1Password, the Microsoft Surface, and Windows 8

Have you seen the new Microsoft Surface? Judging from our email queues, a lot of you have and are pretty excited about it. We are too, and I’d like to clear up some confusion about 1Password for Windows and Microsoft’s new platform.

Long story short: last week Microsoft released Windows RT and the Surface, a slick new tablet it designed in-house. While Windows RT has “Windows” in the name, it’s actually an entirely new platform (based on ARM CPUs, similar to what’s in Apple’s iPhone and iPad) that has its own new way of working both behind the wheel for you, the users, and under the hood for us developers. The new interface, powered by colorful icon tiles that you can customize, is typically referred to as “Metro-style.”

There is a second flavor of Microsoft’s new OS on the way soon, one that most people will probably be more familiar with: Windows 8 Pro. While Windows 8 Pro contains the same new Metro-style interface of Windows RT, you can switch out to the traditional Windows desktop environment that most Windows users are familiar with, where most traditional Windows apps will work.

Right now, 1Password for Windows doesn’t work on the Surface or other Windows-RT-only tablets. However, 1Password for Windows will work in the traditional desktop mode on the upcoming Windows 8 Pro devices, and can even work in Google Chrome’s Metro-style version if you install our extension (but not IE). As for Firefox, we’re waiting for a Metro-style edition to test.

I know it’s a little confusing, but ambitious new projects like this usually are. We’re really excited to check out Microsoft’s new platform and see what is possible with 1Password. Stay tuned.

1Password Stories: Tips and Tricks from our customers

We hear a lot of great 1Password tips and stories from customers. Sometimes it’s a clever trick, others it’s a great story about helping a family member, friend, or coworker discover 1Password or make a feature click in just the right way. Eventually, one of our Agile folks asked a simple question: why keep all this great stuff to ourselves?

Enter 1Password Stories, a new series we want to use to share these nuggets of awesome so everyone can get more out of 1Password. To kick this off, I want to start with some clever tricks that customers shared in our Agile forums and our Facebook Page:

  • Nick Peelman says he started using 1Password to store serial numbers for all his hardware. “I used to keep the note stored in plain text in Dropbox,” Nick wrote in our forum, “but using 1Password makes it a little easier to access, and as expected, more secure.” But wait, there’s more to it: “It’s handy to have a running list of serials for your hardware should anything ever go missing or get stolen. Storing that list securely in a cloud-based system makes it that much handier. It’s also a good way to identify your stuff among other people’s, should similar items ever get jumbled together.” Nick’s trick can be useful for all sorts of other situations, like adding these things to your insurance policy or calling customer support for service.
  • “bbinder” says he stopped bookmarking sites in browsers and started relying on 1Password and a trick involving a couple of third-party apps. After all, by saving a site for a Login, you’re already creating a bookmark in 1Password, right? bbinder fancies LaunchBar, which is a great productivity utility that lets you control your Mac and do all sorts of things with just a couple strokes of the keyboard. In June this year, LaunchBar added support for looking up and opening your 1Password Logins, which was right up bbinder’s alley: “With LaunchBar’s 1Password integration, I hit the shortcut to open LaunchBar, then type in ‘1p’ > space bar > and start typing away to get to the 1,000+ sites I have, condensed to what I am looking for.” A similar trick works with the 1Password extension in Chrome, and bbinder is all over it: “Since Chrome is my default browser on my Mac, I get the site opened [via my LaunchBar process] and get to work after 1Password fills in the site credentials and I’m on my way. If there are other sites I need to get to in a hurry, it’s a quick Command+T to open a new tab, type in 1p and hit the tab key and start typing in the site name and 1P automatically shows the relevant sites I’m looking to access. Select the site and it directs me there and logs me in.” In other words: if you’re curious about getting more done on your Mac with just your keyboard, bbinder just might be a person to talk to.
  • Richard Gaywood, PhD, 1Password customer, and TUAW writer extraordinaire, also shared a smart idea that I’ve heard from other customers in the past: “Before my wife went into hospital last week with could-have-been-serious problems, she put her 1Password password in my 1Password. Just in case.” It’s better to be safe than sorry in unfortunate circumstances like this. Fortunately, Richard’s wife came home yesterday and I think it’s safe to say that, while this is a good idea, it’s also a good thing they didn’t have to get much use out of it.
  • Penelope Pitstop shared a great idea in our forum, too: “I use 1PW pronounceable random passwords for my security questions on any account that requires them and store them in the notes field along with the original questions — something Jeff already advocates on the Agile Blog.” I’m not going to lie, this is a great idea that we are indeed big fans of, and Penelope nails why: “It’s easier to provide them verbally if required and mitigates against social engineering attacks.”

So that’s it for now, I don’t want to drown you in too many awesome 1Password ideas from our customers all at once.

If you have your own creative use for 1Password or a great story to share about how you helped a friend, family member, or coworker discover it, please tell us on our Facebook Page or in this Agile forums thread! The best part (besides helping everyone get even more out of 1Password!) is that we’re going to send t-shirts to some of our favorite storytellers!

Thanks to everyone who has shared so far, and we’ll be back soon with more 1Password Stories.

1Password users should wait a bit before trying Dropbox’s two-step verification

Dropbox has just released a new, optional, two-step authentication process. 1Password 3 (Mac and iOS) and 1Password for Windows use Dropbox for synchronizing your 1Password data across systems and platforms. So anything that has to do with Dropbox security is of interest to us and to 1Password users.

The bottom line is that I recommend 1Password users not be early adopters of this. Early adopters should:

  • understand the data security gains and risks thoroughly (discussed below)
  • take steps to reduce those risks (have great backups), and
  • be very comfortable using pre-release systems

My recommendation does not reflect any criticism of Dropbox’s experimental system. It looks (from my brief exploration) like it is done extremely well. But for the large majority of 1Password users, it’s just a little early to start using their two-step authentication system.

If you would like to know more about the two-step authentication system Dropbox has just rolled out and why I am recommending a “wait-and-see” approach at this point, read on.

Stop trying to scare us away from it. What does it do?

I will return to scaring 1Password users away from jumping on Dropbox’s beta two-step authentication system later in this article. But it will be easier to do so after I’ve outlined how it works. There are also some really cool things about how the protocols for two-factor authentication work, but I will bite my tongue and leave that discussion for another day. What this means, however, is that a great deal of what I say in describing the system below is a pack of lies. I will be describing how things may superficially appear to users, not how it really works.

Dropbox calls their system “two-step verification”, and that is an excellent name for communicating what it does. I will continue to use the term “two-step authentication” because I will need to make use of the more technical term, “authentication”, further on.

Logging in

Google Authenticator

Once you have set up two-step authentication with Dropbox, then every time you log into Dropbox with a web browser or authorize a new computer or service to use Dropbox, you will be prompted to enter a special six digit code. It will be a different six digit code each time, and the code that you need to enter will be sent to your phone. So in addition to needing your Dropbox username and password to connect to Dropbox, you will also need access to your phone.

There are a number of ways that Dropbox can send the six digit code to your phone. I have been testing with Google Authenticator, and so far (I’ve only been playing with this for a few hours), it works as advertised and is easy to use.

Already authorized devices

When you first set up Dropbox on your computer or set up 1Password on your iPhone to sync with Dropbox, you do not need to authenticate those again. The ability to connect remains until you take specific steps to break that link. Enabling two-step authentication doesn’t break those existing links. So if you already have 1Password on your iPhone syncing with Dropbox, you will not need to enter a six digit code into 1Password to allow that syncing.

Linking new devices

Dropbox has just released a new version of their desktop software which is capable of dealing with their two-step authentication directly. This is great for the desktops, but you might find that you need to download the latest version from Dropbox’s download page. It looks like version 1.4.17 is the first non-beta version that natively supports two-step authentication.

As I mentioned, if you have already set up Dropbox syncing for 1Password on your mobile device it will continue to sync after you turn on Dropbox two-step authentication. If you do need to setup Dropbox syncing from 1Password after you have enabled two-step authentication, there are some additional steps you need to take. I talk about those in a separate section.

What happens when you lose your phone?

The people at Dropbox know full well that people lose access to their phones. It would be terrible if having your phone lost, stolen, or drenched meant that you could no longer get to your Dropbox data. So when you first set up two-step authentication, you will be given a “backup code”. This is a long, random, sixteen character, and impossible-to-remember code. You need to keep this someplace secure because you will need it to reset two-step authentication if you lose your phone.

The obvious place to keep such an important and hard to remember backup code is in 1Password. I set up a Generic Account under Accounts for this and added it as a Note to my Login for Dropbox in 1Password.

Now, suppose you are traveling and your phone gets stolen or damaged. If you don’t have access to a computer or device that is already linked to your Dropbox account, you won’t be able to reset two-step authentication. You won’t be able to access your 1Password data, which in turn means that you won’t be able to access many of the accounts and services you need. At least, you won’t be able to until you either get to the piece of paper where you wrote down your backup code or get to a computer or device that is already linked to your Dropbox account.

Data availability is part of data security

Dropbox’s two-step authentication eliminates one particular risk—someone breaking into your Dropbox account because they’ve discovered your Dropbox password. But it would not, for example, protect against a general Dropbox breach. Also, your 1Password data is already designed to withstand sophisticated attacks if someone does get a copy of it. Thus, the actual security gain for your 1Password data that Dropbox’s two-step authentication adds is minimal. It is of most use to people who have poor password practices and have secret, but unencrypted, data stored on Dropbox.

Data availability is just as much a part of data security as data secrecy. It is the ability to get and use your own data when you need it. For a dramatic case of what it means when people lose access to their own data, consider what happened to Mat Honan. If he had not found a way to get back into his Dropbox account after all of his personal devices and computers were wiped clean, he would have lost all access to his 1Password data.

Because phones can be easily lost, stolen, or damaged, using Dropbox’s two-step authentication increases the risk to data availability. In opting to enable two-step authentication, you are balancing one risk against another. Indeed, most security trade-offs involve balancing one kind of security with another. In this case we are considering a very small gain in protecting data secrecy against a potentially larger, but hard to estimate, risk of losing data availability.

If you insist

If you insist on trying Dropbox’s new two-step authentication process, here are a few recommendations.

1. Be obsessive about data backups

You should have backups of your 1Password data that will:

  1. be recoverable before you have access to your 1Password data. For example, if your backup is encrypted, you will need a way to get to that password before you have restored your 1Password data
  2. be recoverable if your house burns down
  3. be recoverable if your computers and devices are subject to the kind of “remote wipe” attack that Mat Honan experienced

Another way of looking at this is, if you enable two-step authentication, you should not think of Dropbox as a backup system (you shouldn’t anyway, for other reasons). I know that I’ve gotten lazier about personal backups since using Dropbox (despite the fact that I shouldn’t). Any such laziness needs to be reversed if you enable two-step authentication.

One option is to make a copy of your 1Password data and burn it to a CD. Your 1Password data should include your Dropbox credentials, including the backup code. You may wish to keep a copy of that CD in your car or some location away from your other backups.

2. Write down your Dropbox backup code

Keep copies of the Dropbox rescue or backup code in a variety of places, including on paper. You need this if you lose your phone. And if you lose your phone and have serious loss of access to data on your computers, you will need to reset two-step authentication without having access to what is on Dropbox.

Setting up and using Dropbox’s two-factor authentication with 1Password

To enable Dropbox’s two-step verification, check out this document in their help center. Dropbox wants everyone who uses two-step verification to participate in their discussion forums. You should join that discussion to see instructions for enabling two-factor authentication in the first place. That is where help, updates, and important changes are discussed.

Once you have set things up and Dropbox is working correctly on your desktops, there is nothing that you need to do with 1Password on your Desktop. 1Password on the desktop doesn’t actually talk to Dropbox; it just makes use of what is in your Dropbox folder.

As I’ve mentioned before, if 1Password on your phones or iPads is already configured to do Dropbox syncing, then again, you are all set to go. Nothing changes. Dropbox has already given a token to the 1Password app which it can use for logging in. It is only if you need to set up Dropbox syncing that you need to take a few extra steps:

Step 1: Follow the normal instructions for setting up Dropbox syncing in 1Password on your device. Note that after you enter your Dropbox username and password, the login attempt will fail.

Step 2: Check your email (the email address that is your Dropbox username). You should get an email from Dropbox that looks like this:

Step 3: When you follow the link in that email you will (once you’ve logged onto Dropbox in your web browser) get to a page that looks like this:

Use the one time password presented on that page as a temporary Dropbox password back in 1Password on your mobile device.

Why am I such a downer?

I am delighted that Dropbox is rolling out a two-step authentication system. This is a good thing for Dropbox to be doing. It is particularly beneficial to those Dropbox users who use the same password for Dropbox as they do at other sites though, naturally, I hope few 1Password users are among them.

It is also early days for this feature. As development and experiences progresses, we will come to better understand the risks of data loss and so be able to provide advice better tuned to the actual risks. But until that time, I have to take the most pessimistic view. I wouldn’t be surprised if weeks from now I’d be encouraging pretty much everyone to sign up.

A note on multi-step authentication and 1Password

Multistep authentication has clear and obvious security benefits. So it is more than natural for people to ask why 1Password doesn’t employ it. I’m planning to write a more detailed explanation of our developing thoughts on that, but I would like to take this opportunity to discuss the difference between authentication and decryption.

When you connect to some service, like Dropbox, you or your system has to prove that it really has the rights to log in as you. That process is called “authentication”. It is the process of proving to the Dropbox servers in this case that you are really you. You can do this through a username and password; you can do this through a username, password, and code sent to your phone; you can do this by having a particular “token” stored on your computer. Authentication always involves (at least) two parties talking to each other. One party (the client) is under your control; the other (the server) is under someone else’s control.

1Password, however, involves the 1Password application (under your control) talking to your 1Password data (under your control) on your local disk (again, under your control). This is not an authentication process. So 1Password doesn’t even do one-step authentication. It does no authentication at all. 1Password doesn’t gain its security through an authentication process. Instead the security is through encryption. Your data on your disk is encrypted. To decrypt it you need your 1Password master password.

There are great advantages to this design: Your data and your decryption of it doesn’t require our participation in any way once you have 1Password. But one disadvantage is that the kinds of techniques used for multi-step authentication are entirely inapplicable to 1Password. Those techniques are designed to add requirements to an authentication process, but unlocking your 1Password data is not an authentication process at all. Because there is no 1Password server, there are no (additional) steps we can insist on as part of a (non-existent) login process.
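To make the distinction concrete, here is an added Python sketch written for this page; it is example code, not 1Password’s data format or AgileBits’ code. It puts the two models side by side: decrypt_vault derives its keys from the master password with PBKDF2 and either recovers the data or fails a local integrity check, with no second party involved, while ToyAuthServer is a hypothetical server that holds a password verifier and hands down a yes/no verdict. Because Python’s standard library ships no AES, the encryption uses an HMAC-SHA256 counter-mode keystream as a stand-in; the iteration count, the blob layout and every name here are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Assumed parameter for this illustration only; not 1Password's actual setting.
PBKDF2_ITERATIONS = 100_000


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the master password (PBKDF2-HMAC-SHA256).
    This runs entirely on the user's own machine; no server is consulted."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in for AES-CTR, which the stdlib lacks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC, assumed layout)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the password (hence the derived keys) is wrong or the
    blob was altered. Note what is absent: nobody is asked whether the password is acceptable;
    the wrong key simply fails the MAC check, so there is no login step to which a second
    factor could be attached."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ToyAuthServer:
    """Hypothetical service in the Dropbox role: two parties, and the server decides.
    It stores a PBKDF2 verifier per user; the client never holds the data the server protects."""

    def __init__(self) -> None:
        self._users = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, verifier)

    def authenticate(self, username: str, password: str) -> bool:
        """The server's verdict. A second step (say, a code from a phone) is one more check
        added here; decrypt_vault above has no equivalent place to add it."""
        if username not in self._users:
            return False
        salt, verifier = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    blob = encrypt_vault("correct horse battery staple", b"constructed sample secret")
    print("right password:", decrypt_vault("correct horse battery staple", blob))
    print("wrong password:", decrypt_vault("wrong", blob))
    server = ToyAuthServer()
    server.register("alice", "hunter2")
    print("server verdict:", server.authenticate("alice", "hunter2"))
```

The practical consequence is the one the text draws: rate limiting, lockouts and extra steps are all things a server imposes on a conversation, whereas an encrypted file on disk answers only to the key, which is why the strength of the master password and of the key derivation carries the whole load.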

There are approaches that we could take which would approximate the effect of multi-step authentication for what is actually a decryption process. But I will save discussion of those for another day.

Updated on 8/27 to:

  1. Reflect that Dropbox has fully released two-step verification. When I was writing this article, it was in “beta”. But at about the same time that this article was first published, Dropbox released version 1.4.17.
  2. Tell fewer lies about how the second step of authentication works. It still pretends that data is transmitted to your phone, but I’ve at least toned down that implication.
  3. In conjunction with Dropbox moving this out of beta and the experience of lots of 1Password users switching over to two-step authentication, I’ve become much more optimistic about when we will feel comfortable recommending this to 1Password users. I changed my guess of “months” to “weeks”.

1Password for Windows tips: Control your clipboard, run in the system tray, quickly reveal passwords

1Password for Windows sports a whole bunch of customizability to fit into your workflow. But since I don’t want to throw so much awesome at you all at once, I’d like to highlight just a few of its perks—for now.

Control your clipboard

1Password has a handy “Copy to Clipboard” button next to many of the important things, such as passwords, that you might want to manually paste into other apps. But by default, 1Password is designed to protect those secure items from falling into the wrong text boxes by clearing your clipboard after 90 seconds or once you exit the app, whichever comes first.

But is 90 seconds too long of a window? Do you keep 1Password open all day and prefer it to clear your clipboard on minimize, not exit? Or maybe you want 1Password to get out of your way immediately after using the Copy to Clipboard button. You can control all of these behaviors by opening 1Password’s preferences and visiting the Security pane.

Run in the System Tray

Some people just prefer the system tray, and 1Password is happy to oblige. If you open the Preferences > General pane, you’ll see two System Tray options. The first allows you to enable the System Tray icon to begin with, while the second lets you minimize 1Password to the System Tray and hide it entirely from the taskbar.

Reveal passwords quickly

Sometimes you just need a quick glance at a password or other sensitive piece of information, maybe for a quick review or perhaps to confirm you need to update it using our Strong Password Generator. Whatever the case, when you have a Login or other item selected that has hidden information, just hit Control-R to briefly unveil what it is. When you let go of that shortcut, your information will once again be hidden.

Canada Day, Independence Day, and AgileBits 30 Percent Off Day! Erm… week!

AgileBits calls both Canada and the U.S. home (and other countries too!), so we have a couple of national celebrations coming up next week. But besides fireworks and traditional cuisine, we figured we could add something to the Canada Day and Independence Day festivities, so we’re having a sale!

Through July 8 (for you last-minute-ers, that’s 11:59pm two Sundays from now), all our products are 30 percent off! This goes for 1Password in the Mac App Store, 1Password Pro for iPhone and iPad, 1Password for Windows, Knox for Mac, and everything from our own web store.

Enjoy the festivities next week. But whether you’re celebrating a national holiday or not, enjoy 30 percent off of 1Password and Knox!

The Fellowship of the 1Password Extension completes its mission

Ages ago, in a land far from this one, our merry band of developers and designers, known as The Fellowship of the 1Password Extension, set out to complete two missions: destroy some gold ring with a creepy, invisible inscription, and rebuild our 1Password browser extension from byte-one for Safari, Chrome, and Firefox on OS X and Windows. The journey was long, and much code was lost and reborn along the way. But at long last, we are pleased to announce that our new extension now works for all the major browsers with its arrival on Firefox for Windows.

Oh, and the aforementioned ring is also toast.

With our recent release of 1Password extension version 3.9, we now support Firefox for Windows. That means we now have one powerful, core code base that makes it much easier for us to support Safari, Chrome, and Firefox across both OS X and Windows.

All of the main 1Password extension features are here in Firefox for Windows (save for any browser-specific perks like the 1Password Omnibar trick in Chrome). To get it, all you need to do is open 1Password for Windows, click Preferences in the toolbar, then click the Browsers tab, and click the Firefox option. Our extension download page will open in Firefox, and you can follow the brief instructions there.

This completes an important chapter in our saga, and the Fellowship of the 1Password Extension can finally rest, or perhaps grab a beer with the Elves in Rivendell. But, of course, 1Password’s journey is never truly over—there is still much work to be done, and the Fellowship will stand ready for action.

A big 1Password extension 3.9 update is out!

Are you sitting down? Ok, you folks who stand while you work—don’t answer that. Regardless, if you’re reading this in Safari, Chrome, or Firefox, we have a great new 1Password browser extension release for you.

Fresh out of beta is version 3.9 of our browser extension, and boy it’s a doozy. We added support for multiple profiles to Firefox and Chrome, and domain matching is, as they say in the car industry, “all new,” except we actually mean it. We completely rewrote it to watch out for things like subdomains and international domains.

All told, we added over 20 new features, changes, fixes, and bits of TLC in this extension update, and you can read all the details if so inclined. As for how to get it:

  • If you already have our new 1Password browser extension installed, your browser should update automatically, if it hasn’t already
  • If you need to install our extension on Mac or PC (Windows Firefox users—your wait is almost over, promise!), just open 1Password’s Preferences to the Browsers pane, click Install Browser Extensions, and follow the instructions on the webpage that opens

We hope you enjoy the new extension, and let us know what you think!

1Password for Windows: our new Safari extension is out of beta!

Greetings Windows-slinging Agile Readers! Remember that all-new 1Password extension we began testing with Safari a couple weeks ago? I’m happy to say that you may feel free to remove its beta badge at your earliest convenience.

Wait, scratch that. Safari should automatically do it for you, if it hasn’t already. Hooray for automatic extension updates! To make sure Safari has you covered, you can hit the gear menu and go to Preferences > Extensions. Click the Updates panel and make sure “Install Updates Automatically” is enabled. If you haven’t grabbed the new extension yet, here’s how:

  • Make sure you have the latest version of 1Password by going to Help > Check for Updates
  • Click the Preferences button, go to the Browsers pane, and click the Safari option
  • Follow the instructions on our extension download website that opens

Yes, the new version of our extension has gone official for Safari for Windows, and so have its many slick new features. User feedback was great, so we’re getting to work on bringing it to the other Windows browsers we support. As far as a timeline goes, though, I can’t say anything just yet. You’ll just have to stay tuned here on the blog, on Twitter @1Password and @AgileBits, and on Facebook!

1Password for Windows: Our new extension is ready to try in Safari

Sometimes, a browser extension comes along that changes everything. Your philosophy on life is forever altered. The way you experience the internet fundamentally shifts. Your dog and cat go apartment hunting together. Nothing is the same.

Our new 1Password browser extension will not do any of those things to your world, valiant Windows users, but it will make a huge improvement to the way you browse the internet with 1Password. We’ve re-imagined our 1Password browser extension to bring you a better, faster experience, and put more of your 1Password data than ever before at your fingertips, right inside your browser.

Today we’re releasing the new version of our 1Password browser extension in beta for Windows users to test, and we’re starting by supporting one of our most requested browsers: Safari for Windows. Of course, support for more browsers will follow soon.

How to get it

To get it, you’ll need to opt into our beta testing process:

  • Open 1Password
  • Click the Preferences toolbar button (or press Control-P)
  • Go to the Updates pane, enable the Beta option, click Check Now, and update to the latest beta (it should be version 1.0.9.BETA-237 or higher)

Now, to get the new Safari extension:

  • Visit our Windows extension page to download and install our new Safari extension
  • Enjoy testing our new Safari extension!

Note: the first time you unlock the extension, the initial sync might take a little longer than usual. That’s normal, and the next time you unlock shouldn’t take nearly as long.

How to use it

So, what’s the big deal about the new extension? The redesign allows it to be much more flexible and make more of your information available, even editable, right in your browser—no need to stop what you’re doing and open the main 1Password app. Here are some quick highlights and tips to help you get the most out of the new extension:

  • Control-\ is your one-stop-shop: The new default Logins pane does double-duty, displaying “Logins for the Current Site” at the top, and a list of “All Logins” just below. Just hit Control-\ to open the extension on any webpage (you can configure this shortcut in the 1Password app’s settings)
  • Arrow keys are your friend: If you’re a keyboard ninja, you can arrow up and down the list of Logins. If you hit return on a Login in the ‘Submit Login’ section, 1Password will fill it into the current site. If it’s in the ‘All Logins’ section below, 1Password will open a new tab, take you straight to the site, and log you in
  • Type to search: If mousing around and arrow keys aren’t your style, you can type in any pane to start filtering on the fly. A search box will appear at the top, and the item list will instantly slim down to just what you’re looking for (note: this is basically a quick way to enable the new search icon in the upper left)
  • View, copy item details in your browser: Say you need to copy a password for a Flash site, or you need to paste a 1Password detail into some other app. You can click the right arrow next to any item in the new extension, or hit your keyboard’s right arrow key, to view most of its details right within the extension. Mouse over any detail and click it to quickly copy it to your clipboard for pasting elsewhere
  • Click headers to change behavior: Do you need to complete a CAPTCHA on some sites before logging in? Or perhaps you prefer to open new windows instead of new tabs. You can click the headers in the Logins pane to change how they behave. You can choose to just fill a Login instead of fill and submit (in case you need to do other things on the page), and instead of opening Logins in a new tab, you can choose to open them in a new window or even the current tab
  • Fill Credit Cards and Identities: Any Credit Cards and Identities you’ve added to the main 1Password app are available in their own panes below Logins. Filling them into websites is just as easy: you can open the 1Password extension, mouse or arrow your way to the Credit Card or Identity you need, and click or hit Return to fill it into the site’s form
  • Tab between panes: You can use the Tab key to quickly switch between the Logins, Credit Cards, Identities, Strong Password Generator, and Settings panes

Check out more screenshots in our gallery at the end of this post!

How to get in touch

Since this is a beta, we’re hoping to hear some feedback in our Windows beta forum with your thoughts on how it’s going, and especially when you run into bugs. After all, there’s a reason we’re using the beta badge.

In case you didn’t catch that, yes: it was a wink wink, nudge nudge to please leave feedback in our Windows beta forum.

How to stay tuned

We’ll update 1Password and this new extension based on your feedback, and we’ll have announcements of more Windows browser support soon. Until then, follow us on Twitter @1Password and @AgileBits, like us on Facebook, and subscribe here to stay on top of all our update news!

Defending against 1Password harvesters

We have some bad news and good news today about the state of Mac security. The bad news is that there’s a new malware variant out for the Mac, a trojan called DevilRobberV3, that tries to collect various pieces of data, including your 1Password data file. The good news is that your 1Password data is very well encrypted, but we still want to take this opportunity to review a few details of what’s going on.

We don’t think this poses any real danger to 1Password users. But because our knowledge of DevilRobberV3 is still fairly limited, I want to revisit some of our long-standing recommendations for ensuring your 1Password data stays safe.

What do we know about DevilRobberV3?

At this time, we know little about DevilRobberV3 beyond what has been reported by F-Secure. It is a trojan that can be installed when someone tries to download and install a pirated version of Pixelmator from websites that offer stolen software. The fake Pixelmator installer instead installs DevilRobberV3, which mostly just gathers system information and sends it off to the malware’s creators.

The main business of DevilRobberV3 is stealing CPU time on an infected computer to mine bitcoins, a type of virtual currency used by some internet services. But what matters to us here is the system information that is also gathered, and that list can vary depending on the variant of DevilRobberV3. So far, here is a rough list of information that might be collected if DevilRobberV3 gets onto a Mac: OS X Keychain; Safari browsing history; number of files with “truecrypt”, “pthc”, or “vidalia” in the name; shell command history; bitcoin wallet contents; 1Password file contents; system log file; external IP address of the infected machine; downstream and upstream bit rate of the infected network; the malware’s port mapping attempt status; and the time the malware was executed. Earlier versions also took a screenshot.

Because they are collecting so much information along with running the bitcoin farming, I expect that this is more of a fishing (not phishing) expedition. They are trying to learn about systems in general and do not have a plan of attack using any collected data. I am speculating, of course, so let’s take a look at the worst an attacker could do with your 1Password data.

Defending against the worst case

First I’d like to reassure everyone that your key 1Password data is extremely well encrypted. Our Strong Password Generator tool creates extremely strong passwords for websites, and we use the best encryption tools and protocols available for encrypting those passwords (learn more about how 1Password encrypts your information in our support doc). I doubt that anyone is actually specifically trying to exploit 1Password data files they might obtain, but because we can’t rule it out, we need to consider what bad guys could do with captured data.

1. Guessing your Master Password

Since day one, we’ve highlighted how important it is to have a strong, memorable Master Password. If you want some help to create a great Master Password or improve the one you have, please see one of our many previous blog posts with tips and tricks, the geek edition of that post, or this help doc. Note that changing your Master Password after your data file is stolen will not protect the captured data. So don’t wait until there is some sort of breach on your machine before making sure you have a good Master Password.

2. Attacking the websites you visit

In our current 1Password data file format, the URL of a Login is not encrypted. If you have an account on Amazon.com, an attacker who has obtained your data file can see that you do, but cannot see your username or password.

The password strength indicator (whether 1Password considers your password to be strong or weak) is also not encrypted in the current form of the database. Generally, this lets us strike a good balance between securing your most important data (such as usernames and passwords), allowing the 1Password data file to be stored and synced securely with cloud services like Dropbox, and still offering features like sorting your Logins by URL or by password strength. You can learn more about why the 1Password data file has been designed this way in our cloud storage security doc.

So even though your passwords are extremely well encrypted in your 1Password data file, an attacker might learn that you have a weak password for www.example.com. If the attacker can also guess your username (I, for one, use pretty much the same couple of usernames everywhere), and you used a weak password on a site instead of our Strong Password Generator, they may be able to use this knowledge to attempt a brute force (guessing lots of passwords) directly against www.example.com. Fortunately, the vast majority of websites will block or delay logins after some number of failed login attempts.

If you think you might have some weak passwords saved in 1Password, perhaps from The Old Days before you started using our Strong Password Generator, take a look at our previous advice on how to find and update weak passwords. This involves sorting your 1Password data by password strength in the 1Password application, then updating your password using 1Password’s Strong Password Generator feature. Note that sorting data by password strength may soon be removed (so that the strength is no longer stored unencrypted), which means that this specific tip may be limited to data created and viewed with 1Password for Mac (App Store) version 3.9.2 and prior, 1Password for Mac (non-MAS) 3.8.10 and prior, and 1Password for Windows 1.0.9.235 and prior.

Those are steps you can take to increase your already high level of security. There is always a “weakest link”, which is what we need to look at when considering worst case scenarios.

What we can do

Although users need to pick good passwords, it is not our intention to push the entire security responsibility on to users. Our goal has always been to make it easy and convenient for you to behave securely. So the question is: what are we doing to guard against the dangers listed above? First of all, the security is already extremely strong. But we are always looking at where we can improve upon the weakest link.

1. Moving ahead with new data format

We have already discussed how the data format currently used in 1Password 3 needs to be improved in the light of increased computer power and increased risk of data theft. Work on our new data format is coming along, but it is still not ready for all platforms (we need to make certain that it works on every platform that 1Password supports). So this doesn’t present an immediate solution to the news of malware that collects 1Password data. Once it does arrive though, our new data file format will offer some advantages, one of them being that even more of your data (including Login URLs) is encrypted.

2. Increasing PBKDF2 iterations

I’ve discussed the role that PBKDF2 plays in protecting your Master Password from automated password guessing systems. We are currently exploring increasing the number of PBKDF2 iterations, but I don’t want to promise anything specific until we’re confident enough to release it. We need to work through compatibility across platforms, and performance specifically on mobile platforms when syncing data. But we are actively testing things as I write this. (We put hooks into the code a while back anticipating the need to increase PBKDF2 iterations.)
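To make the iteration-count argument concrete, here is an added example (not 1Password’s code) that stretches a Master Password with PBKDF2-HMAC, simulates an attacker running a wordlist against a stolen data file, and shows that the attacker’s work scales linearly with the iteration count. The PRF (SHA-256), key length, the verifier construction, the wordlist and the guessing rates are all assumptions, not product values.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; the post does not name 1Password's PRF or key length.
PRF = "sha256"
KEY_LEN = 32
VERIFIER_TAG = b"verifier"  # constant the derived key authenticates, so we never store the key


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the Master Password into a key: `iterations` HMAC rounds per candidate."""
    return hashlib.pbkdf2_hmac(PRF, master_password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_stolen_file(master_password: str, iterations: int) -> dict:
    """What a trojan walks away with: salt, iteration count and a password verifier."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hmac.new(key, VERIFIER_TAG, PRF).digest()}


def check_guess(guess: str, stolen: dict) -> bool:
    """One offline guess: the attacker must pay the full PBKDF2 cost for every candidate."""
    key = derive_key(guess, stolen["salt"], stolen["iterations"])
    return hmac.compare_digest(hmac.new(key, VERIFIER_TAG, PRF).digest(), stolen["verifier"])


def offline_attack(stolen: dict, wordlist: list) -> tuple:
    """Run a wordlist against the stolen file; return (hit, guesses tried, HMAC rounds spent)."""
    for n, guess in enumerate(wordlist, 1):
        if check_guess(guess, stolen):
            return guess, n, n * stolen["iterations"]
    return None, len(wordlist), len(wordlist) * stolen["iterations"]


def guessing_time_seconds(candidates: int, iterations: int, hmac_per_second: float) -> float:
    """Estimated wall-clock cost of a guessing run; linear in the iteration count."""
    return candidates * iterations / hmac_per_second


if __name__ == "__main__":
    wordlist = ["password", "letmein", "qwerty123", "Tr0ub4dor&3"]  # constructed sample
    stolen = make_stolen_file("Tr0ub4dor&3", iterations=1_000)
    print("weak Master Password found:", offline_attack(stolen, wordlist))
    # A 100x higher iteration count costs the user one extra unlock delay but the attacker 100x more per guess.
    for it in (1_000, 100_000):
        print(f"{it:>7} iterations: {guessing_time_seconds(10**9, it, 1e9):,.0f} s for 10^9 guesses")
```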

3. Removing password strength information

We are also testing at the moment the consequences of removing unencrypted password strength information from the current data format. If we do this, it will have more visible consequences for users. This will almost certainly mean changes to how users will need to find weak passwords among their data.

So look for updates soon that will make your 1Password data even more resistant to attack.

In summary

If you become a victim of the DevilRobberV3 trojan, we have no reason to doubt the security of your 1Password data file. Ever since 1Password was just a few scribbles on bar napkins, we’ve designed and coded the 1Password data file to remain secure in scenarios such as your computer or mobile device getting stolen, or a trojan getting hold of it. The particular changes that we are looking at for the immediate future are things that we’ve been working on for months.

Lessons

One lesson, if I can be forgiven for repeating myself, is that security is a dynamic process. We re-assess threats, our own design, and our implementation of that design. A security product is never really done; it is, instead, an on-going process.

Another lesson is that you should be part of that on-going process. The advice listed above isn’t new, and so regular readers of this blog will already have the extra level of security. My somewhat tautological advice, then, is that you should follow our advice.

Finally, and this should go without saying, don’t download and install software from unknown or untrustworthy sources. There are enormous numbers of reasons not to download pirated software, but one of those reasons is that the people you are downloading from are criminals. You never know what you might end up really installing. Even if you are not trying to pirate software, be very careful of deals that “seem too good to be true”. It may be a topic for another day, but Wil Shipley has some nice recommendations about how Apple can help with software distribution in a way that would reduce the opportunity for trojans to be installed on OS X.