Heads up: Your best defense against the Russian hacker data breach is still strong, unique passwords

The bad news: Russian hackers claim to have gotten their hands on a sizeable collection of login credentials and emails.

The semi-good news: the story might not add up. According to The Verge, most, if not all, of the credentials may simply have been collected from previous breaches we already knew about, including Adobe, LinkedIn, and others.

The good news: strong, unique passwords for all your sites are still your best defense. If shady individuals nab one or even more of your accounts, 1Password’s unique passwords prevent them from using that information to break into all your accounts.

Unfortunately, we live in a world where data breaches are going to happen. As my colleague Jeff Goldberg likes to remind us: security is a process, not a destination.


The best way to defend against breaches large and small is the same as it ever was: use 1Password’s Strong Password Generator on Mac, Windows, and iOS to create strong, unique passwords for all your accounts with a single click.

1Password’s Security Audit feature is also a great way to stay on top of your security. It shows you duplicate and weak passwords, and our built-in 1Password Watchtower service warns you to change your password for any of your Logins whose site has recently been breached.

As usual, the headlines sound big, but the solution is simple. Use 1Password’s Strong Password Generator for the best defense against data breaches. As this matter is examined further, we’ll let you know more about breach sources or any other pertinent details.

Filling with your approval: On 1Password’s App Extension and iOS 8 security

iOS 8 has an incredible feature coming called App Extensions, and we’re thrilled to say we have a 1Password extension ready for developers to use right in their apps! In apps that gain support for our extension, you will no longer have to copy and paste passwords from 1Password. Yes, it really is a game changer, and you can see it in action for yourself.

Naturally, this new-fangled way for apps to interact in iOS 8 is leading people to ask how we do this in a secure manner:

  • Are we really letting third-party apps poke around inside of your 1Password data?
    • Answer: No, that is not how extensions work.
  • Can these third party apps ask 1Password for your PayPal password?
    • Answer: Well, they can ask, but you decide if they should get what they ask for.
  • Can they trick you into entering your 1Password Master Password into something that isn’t 1Password?
    • Answer: The very same mechanisms that prevent that today apply to application extensions.

TL;DR

I will elaborate on all of this below. But to summarize, all of my points and these safeguards in both iOS extensions and 1Password are built on an important design principle: Nothing happens without your explicit action.


Introducing the 1Password App Extension for iOS 8 apps

Throughout history, the greats have always sought a “holy grail.” The Dude really wanted that new rug. Indiana Jones searched for… well, the Holy Grail. Today, we’re happy to say we built our holy grail: automatic 1Password Logins right in iOS 8 apps.

The video embedded here, produced by our fearless co-founder Dave Teare, speaks for itself. Thanks to Apple’s incredible new developer features in iOS 8, third-party apps can let 1Password fill Logins without the user ever leaving the app. Yep, complete with Touch ID for unlocking the vault. Yep, it’s this awesome.

How easy is it for third-party apps to get in on this one-tap Login goodness? Extremely! Developers: check out our 1Password App Extension on GitHub with documentation and sample code.

App users: reach out to the developers of your favorite apps and help us spread the word! Show them the video and link this blog post and our GitHub project.

We want to share our holy grail with all apps: the convenience of one-tap Logins and the security of strong, unique passwords with 1Password.

Up your 1Password-fu with keyboard shortcuts


I don’t know about you, but constantly typing my login details is not my favourite part about visiting websites, and digging for my credit cards, then typing all those details takes all the fun out of shopping.

Fortunately, 1Password and some handy keyboard shortcuts are happy to save you a ton of time with all these less-than-thrilling parts of being online, so you can spend more time on the stuff that matters.

1Password’s bread ‘n butter

One of our best, long-standing shortcuts is Command-\ (for PC users, Command = Control). This game-changer instantly fills and submits your Login for the current page, so you get in and get going with a single shortcut. If you have more than one Login for the page, a 1Password menu will list them all so you can arrow up and down, then hit Return on the one you need.

Of course, many standard computing shortcuts work for 1Password, too: Command-N will create a new item for you, Command-E will edit an existing item, and Command-S will save the edits.

Fill forms with the 1Password menu

“Password” might be in the app’s name, but 1Password also fills things like registration forms and shopping carts. First, you’ll want to open the main 1Password app and create a couple Identities and Credit Card items.

Then, on a page with a form you want to fill, press Command-Option-\ (Control-Alt-\ on PC) to display the 1Password menu. There you can arrow to the Identities or Credit Cards section, arrow right to find the item you need, and hit Return to sign up for a new service or checkout online faster than you can say “Siri, remind me to review our monthly budget.”

Switch vaults (Mac)


We introduced Multiple Vaults in 1Password 4 for Mac, allowing you to securely share and sync items with a team at work, your family members, and monthly D&D squad.

Each vault gets a numbered keyboard shortcut. To switch between them, open the 1Password app or 1Password mini’s menu in your browser and use Command-2 for your second vault, Command-3 for the next, etc. Command-1 is always your primary, personal vault.

Lock 1Password

Control-Option-Command-L on your Mac or Control-L on your PC will lock 1Password and keep it safe from any prying eyes.

Copy an item’s password

Press Command-Shift-C on your Mac in 1Password or 1Password mini, or Control-Shift-C on your PC in 1Password, to copy the password for the selected item.

Reveal a password

If you’re a cautious sort and prefer to keep your passwords safely obscured behind dots, simply hold down the Option key on your Mac, or press Control-R on your PC, to sneak a peek at the password.

The whole enchilada

Find the full list of keyboard shortcuts for 1Password 4 for Mac here and 1Password 4 for Windows here.

1Password 4.1 for Android is coming, we extended the freemium date and have a price!

Over the past six weeks, we’ve seen a tremendous response to the all-new 1Password 4 for Android and our free trial experiment. Our team has been hard at work on a number of updates and great new features, and today we’re happy to say that v4.1 is coming soon, we extended the trial date, and we can now announce a price!

v4.1 for Android

Coming soon, 1Password 4.1 for Android will allow new users to create their first vault right on the device, no existing sync or vault required.

We added localizations for German, Spanish, Portuguese (European and Brazilian), Romanian, Russian, and Swedish. We are also finishing up translations into Chinese, Japanese, French, and Italian. Finally, we added some fixes and improvements that lay the groundwork for goodies that are on their way.

Free trial deadline extended, and a price!

Since our experiment is going so well, we extended the final day through Monday, August 18. Now everyone can have a few more weeks to check out 1Password 4 for Android and all its security awesomesauce.

On Tuesday, August 19, our Android version will switch to a freemium model. You can download it for free and use it as a 1Password reader, a great sync companion with 1Password for Mac or Windows, so you can take all your items on the go. To unlock all editing, organizing, and creating features, make a one-time, in-app purchase of just $9.99 USD to get the full power of 1Password right in your hands.

But wait there’s more

Since we’re just that excited about 1Password 4 for Android, we’ll start this off on August 19 with a $7.99 USD Awesome Android Launch Sale! This 20-percent-off sale will run for just two weeks, so when the sale starts mid-August, move fast.

To make sure you don’t miss it and stay in touch with us, be sure to follow 1Password on Twitter and Facebook!

Things to know about beta testing OS X Yosemite [Updated]

As we’ve said before, we’re pretty thrilled about the operating system updates that Apple has in store. There are a lot of great new features coming this fall in OS X Yosemite; who could blame folks for being eager to get their hands on it?

For those of you who are keen to help Apple test Yosemite in this rare public beta, there are a few things we’d like you to keep in mind.

Yosemite’s iCloud sync may not work for many apps, including 1Password

We know that many of our users rely on iCloud to keep their 1Password data synced up across all their devices, so it is very important to note that iCloud on Yosemite and iOS 8 is being completely overhauled. This means it does not work for 1Password and many other apps.

Most third-party apps will have issues with iCloud sync in Yosemite and iOS 8, not just 1Password. Unfortunately, there are no workarounds available at the moment. Developers are eagerly working with Apple’s many, many new technologies, but we are only able to release App Store updates compatible with Yosemite and iOS 8 when Apple ships those OSes publicly (as in: not beta).

If you beta test Yosemite or iOS 8 and 1Password, we recommend switching to Dropbox sync.

Update: Yosemite testers, there are a few things to note:

  1. Whether it’s our shipping version or beta, ensure only one copy of 1Password is on your Mac (if you want the beta, go to 1Password’s Preferences > Updates pane, enable “Include beta builds”, and check for updates)
  2. When you restart Yosemite, give 1Password a little time to connect to 1Password mini. It can be slow sometimes, and we’ll have a fix soon. If you see an alert that 1Password mini failed to start, please quit 1Password and start it back up to try again
  3. In System Preferences > Security & Privacy > General, make sure “Allow apps downloaded from” is not set to “Mac App Store” only. The “Mac App Store and identified developers” is probably best

Are you a bug hunter?

This Yosemite beta is meant primarily as a testing ground for developers, and as such, there will be bugs that we cannot fix on our own. As Apple says on their beta program page:

“This is beta software that is still in development, which means some applications and services may not work as expected.”

Please be prepared to have a lot of issues, not just with 1Password but also with Yosemite and probably other apps. Early betas should not be installed on production systems nor should you expect any developers to issue updates quickly to fix issues. If you don’t have a separate machine, you could consider creating a new partition on your current machine and test there, properly separating it from your current version of OS X, apps, and data.

For our current 1Password beta testers: 1Password beta for Mac now requires OS X Yosemite, and 1Password beta for iOS requires iOS 8. If you are unable to install the Yosemite or iOS 8 betas, please stick with our current, shipping versions of 1Password.

If you are currently testing OS X Yosemite and would like to help us polish up 1Password for Mac’s latest and greatest features as well, we’d love to have you in our beta family! Sign up for the 1Password for Mac beta newsletter to join. Unfortunately, we are unable to add any users to our iOS beta program at this time.

For more discussion on how 1Password is adapting to its new environment, check out our beta forums!

1Password is a very safe basket

—–
The right way to build reliable systems is to put all your eggs in one basket, after making sure that you’ve built a really good basket.
—–

When you use a password manager, you are putting a great deal of valuable and sensitive information in one place. The expression, putting all your eggs in one basket is apt. When you put all your very valuable eggs in one basket, it is absolutely fit and proper to ask how secure that basket is.

The question becomes more salient when there are press reports of past security problems in a number of password managers (1Password was not among them). Those reports are based on some excellent research on web-based password managers by Zhiwei Li and his colleagues at the University of California, Berkeley, (“Go Cal!”).

What does that report mean for 1Password?

The Berkeley team looked at threats that affect web-based password managers. 1Password is not a web-based password manager and so, by and large, is not subject to the threats discussed in that paper. Different security architectures face different threats.

We made our choice of security architecture with this in mind. As a consequence of our design decisions, the particular threats and vulnerabilities discussed in the Berkeley paper are simply not applicable to 1Password.

(Most) Vendors acted swiftly and responsibly

Before I elaborate on some of the distinctions between web-based password managers, I would like to emphasize a point that I feel has not been sufficiently stressed in the public discussion of the Berkeley team’s analysis. The problems were fixed almost a year ago and apparently before any damage was done.

Although some of the problems were severe, four out of the five products studied fixed the problems quickly:

We reported all the attacks discussed below to the software vendors affected in the last week of August 2013. Four out of the five vendors responded within a week of our report, [...] Aside from linkability vulnerabilities and those found in [the one that didn't respond], all other bugs that we describe in the paper have been fixed by vendors within days after disclosure.

There is no denying that some of the disclosed bugs were severe, but they were reported responsibly and acted on promptly. Both the vendors and the researchers should be commended for how they handled this.

Because of its distinct security architecture, 1Password doesn’t face the specific threats in that particular study, though it does face other threats which we try to defend against. Anyone who claims that they are completely invulnerable and bug free shouldn’t be in the security business. We strive to be bug free, and we strive for a fully secure design, but part of the process of security is making improvements in response to external discoveries of problems.

If I may quote something we wrote three years ago:

If you build a tough lock on a door, it is easy to imagine that you have now secured that door and don’t need to think about it anymore. But in the security business life is rarely that simple. Both the “threat landscape” and our understanding of the locks we’ve built earlier changes. The renowned security expert, Bruce Schneier is famous for (among other things) saying more than a decade ago that security is a process, not a product.

I am not trying to diminish the severity of the bugs discovered and fixed. They were anything but “routine”, but this case is an example where responsible disclosure and appropriate action kept user data safe.

Not Applicable

As I said above, 1Password is not a web-based password manager. You do not log into some web service that is managing your passwords. As a consequence, we don’t face the same kinds of security concerns that web-based services may face. A partial exception to that involves our 1PasswordAnywhere features, which I will return to below.

Nothing is impenetrable, but we have chosen a different security design deliberately. Our security design reduces the number of fronts on which we need to fight to defend your data. In slightly more technical jargon, we designed 1Password to minimize the “attack surface.” Let me run through a couple of examples of what I mean by certain sorts of threats not being applicable to 1Password.

With no authentication, no authentication errors are possible

One type of error discussed in the paper has to do with how the user authenticates (logs into) the particular web service. There are opportunities for bugs or design flaws to be introduced in that process. 1Password does not involve any authentication or web-based service, and therefore this isn’t a part of 1Password (at all) and so isn’t a part that can go wrong.

We can’t hand out data we don’t have

Another issue that came up in the Berkeley analysis of several of those web-based password managers is with how the service could be tricked into handing out data to the wrong person. Again, we don’t have your data in any form whatsoever, so even if we could be tricked into handing it out, we’ve got nothing to hand out.

Fewer phishing opportunities

Phishing is the trick where an attacker lures you into entering a password (or secret) that you intended for one service into a service under the attacker’s control. For example, most of us have received spam claiming to be from PayPal asking us to log in to reset our PayPal passwords. The actual website this spam directs you to is not the real PayPal site, but instead is something under the attacker’s control. This, for some reason, is called “phishing.”

You never type your 1Password Master Password into the web browser (with the exception of 1PasswordAnywhere). With 1Password 4, you never type your Master Password into a browser extension, either. You only type it into the 1Password program itself or into 1Password Mini (on Mac) or 1Password Helper (on Windows). Because of this, it is very unlikely that a malicious website could trick you into giving it your Master Password.

This is a consequence of the fact that 1Password doesn’t do authentication, but it is distinct enough that I listed it separately.

Goodbye to bookmarklets

Browser extensions and browser bookmarklets live in a hostile environment. They live in an environment that is partially created by the web pages you happen to be visiting (and things that those web pages may load from elsewhere). Browser extensions are sandboxed in a way that gives them more protection than bookmarklets. Bookmarklets are highly exposed, and so they need very very strong defenses.

Years ago, 1Password did offer a bookmarklet to provide some ability to use your 1Password data within browsers that didn’t support the 1Password extension at the time. But in 2011 we phased it out, saying:

It’s time to say good-bye to a couple of features that won’t stand up to the anticipated threat environment. One feature, loved by many, is the Login Bookmarklet. This was originally designed as a way to get some 1Password functionality into browsers we didn’t support at the time. Before we had 1Password for iOS, this could be used to kinda-sorta get 1Password data into browsers that didn’t support 1Password directly.

The data in the 1Password Bookmarklet is very well encrypted, but the password for it is not secured using PBKDF2. This means that if the Bookmarklet were to be captured it would need a very strong password on it to resist attack. Because the Login Bookmarklet lives in the browser’s bookmarks, there are more opportunities for it to be captured. Given these two issues, it is time to phase the bookmarklet out.

We weren’t saying back then in 2011 or saying now that it would be impossible to find a way to keep the bookmarklet both usable and sufficiently secure. But we were in a position, given our security architecture, to withdraw from having to defend your data on that particular front.

Linkability

Li’s team raised concerns about “linkability”. Linkability isn’t about revealing the content of your data, but it is a threat to your ability to remain anonymous. If you have a Login with username “Alice” on one site, and “Bob” on another, you may not wish those sites to be able to figure out that those two accounts belong to the same person. That is, you may not wish anyone to be able to “link” those two accounts.

1Password leaks no such information. We don’t have the ability to link those, and even someone who captured your encrypted 1Password data (new format) wouldn’t be able to perform such linking. Again, this is largely a consequence of the fact that we don’t store your data in any form.

Does anything in that paper apply to us?

From the above, you could be left with the feeling that there is nothing for us to learn from Li et al.’s paper. But there are lessons for us. We do have a browser extension, and while it is very different from the kinds of extensions used by web-based password managers, it still needs to remain secure in a hostile environment.

The paper offers two general recommendations that would help provide layers of defense for bookmarklets and extensions. One of them is to specify a restrictive Content Security Policy (CSP) within the extension. The other is to restrict what sorts of JavaScript language features are used within the extension or bookmarklet.

Good advice on Content Security Policies

Content Security Policy (CSP) is a relatively new and not fully standardized technology. It is most useful for websites to state a CSP which browsers should then enforce. But it is also possible for browser extensions to state a policy. One important policy statement could say that no scripts from outside of the extension should be loaded. When CSP was first introduced, we jumped on this but found that each browser did things differently, and at the time, even the most advanced didn’t behave as documented.

Here is an excerpt of something I wrote to some of the authors of the paper last Friday (July 11).

Our earlier attempts to specify a [strong] CSP within our [1Password version 3] extension left us with a bad taste in our mouth, but that was a few years ago and browser implementation was erratic, particularly of CSPs within extensions. Your paper is a nice reminder to attempt this again

We do currently use the default CSP that comes with Google Chrome’s manifest version 2 specification, but it is time to test again how well CSPs work in other browsers.
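To make the recommendation concrete, here is an added example (not the 1Password extension’s code) that parses an extension’s content_security_policy string and flags the relaxations the paper warns against: 'unsafe-eval', 'unsafe-inline', and any script or object source outside the extension itself. Chrome’s manifest v2 default, which the post says the extension uses, is "script-src 'self'; object-src 'self'"; the weak policy and the sample manifest below are constructed for comparison, and the host name in them is a placeholder.

```javascript
// Added example (not AgileBits code): audit a Chrome MV2 extension CSP for
// the relaxations that let outside code run inside an extension.

// Chrome applies this policy to MV2 extensions that declare none.
const CHROME_MV2_DEFAULT = "script-src 'self'; object-src 'self'";

// Constructed weak policy: allows eval() and a remote script host.
const WEAK_EXAMPLE = "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'";

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return findings for the two directives that govern code execution in an
// extension; an empty list means the policy is at least as strict as the default.
function auditExtensionCsp(policy) {
  const findings = [];
  const d = parseCsp(policy);
  for (const name of ['script-src', 'object-src']) {
    const sources = d[name] || d['default-src']; // CSP falls back to default-src
    if (!sources) {
      findings.push(`${name}: missing and no default-src, so nothing restricts it`);
      continue;
    }
    for (const src of sources) {
      if (src === "'unsafe-eval'") {
        findings.push(`${name}: 'unsafe-eval' allows eval() and new Function()`);
      } else if (src === "'unsafe-inline'") {
        findings.push(`${name}: 'unsafe-inline' allows injected inline scripts`);
      } else if (src === '*' || /^(https?:)?\/\//.test(src) || /^https?:$/.test(src)) {
        findings.push(`${name}: remote source ${src} lets code from outside the extension run`);
      } else if (src !== "'self'" && src !== "'none'") {
        findings.push(`${name}: unexpected source ${src}`);
      }
    }
  }
  return findings;
}

// Audit a whole manifest object; absent policy means Chrome's default applies.
function auditManifest(manifest) {
  return auditExtensionCsp(manifest.content_security_policy || CHROME_MV2_DEFAULT);
}

// Constructed sample manifest showing where the policy is declared.
const sampleManifest = {
  manifest_version: 2,
  name: 'Example extension', // placeholder name
  version: '0.1',
  content_security_policy: CHROME_MV2_DEFAULT,
};

console.log(auditManifest(sampleManifest));            // []
console.log(auditExtensionCsp(WEAK_EXAMPLE));          // two findings
```

The check only covers script-src and object-src because those are the directives that decide what code can execute inside the extension; a real review would also look at the pages the extension injects into, which CSP in the manifest does not govern.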

Defensive JavaScript

Zhiwei and co-authors also point developers to Defensive JavaScript. Roughly speaking this involves avoiding certain features of the JavaScript language, while at the same time encapsulating your own JavaScript functions to protect them from outside tampering.

We had already been aware of the specific recommendations. Although we may not be following the letter of those recommendations, our practices have long been in line with the spirit of them. We avoid “eval”-like operations, and anything we inject into the web page is wrapped up in closures.

Again, their paper is a nice reminder for us to take a look at this again, to ensure that we are doing everything we can to protect our browser extension from compromise.
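As an added illustration of the two habits this section describes (no eval-like operations, and injected code wrapped in closures), and not code from the 1Password extension, the following compares a naive function that looks up a built-in through the global object on every call with a closure that captured its own private copies of the built-ins when it loaded. The simulated tampering is just a test harness reassigning JSON.stringify and restoring it afterwards; the item shape accepted by the parser is an assumption for the example.

```javascript
// Added example (not AgileBits code): why injected JavaScript is wrapped in
// closures, and why eval() and new Function() are avoided.

// Naive version: resolves JSON.stringify through the global object at call
// time, so whatever the page has done to that global affects it.
function naiveSerialize(item) {
  return JSON.stringify(item);
}

// Defensive version: an immediately-invoked function takes private copies of
// the built-ins it needs, once, and exposes only a frozen API object.
const defensive = (function () {
  const stringify = JSON.stringify;            // captured before any page script runs
  const parse = JSON.parse;                    // JSON.parse, never eval() or new Function()
  const hasOwn = Object.prototype.hasOwnProperty;
  const freeze = Object.freeze;

  function serialize(item) {
    return stringify(item);
  }

  // Parse untrusted text and keep only the own string properties we expect;
  // the accepted keys are an assumption for this example.
  function deserialize(text) {
    const obj = parse(text);
    if (obj === null || typeof obj !== 'object') {
      throw new TypeError('expected a JSON object');
    }
    const out = {};
    for (const key of ['title', 'username']) {
      if (hasOwn.call(obj, key) && typeof obj[key] === 'string') out[key] = obj[key];
    }
    return freeze(out);
  }

  return freeze({ serialize, deserialize });
})();

// Test harness: run both versions while the global JSON.stringify has been
// replaced (standing in for a page script that altered a built-in), then
// restore it. Returns both results so the difference is visible.
function compareUnderTampering(item) {
  const original = JSON.stringify;
  JSON.stringify = function () { return '"tampered"'; }; // constructed tampering
  try {
    return { naive: naiveSerialize(item), defensive: defensive.serialize(item) };
  } finally {
    JSON.stringify = original;
  }
}

console.log(compareUnderTampering({ title: 'Example Login' }));
// { naive: '"tampered"', defensive: '{"title":"Example Login"}' }
```

The closure does not make the page harmless; it only removes one class of dependency on global state that a page can reach. That is the "spirit" the post refers to: every reference the injected code needs is bound at load time inside a scope the page cannot name.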

The exceptional 1PasswordAnywhere

1PasswordAnywhere is an optional, but useful, feature for many users of 1Password. It is useful when you don’t have 1Password itself with you. If you synchronize your data with Dropbox using the Agile Keychain Format, you will have a file within your Agile Keychain folder called 1Password.html. That file contains the JavaScript necessary to give you read access to your 1Password data stored on Dropbox in your Agile Keychain.

1PasswordAnywhere is as secure today as the day we introduced it. Its security has not diminished in any way. But it does remain an exception to much of what I have said above. It does involve a great deal of cryptography in JavaScript; it is an instance where you do enter your 1Password Master Password into the browser; its security relies on TLS/SSL in a way that the rest of 1Password does not; and it is subject to active attacks (data tampering) in ways that the latest version of 1Password is not.

Again, let me stress that 1PasswordAnywhere remains as secure as ever. But because it is cryptography in JavaScript delivered over SSL/TLS and stored on a third party system, it faces threats that other uses of 1Password do not face.

Continuing the discussion

Zhiwei Li will be presenting his results at the 23rd USENIX Security Symposium August 20–25, which I will be attending. I am very much looking forward to continuing my discussion with him and his co-authors in person. I will have a busy August. I will be presenting a paper at PasswordsCon14 August 5–6. In between these two conferences is my 25th wedding anniversary. (If Lívia can put up with me talking about security concepts for 25 years, you, Dear Reader, can manage to wade through some of my long-winded explanations on occasion.)

Baskets are inevitable

I would like to return to the concerns about “putting all of your eggs in one basket”. With a password manager, you are, indeed, putting all of your eggs in one basket. And so it is important that you read articles like this so that you can get a better sense of how well that basket is protected. But I would like to point out that the likely alternative to using a password manager is to reuse passwords. Reusing passwords involves putting multiple eggs into multiple, very fragile baskets.

Password reuse

Regular readers of the Agile Blog know that I can’t avoid speaking of the dangers of password reuse. When you use the same password on more than one site or service you are putting yourself at risk. A breach of security with one of those sites leads to your password being discovered, allowing attackers to compromise all the other services for which you use the same password.

Reuse baskets

Suppose that you use the password “2b|kn0t2b” on five different sites. Say, PayPal, Amazon, Dropbox, MyKittyPictures, and TheNewBarkTimes. By doing so, you are putting the security of those five eggs into a single basket. Sure, that isn’t all your eggs in one basket, but it is still five. The more you reuse a password the larger the basket grows.

Furthermore, the bigger your reuse basket grows, the weaker it becomes. This is because the more sites and services that you use the same password for, the more likely it is that that password will be exposed. Suppose that one of the sites doesn’t use SSL/TLS to secure your connection. Your password for that site (and for the whole basket) will travel over the network unencrypted. Suppose another site suffers a breach in which its (hopefully hashed) password database is stolen. Whether your password (and so your whole basket) survives that breach depends on the strength of the password and how well that particular site hashes it. Perhaps one of the sites that you use that same password for is in the habit of sending passwords through email (it happens). The larger your reuse basket becomes, the greater the opportunity for it to be compromised.

So far, I have met one person with many logins who does not need to put multiple eggs into a single basket. She credibly claims to have memorized about 80 unique and reasonably secure passwords. Her superpower is a photographic memory and specific security training in password choice. The rest of us, however, do not share her superpower, and inevitably must put multiple eggs into single baskets. It’s better to pick a basket like 1Password that has been carefully designed for the purpose and subject to scrutiny.

Secure your desktop with 1Password wallpaper

I might be a little biased here, but I think 1Password’s lock screen looks pretty sharp. If you agree, this post is for you!

We’ve had requests for 1Password wallpaper, and there have been a few made over the years. We thought it was about time to start collecting and sharing them all in one gallery, much like the one you see below.

If you have any ideas for more 1Password wallpapers (a classic version 3 lock screen or another nerdy mash-up perhaps?), let us know on Twitter, Facebook, or our forums!

1Password 4 for Windows Tip: How to upgrade from the previous version

Let’s face it: the new 1Password 4 for Windows is awesome. Everybody’s upgrading, and I want to make that process as seamless as possible. You can see more details on our upgrade policy and process in this support document, but here’s the cliff notes version.

If you purchased in 2013 or 2014, version 4 is free!

Nope, not a typo. Our free upgrade window for 1Password 4 for Windows is a whopping one-and-a-half years wide. All you need to do is:

  1. Download and install 1Password 4 for Windows
  2. Open 1Password and go to Help > Enter License Key
  3. Enter your existing license key
  4. Enjoy 1Password 4 for Windows!

If you purchased before 2013, take advantage of our upgrade pricing!

There’s an extra step, but it’s still super simple. Before you install 1Password 4:

  1. Open 1Password, find your 1Password license item, and copy it, OR
    1. Go to Help > Enter License Key and click the Replace License button
    2. Select and copy your entire license from that window
  2. Visit AgileBits.com/Store/Upgrade
  3. Paste your license code, click ‘Search’, and check out your upgrade options
  4. Download and install 1Password 4 using your spiffy new license
  5. Enjoy 1Password 4 for Windows!

This should get you on your way, but you can follow a more detailed process in our support document if you like. As always, thanks for using 1Password!

1Password 4 for Android and Windows are a hit!


June has been quite the month for us! We released 1Password 4 for Android and Windows, and we’re thrilled that you like us. You really, really like us!

For the v4 Android debut, Android Central, Boy Genius Report, Lifehacker, and PCMag were excited, with SlashGear saying it “does justice to its namesake.” The Next Web went in-depth with the new version, The Verge says “this is the password manager you should be using,” and then there’s Greenbot, Gotta Be Mobile, International Business Times, and plenty more.

On the Windows side, InfoWorld called v4 a “strong password manager” and lists it among the best. SlashGear and Engadget are excited, and TechCentral says it’s an “impressive password management tool”. Then there’s PC & Tech Authority, Softonic, Techgear, iPhoneclub… and that’s probably enough links for one day.

We are absolutely delighted to get these major releases out there, and the feedback to support and in our forums has been fantastic! We put “Agile” in our name for a reason, so there’s plenty more where this came from. To see what we have coming next, follow us on Twitter, Facebook, and our newsletter!