cable, the simplest keystroke loggers are little physical devices that the attacker plugs into the computer, and then plugs the keyboard cable into that.

The keystroke logger is, in this case, sitting between the keyboard and the computer. The computer thinks it is talking directly to the keyboard, and the keyboard thinks it is talking to the computer, but the keystroke logger is sitting between them.

Alternatively, software keystroke loggers sit between components deep within the operating system and silently grab data. Things that are embedded that deeply or are using hardware loggers are not things that user software can detect or defend against.

Most keystroke logging is shallow

Most keystroke loggers take a simpler approach, rather than inserting themselves deep within the system. It is much simpler to write a program that says “hey, I am a program that needs to know everything that is coming in from the keyboard.” Operating systems provide hooks for programs to do exactly that.

You might be asking why operating systems might make writing keystroke loggers so easy. What business does any program running in the background have in seeing the input to some other program? One reason is to help my poor dog Molly, who suffers from (among other things) diabetes. This has led to sufficient necrosis in her paws so that she cannot easily type using a standard keyboard. The specialized device that she uses involves some clever software that looks at the input and uses various predictive technologies to replace the actual input with the intended text. This system intercepts (and changes) input bound for any program running on her computer; however, as far as most programs know, they are just getting input from a “keyboard”. Assistive technologies similar to the one Molly uses are a big part of making computing and communication accessible to more people.

Not only is a basic keystroke logger easy to write, it doesn’t require a complete break into a system. Different processes on a computer run with different privileges. When Molly logs in to her account and runs a program on a computer, the program is run under her user ID and with her privileges. This means that she isn’t able to interfere with processes that are run by Patty (the other dog). She also isn’t able to interfere with the system as a whole. If Mr Talk (the neighbor’s cat) tricks Molly into running a malicious program, that malware will be limited in the damage it can do.

The really deep and hard-to-avoid keystroke loggers would require full power over the system to install. But one of these simpler keystroke loggers requires only the privileges of the user whose keystrokes are to be recorded. So if Molly gets tricked into running a keystroke logger, it won’t affect Patty even if they use the same computer (as long as they are using different accounts). As you can imagine, the bulk of malicious keystroke loggers that spread through computer infection are of this shallower sort.

Counter measures

Now that we have some idea of how the typical keystroke logger works, it’s time to look at some counter-measures. The two most important counter-measures are:

  • keep your system and software up to date
  • exercise caution in what software you install and run

But let me focus on a couple of the counter-measures that 1Password takes.

Counter measures on Mac: Secure Input

On Mac OS X, there are two simple provisions that make it easy to thwart those shallow key loggers. The first one of these is called “Secure Input” and was introduced with OS X 10.3 Panther in 2003. A program—1Password for example—can say, “when the user types something into this particular input field, it must be done in a way that other processes can’t interfere.” Secure Input needs to be used sparingly, as it blocks all sorts of legitimate activity, including assistive technologies that many people (and a few dogs) rely on. And Secure Input blocks TextExpander, which I rely on.

Because 1Password declares the field in which you type your Master Password as a “Secure Input field”, ordinary key loggers won’t have access to it. Since last year’s OS X 10.9 Mavericks, there is another defense built into the operating system. A program can only capture all of a user’s keystrokes if the user has explicitly granted it that permission in System Preferences > Security & Privacy > Privacy under Accessibility. As I described earlier, most (but not all) such software are components of assistive technologies designed to make computers accessible to more people. That is why this system preference is ultimately under Accessibility.

Between these two mechanisms – Secure Input and that any application which has the capacity to log keystrokes must have explicit user approval to do so – OS X defends against these otherwise common sorts of keystroke loggers.

Counter measures on Windows: Secure Desktop


Windows doesn’t offer the same sorts of defenses that OS X has, but it does allow for the creation of somewhat isolated environments called “Desktops”. On Windows, one can set up different Desktops in which only your program is running (along with system processes). A program running in one Desktop will not be able to listen in on keyboard input in a separate Desktop.

You will find a button that says “Unlock with Secure Desktop” in the upper right corner of the lock screen in 1Password 4. Clicking on that launches the Secure Desktop in which you will be prompted for your Master Password. You can take a look at Unlock with Secure Desktop in action.

Countering Secure Desktop

What de Macêdo and de Oliveira have discovered is that there is a way to set up a keystroke logger that does operate in all desktops, not just the one it was started in. Quite simply, their system launches a process that is able to listen for the creation of new desktops and add a process to each desktop created.

The ease with which they were able to do this (well, everything looks easy in retrospect) reflects the fact that the SwitchDesktop function in Windows was not designed for security purposes. We and others who use Secure Desktop as a mechanism for evading keystroke loggers have been taking advantage of the relatively isolated environment of a separate Desktop. Once the authors of keystroke loggers take our counter measures into account, they can launch counter-counter measures like the one Trustwave describes.

Knowing your environment

We want nothing but system processes and 1Password’s Master Password entry to be running in a Secure Desktop. We don’t want other, probably malicious, processes joining that Desktop. And so, our counter-counter-counter measure is to simply look around and see if there is anything running in the Secure Desktop that is unexpected.

If some unexpected process is found in the Secure Desktop environment, you’ll be prompted to close the Secure Desktop.

Secure Desktop: 1Password has detected an unknown process
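
One way to approach the kind of check described above, as an added example that is not 1Password’s code and not from the original post: list the processes that own windows on the current Desktop and flag any whose full image path is not on an allowlist. The post does not say how 1Password performs its check; the window-based enumeration, the function names, and the sample paths are assumptions made here.

```c
/* Added example: allowlist check for processes seen on a Windows Desktop. */
#include <ctype.h>

#define MAX_SEEN 64
#define MAX_PATH_LEN 260

/* Windows paths are case-insensitive, so compare them that way. */
static int path_eq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++, b++;
    }
    return *a == *b;
}

/* Writes the indexes of observed image paths that are not on the allowlist
 * into out_idx and returns how many there are. The full path is compared,
 * not the file name, so a look-alike name in another directory is flagged.
 * An empty path (the process could not be identified) is also flagged. */
int find_unexpected(const char *const *observed, int n_obs,
                    const char *const *allowed, int n_allowed, int *out_idx)
{
    int n_bad = 0;
    for (int i = 0; i < n_obs; i++) {
        int ok = 0;
        for (int j = 0; j < n_allowed && !ok; j++)
            ok = observed[i][0] != '\0' && path_eq(observed[i], allowed[j]);
        if (!ok)
            out_idx[n_bad++] = i;
    }
    return n_bad;
}

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   /* QueryFullProcessImageName needs Vista+ */
#endif
#include <windows.h>

struct seen { DWORD pid[MAX_SEEN]; char path[MAX_SEEN][MAX_PATH_LEN]; int n; };

/* EnumDesktopWindows callback: record each owning process once.
 * Limitation: a process with no window on the Desktop is not seen. */
static BOOL CALLBACK on_window(HWND hwnd, LPARAM lp)
{
    struct seen *s = (struct seen *)lp;
    DWORD pid = 0, len = MAX_PATH_LEN;
    GetWindowThreadProcessId(hwnd, &pid);
    for (int i = 0; i < s->n; i++)
        if (s->pid[i] == pid) return TRUE;
    if (s->n == MAX_SEEN) return FALSE;   /* stop; the caller fails closed */
    s->pid[s->n] = pid;
    s->path[s->n][0] = '\0';
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (h) {
        if (!QueryFullProcessImageNameA(h, 0, s->path[s->n], &len))
            s->path[s->n][0] = '\0';      /* unknown image: flagged later */
        CloseHandle(h);
    }
    s->n++;
    return TRUE;
}

/* Returns the number of processes found, or -1 if enumeration failed. */
int collect_desktop_processes(struct seen *s)
{
    HDESK desk = GetThreadDesktop(GetCurrentThreadId());
    s->n = 0;
    if (!desk || !EnumDesktopWindows(desk, on_window, (LPARAM)s))
        return -1;
    return s->n;
}
#endif

int main(void)
{
    /* Constructed allowlist; both entries are hypothetical paths. */
    const char *allowed[] = { "C:\\Windows\\System32\\sysproc-example.exe",
                              "C:\\Program Files\\ExampleVault\\unlock.exe" };
    /* Constructed observations standing in for collect_desktop_processes(). */
    const char *observed[] = {
        "c:\\windows\\system32\\SYSPROC-EXAMPLE.EXE",
        "C:\\Users\\molly\\AppData\\Local\\Temp\\sysproc-example.exe",
        "", "C:\\Program Files\\ExampleVault\\unlock.exe" };
    int bad[4];
    return find_unexpected(observed, 4, allowed, 2, bad) ? 1 : 0;
}
```

On Windows, feed the paths gathered by collect_desktop_processes into find_unexpected, and treat a return of -1 from the collector as a failed check rather than a clean one.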

Lessons

1. Keep your system and software up to date

The single biggest thing you can do for your computer security is to keep your system and software up to date. The overwhelming majority of actual break-ins are through vulnerabilities that have already been fixed by the software vendors.

2. Pay attention to what software you install and where you get it from

Keystroke loggers and other malware are often installed unwittingly by the victims themselves. Try not to be one of those victims. Be particularly careful of anything that tries to frighten you into installing it. Fake security software and alerts are a common way to get people to install malicious software.

The move toward curated app stores offers additional protections, but it isn’t a complete solution. Still, using those where available will reduce your risks.

3. Use Windows Defender on Windows

I have long been skeptical of most anti-virus software, but Microsoft Security Essentials is something I can unequivocally recommend for those using Windows 7. In Windows 8, Windows Defender is automatically built in and enabled.

4. Understand what software can and can’t do for you

The core security design of 1Password is extremely strong. Quite simply: if you have a good Master Password, nobody who gets a copy of your 1Password data will be able to decrypt it. 1Password can and does offer outstanding security.

At the same time, 1Password is limited in what it can do to protect you when you are using a compromised computer. It can (and does) offer some protection against shallow (the most common) attacks. But this is a bit of an arms race. As you see, we have had to put into place a counter measure to a counter measure to our counter measure against common keystroke loggers.

This is why the first two items on this list are so important.

In conclusion

1Password takes extraordinary and effective steps to protect your data. This is built into every aspect of its design. But you have to help protect 1Password from malware running on your machine. We do what we can to make things harder for the malware writers, but we can’t do it alone. You must try to provide a safe environment for 1Password and all of your software to run in.

This shared responsibility is similar to that which we have with your Master Password. We provide excellent encryption and protections and defenses against automated password guessing. But you have to pick a good Master Password and treat it well. For those who might be wondering, displaying your password on a giant screen is not treating a password well.


Up your 1Password-fu with keyboard shortcuts


I don’t know about you, but constantly typing my login details is not my favourite part about visiting websites, and digging for my credit cards, then typing all those details takes all the fun out of shopping.

Fortunately, 1Password and some handy keyboard shortcuts are happy to save you a ton of time with all these less-than-thrilling parts of being online, so you can spend more time on the stuff that matters.

1Password’s bread ‘n butter

One of our best, long-standing shortcuts is Command-\ (for PC users, Command = Control). This game-changer instantly fills and submits your Login for the current page, so you get in and get going with a single shortcut. If you have more than one Login for the page, a 1Password menu will list them all so you can arrow up and down, then hit Return on the one you need.

Of course, many standard computing shortcuts work for 1Password, too: Command-N will create a new item for you, Command-E will edit an existing item, and Command-S will save the edits.

Fill forms with the 1Password menu

“Password” might be in the app’s name, but 1Password also fills things like registration forms and shopping carts. First, you’ll want to open the main 1Password app and create a couple Identities and Credit Card items.

Then, on a page with a form you want to fill, press Command-Option-\ (Control-Alt-\ on PC) to display the 1Password menu. There you can arrow to the Identities or Credit Cards section, arrow right to find the item you need, and hit Return to sign up for a new service or checkout online faster than you can say “Siri, remind me to review our monthly budget.”

Switch vaults (Mac)


We introduced Multiple Vaults in 1Password 4 for Mac, allowing you to securely share and sync items with a team at work, your family members, and monthly D&D squad.

Each vault gets a numbered keyboard shortcut. To switch between them, open the 1Password app or 1Password mini’s menu in your browser and use Command-2 for your second vault, Command-3 for the next, etc. Command-1 is always your primary, personal vault.

Lock 1Password

Control-Option-Command-L on your Mac or Control-L on your PC will lock 1Password and keep it safe from any prying eyes.

Copy an item’s password

Press Command-Shift-C on your Mac in 1Password or 1Password mini, or Control-Shift-C on your PC in 1Password, to copy the password for the selected item.

Reveal a password

If you’re a cautious sort and prefer to keep your passwords safely obscured behind dots, simply hold down the Option key on your Mac, or Control-R on your PC to sneak a peek at the password.

The whole enchilada

Find the full list of keyboard shortcuts for 1Password 4 for Mac here and 1Password 4 for Windows here.

1Password 4 for Windows Tip: How to upgrade from the previous version

Let’s face it: the new 1Password 4 for Windows is awesome. Everybody’s upgrading, and I want to make that process as seamless as possible. You can see more details on our upgrade policy and process in this support document, but here’s the cliff notes version.

If you purchased in 2013 or 2014, version 4 is free!

Nope, not a typo. Our free upgrade window for 1Password 4 for Windows is a whopping one-and-a-half years wide. All you need to do is:

  1. Download and install 1Password 4 for Windows
  2. Open 1Password and go to Help > Enter License Key
  3. Enter your existing license key
  4. Enjoy 1Password 4 for Windows!

If you purchased before 2013, take advantage of our upgrade pricing!

There’s an extra step, but it’s still super simple. Before you install 1Password 4:

  1. Open 1Password, find your 1Password license item, and copy it, OR
    1. Go to Help > Enter License Key and click the Replace License button
    2. Select and copy your entire license from that window
  2. Visit AgileBits.com/Store/Upgrade
  3. Paste your license code, click ‘Search’, and check out your upgrade options
  4. Download and install 1Password 4 using your spiffy new license
  5. Enjoy 1Password 4 for Windows!

This should get you on your way, but you can follow a more detailed process in our support document if you like. As always, thanks for using 1Password!

1Password 4 for Android and Windows are a hit!


June has been quite the month for us! We released 1Password 4 for Android and Windows, and we’re thrilled that you like us. You really, really like us!

For the v4 Android debut, Android Central, Boy Genius Report, Lifehacker, and PCMag were excited, with SlashGear saying it “does justice to its namesake.” The Next Web went in-depth with the new version, The Verge says “this is the password manager you should be using,” and then there’s Greenbot, Gotta Be Mobile, International Business Times, and plenty more.

On the Windows side, InfoWorld called v4 a “strong password manager” and lists it among the best. SlashGear and Engadget are excited, and TechCentral says it’s an “impressive password management tool”. Then there’s PC & Tech Authority, Softonic, Techgear, iPhoneclub… and that’s probably enough links for one day.

We are absolutely delighted to get these major releases out there, and the feedback to support and in our forums has been fantastic! We put “Agile” in our name for a reason, so there’s plenty more where this came from. To see what we have coming next, follow us on Twitter, Facebook, and our newsletter!

1Password 4 for Windows is here


After months of beta testing, a small lake’s worth of coffee, and a possibly illegal number of pizzas, 1Password 4 for Windows is here.

The goods

This is a huge release for us, as it brings many of our latest features to Windows and a cleaner, more intuitive interface. Windows users can enjoy Favorites, Multiple Vaults, Wi-Fi Sync, and Security Audit, as well as our new, free 1Password Watchtower service that warns you when a Login’s site has been compromised and helps you decide when it’s safe to update your passwords.

All together, this release includes 374 new features, improvements, and fixes spread over 85 betas. You can comb through the full beta release notes, learn more in our documentation, or check out our feature overview down below the gallery.

All-new browser extension

Perhaps best of all, our legendary browser extension is now on Windows. You can drill down to view vault items, search your vault, access your Favorites, change extension settings, and, of course, it’s still just a single click to open a new site, fill your credentials, and login.

The extension looks and behaves the same in Firefox, Chrome, Safari, and Opera, and it’s even a great experience in Internet Explorer! It now resembles its Mac brother while still being all Windows.

The prices

You can get 1Password 4 for Windows now in the AgileBits Store. It requires Windows 7 or 8, and here’s how pricing breaks down:

  • If you bought 1Password for Windows anytime in 2014 or even 2013, v4 is free! Your current license will just work
  • Upgrade price for all other customers is $24.99
  • Single user regular price is $49.99
  • Family 5-pack is $69.99
  • Multi-seat business licenses are also available

What’s new in 1Password 4 for Windows

Our latest features

  • Watchtower – if a Login’s website has had a security breach, our new, free Watchtower service alerts you to whether it’s safe to change your password
  • Favorites – give your VIP items the VIP treatment so they’re just a click away
  • Security Audit – new categories that point out Weak Passwords & Duplicate Passwords to help you stay on top of your security
  • Tags – a flexible way to organize and find items with one or more keywords
  • Sharing – Send an obfuscated copy of a Login or any other item to someone you trust via email
  • New toolbar – a simplified, powerful, and beautiful new toolbar puts all the important features at your fingertips, including search!
  • Demo Vault – show off 1Password without showing off your personal information
  • Multiple URLs per Login item – sometimes one just isn’t enough
  • Custom fields – store all the information you need in each item

Sync

  • Wi-Fi Sync for mobile – you can now sync with an iPhone or iPad on your network, no cloud required
  • Vault awareness – during setup, 1Password detects all vaults in your Dropbox

All-new browser extension

  • One extension, many browsers – our extension now looks and behaves the same way in all browsers 1Password supports
  • Analog to Mac – our extension features, design, and overall awesomeness are now nearly identical across Mac and PC
  • Multiple Vaults – switch vaults right from the extension
  • Detect password change – when you change an existing Login’s password, the extension will verify that you want to update the existing Login
  • Auto-Type in all web browsers
  • Unlock on Secure Desktop
  • Tray icon is now more informative about 1Password’s status

The 1Password at Macworld/iWorld 2014 megastravaganza post!


We’re in San Francisco for Macworld/iWorld 2014—and for you! We love hearing from our customers, and we have booth #39 in the Appalooza so we can hear from you in person this week! We’ve spent the day getting the booth ready and tracking down that one thing we need to make it all work. Now we’re just excited to get the show on the road.

Swing by anytime Thursday, Friday, or Saturday during the conference to say hi. Bring a friend if you like! In fact, we’re bringing a friend on Friday from 11am-12pm—Joe Kissell, he of the Take Control of 1Password book.

Our co-founder Dave Teare is also going to be on the Main Stage Thursday, March 27 in Mac Gems: Meet the Developers. He’ll join Jennifer Bell of Prosoft Engineering, John Chaffee of BusyMac, and Greg Scown of Smile to talk everything from ‘where do the great ideas come from?’ to ‘the risks and rewards of the Mac App Store and developing software in general’. Be sure to catch the panel and learn from some of the best in the Apple community.

Last but not least, 1Password 4 for Mac (and Windows!) is 50 percent off to celebrate Macworld/iWorld! You can get the sale price in our web store and in the Mac App Store, so it’s up to you!

Whether you pick up 1Password on sale or not, be sure to swing by our booth at the conference to say hi!

1Password 4 for Windows is coming. Want to help beta test?


I’m going to be honest: I can’t tell you anything about 1Password 4 for Windows. Technically speaking, I’m not even supposed to confirm it exists. But I can tell you that, if it did, we’d be accepting beta testers who want to help us polish it at a webpage like this.

So, if you like to live on the wild side, test Windows apps, and offer feedback in super special forums, you might want to add your email address to our beta Windows newsletter signup page.

1Password keyboard shortcuts for the Mac and PC power user in all of us

photo via pj_vanf


Let’s face it, we call them keyboard “shortcuts” for a reason. Shortcuts help you get from point A to point B faster, and in your daily work and play on a computer, you have a lot of point As and Bs. Fortunately, 1Password is packed with quite a few shortcuts to help, so here are some of our favorites for Mac and PC.

Mac

  • Command-\ – A staple of any shortcut fan, this triggers the 1Password browser extension to AutoFill and AutoSubmit your Login for the current site. If you have multiple Logins for the current site, the extension displays them together at the top. From there you can arrow up and down, then press Return to AutoFill and get in
  • Option-Command-\ – This triggers the browser extension, but no AutoFill or AutoSubmit. This allows you to use some other shortcuts listed below (you can customize these two extension trigger shortcuts under Preferences)
  • Type to Find – While viewing any list in the browser extension (Logins, Credit Cards, Identities), you can type a couple letters of the item you want. If it’s a Login, you can arrow to it and hit Return to open the website, AutoFill, and AutoSubmit to log right in. How’s that for saving some time?
  • Tab – In the browser extension, this cycles through the main sections—Logins, Credit Cards, Identities, Strong Password Generator, Settings
  • Right/Left Arrow – With an item selected in the browser extension (a Login or Credit Card), the right arrow will show its details. Use the Left Arrow to get back out to the list
  • Option-Command-C – In 1Password for Mac, this copies the password for the selected Login to your clipboard
  • Option – In 1Password for Mac, this will reveal the password field(s) in any item including Account items like Email Account, Server, and Database. Hold it to view passwords, let go to obfuscate them again with those little dots
  • Command-E – In 1Password for Mac, this switches to Edit mode for the currently selected item. Use it a second time to save the item, confirm your changes, and switch out of edit mode

PC

  • Ctrl+\ – Triggers the browser extension to AutoFill and AutoSubmit a Login. On a German keyboard layout, this shortcut defaults to Ctrl+#
  • Ctrl+R – In 1Password for Windows, this reveals the password(s) for the currently selected item. Hold to view, let go to conceal
  • F2 – In 1Password for Windows, this changes the selected folder name
  • Enter/Return – In 1Password for Windows, this will edit a Login item or, depending on your preferences, open the Login item’s URL in your web browser
  • Ctrl+C – In 1Password for Windows, the first time you press it, it will copy the Login item’s password to the clipboard. Press it again, and it will copy the Login item’s username to the clipboard

How’d I do? Be honest. Did I miss your favorite shortcut? Let us know on Twitter, Facebook, or in our forum and I can update the post with a shout out to you!

1Password for Mac 3.8.21, the browser extension, and the Chrome Web Store

Peanut butter & jelly. Penn & Teller. Peas & pods—such incredible pairings are rare in this age, but today we are delighted to announce a new one.

The 1Password extension and the Chrome Web Store.


Available for Mac users and soon out of beta for Windows users, you can now install the Chrome version of our 1Password extension from the Chrome Web Store. You still need 1Password for Mac installed, of course (or PC, when it’s ready), but this will make installing our Chrome extension much easier. I should also point out this is our official method of installing the Chrome extension from here on out.

We released 1Password for Mac 3.8.21 for our website customers with support for installing the new Chrome extension, and the Mac App Store version already supports it. This update also includes a couple other good changes you can view in the changelog.

If you already have our Chrome extension installed, you need to remove it before installing from the Chrome Web Store. To remove a Chrome extension, right-click it in the toolbar and choose “Remove from Chrome.”

We hope you enjoy our new, friendlier, more Chrome-ier extension install process. As for other browsers, stay tuned.