1Password 4.5 for iOS and 4.3 for Mac are out and on Launch Celebration Sale!

One could say we’ve been busy these last couple of months, but that would only be the half of it. We have two great releases today that are packed with so much stuff, we had to cut down on our What’s New text just to fit it within the App Store requirements.

1Password 4.5 for iOS

Completely redesigned. Multiple Vaults and Sharing. AirDrop. Search always where you need it. A unified AutoFill tool in 1Browser. This is our biggest free update for iOS ever and you can get the full details on why in the App Store.

Plus, all versions of 1Password are 50% off through the 4/26-27 weekend for our Launch Celebration Sale! Pick up 1Password for iOS now for just $8.99!

1Password 4.3 for Mac

1Password mini can now search everything, use a healthy dose of keyboard shortcuts, and show your Secure Notes. Go full screen. Sync your data file on a USB drive. Mac App Store customers also get all the great stuff from our 4.2 web release, like AutoSave updating existing Login items when you change passwords (that’s a big one!), editing items right in 1Password mini, and more.

Check out the full details in our changelog or on the Mac App Store, and don’t miss the Launch Celebration Sale here too. Through April 27, pick up 1Password for Mac in our web store or the Mac App Store for just $24.99!

Introducing the 1Password Watchtower service for Heartbleed and beyond

When news of the internet’s Heartbleed bug broke last week, we published what we knew about it and the implications for 1Password and 1Password users.

To recap: 1Password is not affected by Heartbleed, but there are steps you need to take to protect your passwords from sites that may have been affected.

Today, we’re introducing a new service to help you check vulnerable sites and stay on top of your online security. We call it 1Password Watchtower.

A way to check if the bleeding has stopped

Your password data remains safe and secure within 1Password, but when your web browser sends a password to an insecure website, that particular password can be captured.

Most, but not all, websites have had some period of being insecure because of Heartbleed, and this is why so many passwords need to be changed.

Since those first few hours on April 7, we’ve gone from “what is this all about?” to “which sites do I need to change my password, and when?” Today, the 1Password Watchtower service will help you answer that question.

The categories of sites

With respect to Heartbleed, the 1Password Watchtower service will try to categorize websites into one of the following five categories.

1. Vulnerable

Sites that are still exhibiting the Heartbleed bug should be avoided until they’ve fixed it. Once fixed, you should change your password.

If you reused a password for one of these sites, then all of those websites are also at risk. You should change your passwords on those other websites as soon as appropriate, and be sure to set up a different password for each of these sites.

2. Not currently vulnerable but needs new certificate

This is where things get complicated. While these sites have stopped the bleeding, their master keys may have been stolen while the site was vulnerable.

To protect against this, websites need to get new certificates signed by certification authorities, which simply takes time (especially when nearly every site needs to do it). It took two days to get our new certificate, and I would not be surprised if others will have to wait longer, especially if they submitted their requests after us.

For these sites we recommend that you change your password twice. Changing your password now will prevent an attacker from using any previously stolen passwords. Then you can change your passwords again once the site’s certificates have been reissued to guarantee that the new password is only known by you.

3. Not currently vulnerable and has a new certificate

These sites were vulnerable to Heartbleed at one time but have been completely fixed. You can go ahead and change your passwords on these sites.

You may find yourself with many sites for which you need to change passwords, but don’t let yourself get overwhelmed. Focus on changing passwords for your most important websites first.

1Password can help you through the process, and of course, this is a great opportunity to use 1Password’s Strong Password Generator to create a strong and unique password for each site.

4. Never vulnerable

Some sites and services were never vulnerable to Heartbleed, typically because they never used OpenSSL or had disabled various features.

One piece of good news is that, as far as we can tell, most banks fall into this category. However, to the annoyance of security researchers, banks are not telling us why they weren’t vulnerable; they are merely repeating that their customers are and have been safe.

For sites that were never vulnerable, no special action is needed. You do not need to change those passwords if your passwords were unique to those sites.

But (and you will hear us repeating this often) if you used the same password on a “never vulnerable” site that you used on one which was vulnerable, then you should change your passwords to be strong and unique on both sites.

This illustrates why password reuse on multiple sites is so dangerous. Even services that have had excellent security on their own can be broken into with a password stolen from elsewhere. 1Password’s Security Audit will help you find duplicate passwords.

5. No SSL/TLS

Sites in this category are in no way affected by Heartbleed, but these are the services where it is most important that you don’t reuse passwords.

Some sites and services do not use SSL/TLS to secure connections between your web browser and their service. Because they have no transport security to break, their security can’t be “broken” by Heartbleed. Any password—or, really, any data—sent to such a site can be easily captured. If you have a password for one of these sites, make sure that you don’t use the same password for any other service.

Subdomains matter: It is important to remember that 1Password Watchtower checks the exact domain you tested. So even if go.com doesn’t use SSL, subdomains such as disney.go.com, may. It does not appear that one ever sends passwords to go.com itself, so its lack of SSL does not put passwords at risk.

How do we know which sites fall into which category?

As 1Password Watchtower checks for Heartbleed, it performs a number of tests on a domain and its certificate, as well as looking at the results of earlier tests. But even with all of the tests that we run, there is some substantial “guess work” in the categorization.

We can reliably tell which sites are currently vulnerable and which sites aren’t. We can also check the start date for the validity of a certificate. We run other tests, but whether they produce results or not, they only offer hints at which category we should put a domain into.

If you are a site administrator and find that we are reporting incorrect results for your site or service, please make use of Heartbleed HTTP Headers to announce your condition or let us know.

Uncertainties

Never vulnerable or needs a new certificate?

The biggest uncertainty is that we have no reliable way to distinguish between sites waiting for new certificates and sites which were never vulnerable. Neither kind of site is currently vulnerable, and neither has a new certificate. We look at fragmentary results of previous scans as well as web server software to try to form a guess, but it remains a guess.

Is an old certificate really old?

Every certificate has a validity period, with a “valid from” date and an “expiry” date. We are (mostly) using the date from which they are valid to see if they are old or new. However, many recently reissued certificates have the same validity period as the one that they replaced. As a consequence, some certificates that appear to be in need of replacement aren’t.

Are we talking to the right service?

Many high-traffic web sites use load balancers, which don’t actually process your web request but send it off to one of many back-end servers. The software on a load balancer is meant to be invisible, but it will often be different from what runs on the back end. The tests we perform involve a number of queries, some of which will be handled by the back-end servers and some by the load balancer. For example, a load balancer that was running an affected version of OpenSSL might be using IIS as a back end, and thus we might falsely report the site as “never vulnerable”.
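The decision order described in this section, sketched as an added example (not AgileBits' code and not Watchtower's actual logic): the two reliable checks decide first, and only the old-certificate case falls back to hints and is flagged as a guess. The field names, the 7 April 2014 cut-off, the server-hint list and the conservative default are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional

# Assumption: a certificate whose "valid from" date is on or after the day
# Heartbleed became public (7 April 2014) counts as reissued.
DISCLOSURE = date(2014, 4, 7)
# Constructed hint list: server software taken to mean "not OpenSSL".
NON_OPENSSL_HINTS = ("microsoft-iis",)


class Category(Enum):
    VULNERABLE = 1
    NEEDS_NEW_CERT = 2
    FIXED_NEW_CERT = 3
    NEVER_VULNERABLE = 4
    NO_TLS = 5


@dataclass
class Observation:
    """One domain's probe results; all field names are hypothetical."""
    has_tls: bool
    currently_vulnerable: bool = False
    cert_valid_from: Optional[date] = None
    seen_vulnerable_before: Optional[bool] = None  # None: no earlier scan
    server_header: str = ""  # a hint only; may describe the back end


@dataclass
class Verdict:
    category: Category
    guessed: bool  # True when hints, not reliable checks, decided
    notes: List[str] = field(default_factory=list)


def classify(obs: Observation) -> Verdict:
    # Reliable observations: TLS present, bleeding now, certificate start date.
    if not obs.has_tls:
        return Verdict(Category.NO_TLS, False)
    if obs.currently_vulnerable:
        return Verdict(Category.VULNERABLE, False)
    if obs.cert_valid_from is not None and obs.cert_valid_from >= DISCLOSURE:
        return Verdict(Category.FIXED_NEW_CERT, False)

    # Old certificate and not bleeding: "needs new certificate" and
    # "never vulnerable" look the same, so everything below is a guess.
    notes = ["a reissued certificate can keep its old valid-from date"]
    if obs.seen_vulnerable_before:
        notes.append("an earlier scan saw the bug")
        return Verdict(Category.NEEDS_NEW_CERT, True, notes)
    if any(h in obs.server_header.lower() for h in NON_OPENSSL_HINTS):
        notes.append("header may come from a back end behind a load balancer")
        return Verdict(Category.NEVER_VULNERABLE, True, notes)
    if obs.seen_vulnerable_before is False:
        notes.append("earlier scans are fragmentary")
        return Verdict(Category.NEVER_VULNERABLE, True, notes)
    # Assumption: with no hints at all, pick the case that asks for action.
    notes.append("no earlier scan and no server hint")
    return Verdict(Category.NEEDS_NEW_CERT, True, notes)


if __name__ == "__main__":
    # Constructed sample observations, not real scan results.
    samples = {
        "plain.example": Observation(has_tls=False),
        "bleeding.example": Observation(True, currently_vulnerable=True),
        "reissued.example": Observation(True, cert_valid_from=date(2014, 4, 9)),
        "waiting.example": Observation(True, cert_valid_from=date(2013, 11, 2),
                                       seen_vulnerable_before=True),
        "iis.example": Observation(True, cert_valid_from=date(2013, 6, 1),
                                   server_header="Microsoft-IIS/7.5"),
    }
    for host, obs in samples.items():
        v = classify(obs)
        print(host, v.category.name, "(guess)" if v.guessed else "", v.notes)
```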

Use strong, unique passwords and carry on

Heartbleed is an astonishingly serious thing, but it isn’t cause to panic. Indeed, frightened people tend to make poor security decisions. The bulk of the work is being done by system administrators, and there are changes to come in the ways critical software is scrutinized. But for most people like you and me, the job is to improve our password practices.

Many—I’d like to think nearly all—1Password users are good about having strong, unique passwords for each site and service. That habit should already make the current task easier for you. Heartbleed and this initial version of 1Password Watchtower give you another opportunity to improve even more. Doing so will make you safer now and long into the future.

1Password, Heartbleed, and You

Our co-founder, Dave Teare, sent an AgileBits newsletter to our subscribers Friday night about the internet’s Heartbleed bug and how you can use 1Password to defend yourself and change all your passwords. We had a surprising number of requests to republish it here, so I’m happy to oblige!

If you want to receive our occasional AgileBits newsletter with news and tips about 1Password and Knox, as well as other goodies, hit the button below.


And now, our Heartbleed newsletter, republished here for our blog readers.


Hello everyone,

I’m writing to you today with some very important news. A vulnerability named Heartbleed was discovered in the software that protects most web sites.

Please read on to see what actions you need to take.

What is Heartbleed?

Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it’s what’s responsible for the padlock icon in your browser’s URL bar while browsing the web.

Normally when browsing a site using SSL, you can trust that the information you send to the website can only be seen by the website itself. This keeps your private information, such as credit cards, usernames, and passwords, secure.

The Heartbleed exploit enables attackers to bypass the protections provided by SSL. This means any information you sent to a website that relied on vulnerable versions of OpenSSL could potentially already be in the hands of the bad guys.

I found this XKCD comic explained perfectly how the Heartbleed exploit works.

1Password is Not Affected

There is a lot of work to be done as a result of Heartbleed, but let’s start by talking about what this vulnerability does not mean.

1Password does not rely on OpenSSL to secure your data. Your data in 1Password is protected using Authenticated AES 256-bit encryption and can only be unlocked with your Master Password.

This means 1Password is not affected by the Heartbleed bug and there is no need to change your Master Password.

With that said, there is still a lot of work to be done…

Update Your Passwords, Phase 1

While your data is safe within 1Password itself, there is a good chance websites you used were vulnerable and did not protect your username and password.

The knee jerk reaction to this news is to change all your passwords immediately. While I will be recommending you change your passwords, not all websites have been updated yet to protect against this vulnerability.

The best advice I can give you is to change your most important website passwords immediately, including your email, bank accounts, and other high value targets. This will provide your best defense against previous attacks.

After a few weeks, websites will have been upgraded with new SSL certificates, and you will be able to trust SSL again. At this point you should change all of your passwords again.

How to Change Your Passwords

Changing your passwords on every website is a chore. On the bright side, 1Password makes it easy to upgrade all your website passwords.

How to Update Your Passwords

Heartbleed is a very serious issue so I hope you will take the time needed to update your passwords. Ideally you would change all your passwords, but at the very least, please update the most important ones.

Stop The Bleeding

New, strong, unique passwords are your best defense against Heartbleed. 1Password makes this easy.

To make it easier for everyone to improve their security we decided to put 1Password on sale.

Save 50% Off 1Password and Stop the Bleeding

Please share news of Heartbleed with your friends and families. Simply forwarding this email is a great first step to helping them know that this is a serious issue.

I know I will be using this opportunity to finally convince my mother that she needs to take her internet security more seriously. Hopefully you will also be able to turn this crisis into an opportunity for good.

Stay Tuned

The Heartbleed story is continuing to evolve. I’ll be in touch again soon with an update.

While I normally send these newsletters infrequently, given the gravity of this situation, I’ll likely be sending a few extra this month. I hope you find this helpful.

To get updates even faster, be sure to friend us on Facebook or follow @1Password on Twitter.

Please keep in touch and let us know if there is anything we can do to help.

Where’s Eddy?

You may remember that AgileBits won a Macworld Eddy Award in 2013 for 1Password 4 for Mac (We were a little bit excited about it). 1Password 4 has been a labour of love for the entire team, from developers to support, and it was a true honour to be singled out for such a prestigious award.

Well, because the powers-that-be at AgileBits are pretty awesome, they decided to share the honour. So, not only is there a shiny new Eddy from 2013 sitting next to his friend from 2010 on our office shelf, but Eddy is also gracing the shelves and homes of every AgileBits employee! I was completely blown away by this generosity, and it got me thinking: how were the rest of the AgileBits team celebrating the arrival of this shiny award?

As it turns out, there’s some excitement, a little bit of weirdness, and a whole lot of smiles. Check out some of our photos here and give us a like on Facebook to check out the full gallery!

The 1Password at Macworld/iWorld 2014 megastravaganza post!

We’re in San Francisco for Macworld/iWorld 2014—and for you! We love hearing from our customers, and we have booth #39 in the Appalooza so we can hear from you in person this week! We’ve spent the day getting the booth ready and tracking down that one thing we need to make it all work. Now we’re just excited to get the show on the road.

Swing by anytime Thursday, Friday, or Saturday during the conference to say hi. Bring a friend if you like! In fact, we’re bringing a friend on Friday from 11am-12pm—Joe Kissell, he of the Take Control of 1Password book.

Our co-founder Dave Teare is also going to be on the Main Stage Thursday, March 27 in Mac Gems: Meet the Developers. He’ll join Jennifer Bell of Prosoft Engineering, John Chaffee of BusyMac, and Greg Scown of Smile to talk everything from ‘where do the great ideas come from?’ to ‘the risks and rewards of the Mac App Store and developing software in general’. Be sure to catch the panel and learn from some of the best in the Apple community.

Last but not least, 1Password 4 for Mac (and Windows!) is 50 percent off to celebrate Macworld/iWorld! You can get the sale price in our web store and in the Mac App Store, so it’s up to you!

Whether you pick up 1Password on sale or not, be sure to swing by our booth at the conference to say hi!

Apps that Love 1Password: Unread, Fantastical, Tonalli

This is another particularly delightful edition of Apps that Love 1Password since it’s so diverse. This time we have a hot new newsreader, one of the best calendar apps for iPhone, and a slick utility for tracking your project time with Tick.

Unread

Unread for iPhone from Jared Sinclair is a beautiful, minimal newsreader for Feedly, FeedWrangler, and Feedbin. Jared cut out a lot of buttons and toolbars in favor of simple gestures to let you focus on reading and (optionally) sharing articles.

Unread’s login forms for FeedWrangler and Feedbin feature a 1Password button so you can quickly find your accounts. The sharing feature also lets you open the current article or webpage in our 1Browser so you can use Identities to quickly register for services, or even Credit Cards so you can insta-buy what you just read about!

Unread is available for iPhone in App Store.

Fantastical 2

The Sweet Setup declared Fantastical 2 the best calendar app for iPhone, and it’s easy to see why. Fantastical is fast, a native iOS 7 citizen, and has optional support for Apple’s Reminders. One of its best features is that you can use natural language to create events and tasks, like “Lunch with Amy at 12:30” to create an event, or “get milk /p” to add a Reminder to your Personal list.

As of Fantastical 2.0.5, you now have the option to open links in our 1Browser, making it much easier for you to securely log into services, register at new sites with 1Password Identities, and fill out shopping carts with one tap.

Fantastical 2 is available for iPhone in App Store.

Tonalli

For all you folks out there who need help tracking projects and the time you put into them, Tonalli is a minimal and free iPhone client for Tick. You can see your daily timecard, manage said timecards, and view reports and charts for all your projects.

A new 1Password button in Tonalli’s login screen should make it faster to log into your Tick account. You’ll switch to 1Password with an AutoSearch for Tick. Swipe the item to open the Action Bar, copy your password, then switch back to paste and get to tracking time.

Tonalli is available for iPhone in App Store.

As always, we thank the developers behind these and all the Apps that Love 1Password for making it easier to work, play, and stay secure both on- and offline with 1Password.

1Password – No More Sticky Notes

Ever wanted a succinct video with a catchy soundtrack to help explain what 1Password is all about to friends, family, and coworkers? Now you got it!

We wanted to make a video that explains the overall problems and challenges of passwords and staying secure online, then how 1Password is the best way this side of the sun to solve it all. I might be biased, but I think we nailed it, and we’d like to thank the wonderful folks we worked with at Sandwich Video for making it happen.

Apps that Love 1Password: Capitaine Train

1Password has built its name, in part, on three syllables. For the other part, it excels in helping you get around online more securely and conveniently, and it can be plenty useful off-line too. In fact, don’t take it from our past and future blog posts about all this, our Apps that Love 1Password has gained another real-world feather in its cap with the release of Capitaine Train, a transit booking app for iPhone.

Capitaine Train is a train ticket booking app for European systems, in particular France (SNCF, iDTGV, iDBUS), Germany (Deutsche Bahn), UK (Eurostar), Switzerland (Lyria), Belgium and Netherlands (Thalys) and more. You can search for trips, register multiple passengers, purchase tickets (of course), and even add your trips to your calendar and Passbook for easy access.

A new 1Password button in Capitaine Train 9.0 makes it easier to log into your account. Tap the button and you’ll switch to 1Password with an auto-search for your account. Swipe your Capitaine Train item to show the Action Bar, tap the clipboard to copy your password, then switch back to paste it in and get to booking.

Apps that Love 1Password: Diet Coda, VSCO Cam

Our growing Apps that Love 1Password page got even more diverse recently with some great new additions: Diet Coda from the fine folks at Panic, and VSCO Cam.

Diet Coda

Diet Coda is an iPad-ified version of Coda for Mac, Panic’s venerable web code editor. Diet Coda speaks all the big web languages, sports a powerful text editor, and has great S/FTP tools to bring it all together.

In the new Diet Coda 1.5, adding a website you need to work on is easier than ever. When adding a new site, the password field has a new 1Password button that will switch over and automatically search your vault for the domain you entered. Just tap your item, tap the password field, tap “copy” in the popover that appears, and switch back to Diet Coda to enter your password and get editing.

VSCO Cam

VSCO Cam is a photo shooting, editing, and sharing app for iPhone from Visual Supply Co. It has its own unique sense of style and is backed by people who have done work for everyone from Apple to Levi’s to Nintendo. In other words: they know photography.

In a big VSCO Cam 3.0 upgrade, the company added quite the unique way to automatically search 1Password for your VSCO account password. Instead of a 1Password button in the password field, you can triple-tap the cam app’s login screen to make the switch. Once in 1Password, just swipe across your item to trigger the Action Bar, tap the clipboard to copy your password, then switch back to VSCO Cam to paste and get shooting and sharing.

We’d like to thank Panic and Visual Supply Co. for making it easier to log in with 1Password. We really do appreciate it, and our mutual users love it.

1Password for Mac Tips: How to update your passwords

1P4 Mac update Login

In every password’s life, there comes a time to get changed. Maybe it was never a very good password to begin with, maybe you were a victim of password reuse, or maybe you were among the 200 million accounts stolen in the recent Adobe and Sony breaches.

Fact is: every password dies, not every password really lives.

When it’s time to change a password, the latest versions of our browser extension and 1Password 4 for Mac make it really, really easy. Give this a shot:

  • Use the extension to log into your service of choice
  • Go to the password reset page; it’s usually in Settings or Options somewhere
  • (Optional) If your current password is required, click our extension and mouse to the right of the Login you want to update. Your details will appear in a menu to the right. Mouse over your password and click to copy it to your clipboard, then paste it into the Current Password field in the webpage (keyboard shortcut fans will be happy to know you can do all this with arrow keys and Return to copy the password)
  • Click our browser extension and go to the Password Generator to get a unique, super strong new password. Customize any details you like (such as length or special characters), then click Fill to automatically fill it into the New Password fields on the page
  • Click the Save button in the password reset form, and the 1Password extension will offer to update your existing Login, much like that glorious window you see above. If you have multiple Logins for the current site, be sure to pick the right one to update

Click Update in that window, and your new password is now saved for your existing Login! But wait, there’s more, and you can see it if you click that little details arrow next to the Login name:

1P4 Mac update Login extra details

If you make use of 1Password’s tags and folders (you should, they’re really handy!), you can add tags and file this updated Login into an existing folder, all right from the extension. Plus, if you give 1Password 4 for Mac’s new Security Audit feature a whirl, you can get a good idea of which passwords you might want to update first. Super cool?

Very super cool.