The 1Password browser extension puts a little dance in Safari’s web forms (Firefox and Chrome coming soon!)

Besides releasing 1Password 4 for iOS in December and working on a new local sync solution, we’ve been a little quiet on the desktop front lately.

I assure you it’s with good reason.

While today is not the day to start talking about all the great stuff we’re planning, we can offer a glimpse, and it starts with making it easier for you to see when 1Password fills a form.

Today we released version 3.9.10 of the 1Password browser extension. It brings a whole bunch of improvements and tweaks for all supported browsers, but the headlining feature is that it will now animate filled forms in Safari for Mac.


When you use 1Password to fill a Login, Identity, or Credit Card, the actual form fields that 1Password fills will quickly expand and contract, helping you to see where 1Password works its magic. It’s a small touch, but it is often the tiny details that make all the difference.

If you use Chrome or Firefox, fret not. We’re working on bringing this touch to your browser in a future update.

As for the other improvements in this extension update, you can see our full browser extension changelog. Your browser should automatically update to the new version, but if you need help with updating your extension, checking its version, or installing it in the first place, please see this document.

Mountain Lion Update: 10.8.1 is out today

Apple has released the first update to Mountain Lion, version 10.8.1, as of today. So if you’re one of the more cautious folks who never install the “dot zero” update, now’s your chance to pull the trigger. If you already made the leap, you can go to the Mac App Store and get your update from the Updates tab, or you can use the manual installer if you prefer. Either way, you’ll need to restart when it’s done.

This is an update of particular importance to 1Password users because it includes a fix for the Safari crashing bug we’ve seen with Safari 6, Mountain Lion, and our Safari browser extension.

As with all system updates, usual disclaimers apply here. You’ll need to make sure your other applications (and in our case, browser extensions) are up to date, and it’s always a good idea to have a backup of some sort before you click install, because you never know.

1Password extension goes Retina for Mac

A little while ago, one of our fearless founders, Roustem Karimov, jumped into our Campfire room and said “RETINA ALL THE THINGS!” And our designer, Dan Peterson, responded “OK SURE.”

Hot on the tail of our Retina update to 1Password for Mac, our browser extension version 3.9.5 is now also Retina-ized, with a fresh coat of paint to boot! The extension’s icons have been redesigned in the process, giving you a much clearer indication of the individual sections: Logins, Wallet, Identities, and Strong Password Generator.

We also made some great improvements to autosave and general performance, updated to Firefox SDK 1.8, and added a few other nips and tucks.

As long as your browser is set to automatically check for extension updates, you may very well already have this 3.9.5 update. If not, you can open your extensions manager and check manually to get our fresh extension Retina-ness.

Only you should 0wn your data, Part 1: 1Password and Flashback

Over the last couple weeks, a topic in tech news has been Flashback, malware that seems to have gotten itself installed on (at least) about 600,000 Macs running OS X. Although there has been malware for Mac OS X for a long while, Flashback is the first to reportedly affect a substantial number of users. In at least one respect, it does represent an important change in the kinds of security threats facing Mac users.

This article is the first installment of a three-part series about the state of Mac malware and what all this means to you as a Mac and 1Password user. In today’s first part, I’ll discuss what kind of threat malware like Flashback does or does not pose to your password data. Part 2 will talk about malware more generally, with concrete tips about keeping yourself safe. Part 3 will talk about changes in the threat landscape, and provide some ways of understanding the differences and similarities between the threats that Mac and Windows users face.

First things first

If you haven’t tested whether your system has been infected with Flashback, you should. By installing the latest security updates to Lion and Snow Leopard, you will get Apple’s Flashback removal tool. Just use Software Update on your Mac. I write more about keeping your system up to date in Part 2 of this series.

Apple, to say the least, has not been the most fleet of foot in addressing the threat, so you may be tempted to look elsewhere for detection and removal tools. Every anti-virus vendor offers free (or free trial) tools that will detect and remove Flashback. I’ll talk a bit more about anti-virus software in Part 2, but for now let me just point out that they have an incentive in scaring people and publishing hyperbolic claims. I haven’t (and won’t) evaluate the various products they have to offer, but personally I would be more trusting of those companies who provide useful, level-headed information over those that try to scare you.

The quick answer

We do not see the Flashback infection as a significant threat to your 1Password data. But the single best thing you can do to protect your 1Password data if your machine is infected in any way is to have a good Master Password.

The encryption on your 1Password data has been designed from the outset to withstand concerted attack if it gets captured. Whether it is captured through your computer being stolen, a compromise of a syncing service, or through a compromise of your computer through malware, it can’t be decrypted without your Master Password.

The second thing about 1Password’s design is that it only decrypts the smallest amount of information needed at any one time. Even when your 1Password data is unlocked, all of the information is encrypted except for the particular item you are dealing with at the time. This means that there are no decrypted temporary files. This is an important – and often overlooked – security feature. 1Password never leaves decrypted usernames and passwords just sitting around.

Of course, when it comes to security questions, there really are no quick answers. So the rest of this article goes into more detail.

Theory and Practice

It’s a wonderful day when I can meaningfully quote Yogi Berra:

In theory there is no difference between theory and practice. In practice, there is.

In principle, once your computer is compromised it is no longer “your” computer. In some juvenile jargon, your system is owned. In theory, if malicious software is running (with sufficient privileges) on your computer, then everything you do and see belongs to the attacker. This could, in principle, involve modifying all of the software (including the Operating System) that you use. So in theory, once your computer is taken over, there is pretty much nothing that can protect you. Fortunately, practice is much different than theory.

In practice, malware tries to remain small. It makes only the minimal changes to your system that are required for its specific job, and most of those changes are attempts to cover its tracks. Because we know the kinds of things that malware–in practice–does, we have been able to design 1Password to protect your data against those sorts of attacks.

Flashback, for the most part, opens a back door that allows its operator to install or modify things on the infected computers later. That is, computers that are infected become part of what is called a botnet. These are often used to relay or to launch certain attacks on more high-value targets. By using machines in a botnet, the attackers can cover their tracks and leverage huge numbers of machines to make their attacks more powerful.

Because machines in a botnet are awaiting commands from those who control the botnet, it is hard to answer the question “what does Flashback do?” Symantec has just published a fascinating analysis of how Flashback has made money for its operators. It inserts itself into web browsers to hijack certain advertisements and clicks, so ad revenue that would otherwise go to Google goes to the operators of Flashback.

Even with our better understanding of what the Flashback operators were after, we still have to ask what the operators of a botnet could, in practice, do with an infected computer. Here I will focus on two things that malware can do that pose a risk to password data, even if this isn’t primarily what Flashback was after. One is that malware can install software that would scan your computer for lists of passwords. The other point of concern is that it can install malicious software into browsers that tries to capture passwords as you use them.

Hunting for lists of passwords

One thing that can be installed through the backdoor is a system that searches your computer for lists of passwords. There is a history of this in Windows malware, so we should assume that those who have a back door into your computer have the same capabilities and interests.

The good news for 1Password users is that such malware goes after “home-grown” password management systems. They are not at all prepared for a well-designed system like 1Password.

Many people, faced with the problem of remembering lots of passwords, develop their own password management system. Often people will simply list their passwords in a word processor document, such as Microsoft Word, or in a spread-sheet. It is those files that this sort of malware goes after. Even when people encrypt those files, the password that they use to encrypt that data is often not protected by measures to resist automatic password cracking tools. Furthermore, when people decrypt those files to work with them, often temporary files are created with the data decrypted. Password collecting malware goes after those too.

1Password’s design resists those sorts of attacks. We use PBKDF2 to make it much much harder for an attacker to run a program that tries to guess your Master Password. We’ve also been beefing up this defense to keep ahead of developing threats.
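To make the PBKDF2 point concrete, here is an added example (not 1Password's code) that compares a single unsalted hash, as a home-grown scheme might use, with a salted PBKDF2 derivation, and estimates how the per-guess cost and the strength of the Master Password together determine guessing time. The hash, salt length, key length, and iteration counts are assumptions chosen for illustration, not 1Password's actual parameters.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for illustration only; not 1Password's actual settings.
HASH_NAME = "sha256"
SALT_BYTES = 16
KEY_BYTES = 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into an encryption key with PBKDF2-HMAC."""
    return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def naive_key(password: str) -> bytes:
    """What a home-grown scheme often does: one unsalted hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def check_guess(guess: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Unlock check; every attempt, right or wrong, pays the full PBKDF2 cost."""
    return hmac.compare_digest(derive_key(guess, salt, iterations), expected)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure the cost of one derivation on this machine (best of `trials`)."""
    salt = os.urandom(SALT_BYTES)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_key("constructed-sample-guess", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def expected_years(entropy_bits: float, guess_seconds: float) -> float:
    """Average search time: half the guess space at guess_seconds per guess."""
    return (2 ** entropy_bits / 2) * guess_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample: the same password under two different random salts.
    pw = "constructed sample master password"
    salt_a, salt_b = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    print("unsalted hash repeats:", naive_key(pw) == naive_key(pw))
    print("salted keys differ:   ",
          derive_key(pw, salt_a, 1000) != derive_key(pw, salt_b, 1000))

    # Per-guess cost on one core of this machine, then the expected search
    # time for weak, moderate, and strong passwords (entropy in bits).
    for iterations in (1, 1_000, 100_000):
        cost = seconds_per_guess(iterations)
        row = ", ".join(f"{bits} bits: {expected_years(bits, cost):.3g} y"
                        for bits in (28, 40, 60))
        print(f"{iterations:>7} iterations, {cost * 1e3:8.3f} ms/guess -> {row}")
```

The timings are for a single core on the machine running the script; an attacker with more hardware scales them down, which is why the entropy of the Master Password matters as much as the iteration count.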

We are also very careful to only decrypt small amounts of data at a time instead of decrypting everything. This means that (with the exception of file attachments) decrypted data is never written to disk, so there are no temporary or cache files that could be picked up by an attacker on your system. These are some of the behind-the-scenes considerations that go into 1Password, but are rarely considered in home-grown systems, which makes them such a ripe target for malware.

Target of the DevilRobber

Poorly designed, home-grown systems are the typical targets of malware data collection, but does that mean no malware would ever include 1Password data among its targets? Not at all. Indeed, I wrote about a case like that last November involving DevilRobber, another piece of malware. DevilRobber didn’t get much attention because it didn’t get very far, but it did collect a great deal of information from the few machines that were infected.

Whoever collected that data would still need to guess someone’s 1Password Master Password to get encrypted information out of the file. But once we learned that people were actively going after 1Password data files, we made some changes, with some more to come.

If I can be forgiven for repeating myself, the single best thing you can do to protect your 1Password data is to have a good Master Password.

Password collection in Safari

Some versions of Flashback are reported to have added things into Safari to capture passwords you might enter for sites in the browser. If your browser had been infected this way, then passwords that you typed or pasted into web pages are likely to have been captured. This does not include your 1Password Master Password.

Passwords that were filled by 1Password (not pasted or manually typed) are unlikely to have been captured, but I can’t be absolutely certain of that. Although it may seem that 1Password is just pasting in or typing in your usernames and passwords for you, that’s not what is really going on. 1Password’s form filling mechanism works much closer to the bone, thus reducing the chances that something could intercept the data that 1Password fills in.

Still, because you may have pasted passwords instead of having 1Password fill everything, if your system has been infected, you should use Apple’s aforementioned Flashback removal tool and change some of your passwords. Start with your more important and frequently used ones. Passwords for email services are the first thing that attackers like to go after. After that, it’s banking and popular on-line retailers.

Even if your system was infected, there are a lot of unknowns that all act in your favor: whether you had a Flashback variant that monkeyed with Safari; whether passwords were entered in a way that the malicious software could capture; whether the people gathering that data have the resources to exploit it. One of the biggest unknowns is that many infected Macs have not been able to communicate with the command centers—the systems on the network that are set up to give instructions to infected Macs or collect data from them. Network operators and security companies substantially disrupted communication with the command centers.

Complacency or panic

Frightened people make poor security decisions, just as people who are overly complacent do. Flashback poses a non-negligible threat to your 1Password data, but “non-negligible” doesn’t mean “large”. It doesn’t even mean “significant” in this case, but it does mean that we shouldn’t ignore it. So let me repeat the advice I gave above that if your machine was, in fact, infected with Flashback, after you get it removed and your system up to date, do change your most important and frequently used passwords.

1Password extension update brings gifts, good tidings for Safari, Firefox, and Chrome users

We’ve seen a flurry of browser updates lately, so our developer ninjas sprang into action to respond accordingly. After some quick hacking and slashing of code, we have a couple of useful updates that your browser may have automatically installed for you already, but we figured they’re still worth mentioning here.

1Password extension 3.9.1 brought some key improvements for Safari users, including fixes for those of you who are running it in 32-bit mode. Version 3.9.2, however, brings gifts and good tidings for Firefox users in the form of much better memory management and overall performance. Form filling has been improved across the board, too, so 1Password should now fill sites like iCloud, Fidelity, Twitter, and others.

You can read up on the full details in our extension changelog. To make sure you have the latest version of the extension, click the 1Password button in your browser’s toolbar, then the Settings panel (with a gear icon), and look at the “About” box at the bottom.

A fix for Safari 5.1.4 for Mac and 1Password Helper problems

Good news, everyone! Well, bad news, then good news. To keep things short: Apple just released Safari 5.1.4, and it’s causing some ruckus with our 1Password browser extension for a few of our Mac users. That’s the bad news.

The good news is that we have a fix, and it’s pretty darn easy. We have a support document that explains everything with an accompanying screenshot, but in short: for the vast majority of customers experiencing this problem, it seems to be an issue with running Safari in 32-bit mode instead of 64-bit. To get Safari and our 1Password Helper playing nicely together again, you can:

  • Quit Safari
  • Right-click Safari in your Applications folder and choose Get Info
  • Uncheck the “Open in 32-bit mode” option
  • Restart Safari and live happily ever after

So far, we’ve seen only one instance where a customer also had to restart their Mac for this fix to actually stick. But on the whole, this seems to solve the problem. If you still experience trouble, though, please get in touch with our support team and they’ll get you squared away!

A big 1Password extension 3.9 update is out!

Are you sitting down? Ok, you folks who stand while you work—don’t answer that. Regardless, if you’re reading this in Safari, Chrome, or Firefox, we have a great new 1Password browser extension release for you.

Fresh out of beta is version 3.9 of our browser extension, and boy it’s a doozy. We added support for multiple profiles to Firefox and Chrome, and domain matching is, as they say in the car industry, “all new,” except we actually mean it. We completely rewrote it to watch out for things like subdomains and international domains.

All told, we added over 20 new features, changes, fixes, and bits of TLC in this extension update, and you can read all the details if so inclined. As for how to get it:

  • If you already have our new 1Password browser extension installed, your browser should update automatically, if it hasn’t already
  • If you need to install our extension on Mac or PC (Windows Firefox users—your wait is almost over, promise!), just open 1Password’s Preferences to the Browsers pane, click Install Browser Extensions, and follow the instructions on the webpage that opens

We hope you enjoy the new extension, and let us know what you think!

1Password Power Tip [Mac]: Create a 1Click Bookmark

Know what’s fast? Typing in a URL, then hitting Command-\ to automatically fill your 1Password Login and randomized password to get on with what you’re doing. Know what’s even faster? Clicking a single bookmark to have all that work done for you.

Nerd blogger Brett Kelly, productive podcast Back to Work, TUAW, and Lifehacker have recently mentioned one of our best “guy-behind-the-guy” features in 1Password for Mac, one that is super handy but probably doesn’t get enough of the credit it deserves: 1Password’s “1Click Bookmark.”

Long story short: you can add a button for any site to your browser toolbar that—in one fell swoop click—both opens a website and logs you into it. How do you attain such 1Password awesomeness? Simple:

  1. Find a Login in the main 1Password app that you want to access quickly
  2. Drag it from 1Password to the bookmarks bar of any browser we make an extension for

It’s. that. simple.

From now on, you can click your awesome new 1Click Bookmark (or bookmarks—create as many as you want!) to open its site in the current tab and login right away (though if the 1Password extension is locked, you’ll need to enter your Master Password). This is especially handy if you have multiple Logins for a site, because the bookmark you create calls on the specific Login that you dragged from 1Password.

If you want to know more about 1Click Bookmarks, check out our help doc about them or swing on by posts at Nerd Gap, Lifehacker, and TUAW.

1Password updates are out with some nice new perks

They say “good things come in pairs.” Or maybe it’s “to those who wait.” Hang on, who is “they” anyway?

Before we get wrapped up in colloquialisms, let’s tackle something a little easier: the new perks that both our Mac App Store and website customers can enjoy in a pair of 1Password updates we released. We’ve added the usual round of all-natural performance enhancements and polish (honest: AgileBits is a steroid-free company!). Mac App Store customers can check the “What’s New” section in the store, and website customers can check our version history page.

These updates are waiting for you, right now, up in the Agile Cloud. Here’s how to grab them:

  • Mac App Store customers: Open the Mac App Store and go to the Updates tab
  • Website customers: Go to 1Password > Check for Updates

1Password How-To: Install the browser extension—what do you think?

Now that some other Agile duties have simmered down, I’m getting back to one of my passions: tutorial videos. I love working on our documentation and creating helpful videos, so here’s one of my first quick shots after dusting off my ScreenFlow license.

This is a how-to on installing the 1Password browser extension for Mac App Store customers (our website version has a slightly different process) and clocks in at just over two minutes. If you get a minute, give it a look and let me know what you think in the comments:

Some things to think about:

  • Is it more helpful than a hindrance?
  • Does it move too quickly or did you fall asleep?
  • Is this audio and video enough, or should I add visual descriptions of steps as I explain them? (think: some kind of an overlay with brief instructions like “Step 2: Click the whichamadinger below the thingie”)

I’d love to hear what you think of this initial attempt after being gone for a while. It’ll help me make more and more helpful videos like these.