Get 1Password for Mac, Fantastical, and more in the Parallels bundle!

Parallels bundle DEAL OF THE CENTURY

Hear ye, hear ye! Step right up and get yer Parallels Bundle with seven of the most incredible, irrefutably exceptional, absolutely indispensable apps this side of the moon!

That’s right, for a limited time—and I do mean “limited”—the good folks at Parallels are offering a Mac app bundle designed just for you! Naturally, the headliner is the full (non-upgrade) version of their own Parallels Desktop for running Windows, Linux, and any other OS right on your Mac, but accompanying it are:

  • 1Password 4 for Mac
  • Fantastical
  • Kaspersky Internet Security for Mac
  • CleanMyMac 2
  • MacHider
  • Parallels Access for iPad
  • all for just $79.99!

But wait, there’s more! If you already own Parallels Desktop version 7 or later, you can get a Parallels upgrade version of the bundle for just $49.99!

But keep waiting because there’s one more thing! If you’re looking to get everything but Parallels Desktop, you can get the bundle for the low, low price of $39.99!

Ok, that’s enough exclamation points for one day. But seriously, the bundle is available only for a limited time, so run, don’t walk!

Fifth AgileBits team trip finishes with great 1Password plans but not enough labadoozies

Every year, AgileBits likes to get its employees out of the home office. Also the new office, as it were. We want to get our increasingly global team, now over 40 members strong, together for all manner of trust falls, face-to-face time, and whiskey (ok maybe not trust falls). We usually prefer someplace warm, and this year it was both warm and mobile.

Mike Verde, an Android dev, doing his best 1:1 ship ratio

We call this newly minted tradition AGConf, and for AGConf[4] our Minister of Magic, Sara Teare, chose to take us on-the-go with Royal Caribbean’s Liberty of the Seas. It’s an incredible vessel, practically a floating city, which was perfect because there were plenty of lounges for us to commandeer for daily sessions of customer support and collaboration.

We took over the deck 14 lounge every morning to answer emails and synergize (no, not trust falls)

Of course, our all-hands AgileBits gatherings aren’t complete without the team taking on some kind of challenge. This year we decided on the Liberty’s FlowRider and, courtesy of our own Chris Meek and his iPhone 5S’s slow-mo shooting, you can see how that ended in the following video.

Our cruise stopped in Labadee, Haiti and Falmouth, Jamaica, which were nice changes of scenery. Both had their share of excursions: Falmouth’s port had your typical round of touristy shopping, but Labadee had a gorgeous private beach and a delightful drink invention known as the Labadoozie.

It truly was a fantastic week. AgileBits has nearly doubled in size over the past year and it was wonderful getting nearly all of us together in the same floating city room. Emails were answered, great product and company plans were forged, and, of course, drinks were had. These trips are as much about getting everyone some fun in the sun (while still responding to customer support) as they are about making 1Password the best it can be. Now that we’re all energized and back in the office, we can’t wait to show you what’s next.

‘Take Control of 1Password’ ebook updated for all our big v4.1 Mac features!

Remember how Joe Kissell wrote an entire book about 1Password? It covers how to get started with creating unique, strong passwords for all your sites, then how to get the most out of 1Password by securing all the other critical aspects of your identity, financials, and more. Well, Joe didn’t stop there—he’s already back with a free update!

Take Control of 1Password v1.1 covers the big changes we brought to 1Password 4.1 for Mac, including the excellent new ability to update an existing Login’s password right in your browser, new printing options, and much more. It’s a great update and we thank Joe for covering all our new goodies so thoroughly!

If you already own a copy, you may have received an email with instructions on how to update, or you can log into your Take Control Books account and grab it there. If you have yet to pick up your copy—run, don’t walk, and grab Take Control of 1Password for yourself or a friend to learn about all the ways 1Password can make security more convenient.

There’s 1Password documentation in your head, we need it out. Yes, we’re hiring again!

You have experience building documentation for powerful, popular products that span more than one platform. You also laugh at the task of organizing these labyrinths of documentation because you eat labyrinths for breakfast. If you’re nodding right now because I really get what you’re all about, we’d like to talk to you.

Yes, AgileBits is growing again, and this time we need someone with strong documentation experience. Someone who can create the greatest 1Password documentation and user guides for Mac, iOS, Windows, and Android the world has ever known.

What can we offer ye wizard of documentation? I believe you would have more success asking what we can’t offer. We’re a remote-friendly company based in downtown Toronto, Canada, so we’re interested whether you can work with our incredible team in our office or roll in your pajamas at home. We have:

Now, what do we ask for in exchange? Beyond the aforementioned experience and drive to build incredible documentation and user guides for 1Password, we want to see that you can:

  • Demonstrate a great work ethic
  • Translate 1Password and its great features into languages that everyone can understand, newbies and power-users alike
  • Handle a fast-paced environment
  • Hang with some of our tools like Confluence, HipChat, and TextExpander
  • Bring some of your own tricks

If you have documentation and user guide experience, and you’re still nodding your head, email us. Tell us who you are, what you’ve done, and how you can make our documentation shine.

Your Master Password is your defense from Dropbox breaches, real and imagined

Rumors of a Dropbox data breach spread this weekend, a breach that ultimately turned out to be false. But even in instances of false alarms, it is useful to remind 1Password users that their 1Password data cannot be decrypted without the Master Password. So let me take this opportunity to remind everyone that your 1Password data cannot be decrypted without your Master Password. If someone steals your 1Password data – whether from the theft of your own computer or through the breach of a sync service – they cannot decrypt it.

Fact checking

It is worth noting that when a perpetrator of a rumor like this self-identifies as “Operation Troll Security”, it might be worthwhile to double check their claims before jumping to conclusions or even reporting the claims further. This is particularly true if a perpetrator has a history of claiming responsibility for every notable site outage, then laughing at people who believed them. Operation Troll Security doesn’t often tell the truth, but it may be wise to heed one particular tweet:

https://twitter.com/1775Sec/status/421861679631044608

Despite the fact that the claims of a Dropbox breach were a complete hoax, it still is worthwhile to point out some things about the security of your 1Password data if it ever does fall into the wrong hands.

End-to-end encryption

1Password uses what is called “end-to-end” encryption. 1Password on your computer or mobile device encrypts your data with keys that are derived from your Master Password. Those keys are never stored anywhere or transmitted. Nobody, not even us at AgileBits, ever sees those keys or your Master Password. This is why it is absolutely essential that you don’t forget your Master Password. We cannot reset it or reconstruct it. Your data can only be decrypted by you.

We designed 1Password this way from the outset because we knew that computers get stolen and services get compromised. By placing all encryption and decryption under your control, we become far less reliant on the security of any sync service.

Protecting Master Passwords

If an attacker does get hold of your 1Password data, the only feasible way for them to attempt to decrypt it would be to try to guess your Master Password. Of course, they wouldn’t sit there typing in guesses. Instead they would run automated password guessing systems against the data.

We have a long history of building mechanisms into 1Password’s data format that make it harder for attackers to guess your Master Password. When we released 1Password 2.5 in 2007 with the then new Agile Keychain data format, we added PBKDF2 so that anyone trying to run automated password guessing systems against captured 1Password data would have to perform lots of slow computation for each guess. You can read more about PBKDF2 and this aspect of our design in an older article of mine, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too. Many of the details have changed over the intervening years, but the essential concept remains the same.

Toward better Master Passwords

PBKDF2 makes it harder for those automating password guessing, but it does have limits. You need to do your part by choosing a good Master Password. Even a small improvement to a Master Password goes a long way. Adding a single truly randomly chosen digit to the end of your Master Password makes the attacker work ten times longer to guess it. Adding a truly randomly chosen word makes the attacker work thousands of times longer. Adding two truly randomly chosen words makes the attacker work tens of millions of times longer.

You will note that I emphasized the phrase “truly randomly” a few times there. That part is crucial. People turn out to be very unrandom even (especially?) when they are trying to be random. If you follow our advice in Toward Better Master Passwords, you will see how you can securely pick words at random to add to a Master Password. Hint: It involves rolling dice. It’s fun!
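To put numbers on the two mechanisms just described (PBKDF2 making every guess expensive, and dice-chosen words widening the guess space), here is an added Python example; it is not 1Password’s code, and the short word list, the iteration count and the attacker’s hash rate are constructed assumptions. A full Diceware list has 6^5 = 7776 words, which is where “thousands” (one word) and “tens of millions” (two words) come from.

```python
import hashlib
import secrets
from typing import List, Sequence

DICEWARE_SIZE = 6 ** 5  # 7776 words: one per outcome of five six-sided dice

# Constructed stand-in for a Diceware list (assumption: a real list has 7776
# entries; this short one only illustrates the lookup and sampling logic).
SAMPLE_WORDLIST: List[str] = [
    "squirrel", "treat", "bark", "chase", "ajar", "biscuit",
    "fetch", "paw", "leash", "kennel", "growl", "wag",
]


def guess_space_multiplier(extra_digits: int = 0, extra_words: int = 0,
                           wordlist_size: int = DICEWARE_SIZE) -> int:
    """Factor by which the attacker's guess space grows when truly random
    digits and/or words are appended to a Master Password."""
    return (10 ** extra_digits) * (wordlist_size ** extra_words)


def expected_crack_seconds(base_guesses: int, multiplier: int,
                           iterations: int, hmac_per_second: float) -> float:
    """Expected time to find the password (half the space on average) when
    every guess costs `iterations` HMAC evaluations; hmac_per_second is the
    attacker's raw hashing rate and is an assumed figure."""
    total_guesses = base_guesses * multiplier
    seconds_per_guess = iterations / hmac_per_second
    return total_guesses * seconds_per_guess / 2


def dice_index(rolls: Sequence[int]) -> int:
    """Map five rolls (each 1..6) to a Diceware index 0..7775 in base 6."""
    if len(rolls) != 5 or any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(count: int = 5) -> List[int]:
    """Simulated physical dice, drawn from the OS CSPRNG (never random.random)."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def pick_random_words(count: int, wordlist: Sequence[str] = SAMPLE_WORDLIST) -> List[str]:
    """Pick words by dice.  With a full 7776-word list every index is valid;
    for a shorter list, rolls that land past the end are simply rerolled
    (rejection sampling) instead of reduced modulo the list size, which
    would bias the choice toward the first entries."""
    if not 0 < len(wordlist) <= DICEWARE_SIZE:
        raise ValueError("wordlist must have between 1 and 7776 entries")
    words: List[str] = []
    while len(words) < count:
        index = dice_index(roll_dice())
        if index < len(wordlist):
            words.append(wordlist[index])
    return words


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the attacker must repeat all `iterations` HMAC
    rounds for every candidate Master Password, which is the slowdown the
    post describes."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    # Assumed: original password space 10**6, 1000 iterations, 1e7 HMAC/s attacker.
    for label, mult in [("digit", guess_space_multiplier(extra_digits=1)),
                        ("word", guess_space_multiplier(extra_words=1)),
                        ("two words", guess_space_multiplier(extra_words=2))]:
        secs = expected_crack_seconds(10 ** 6, mult, 1000, 1e7)
        print(f"+{label:<9} guess space x{mult:>10,}  expected {secs:,.0f} s")
    print("dice-chosen words:", " ".join(pick_random_words(3)))
```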

A hoax is a hoax, of course of course

Even though the report of a Dropbox breach was a hoax, you still may ask what role Dropbox security plays in the security of your 1Password data. I hope that this article helps explain that and how using 1Password can keep your secrets safe. I look forward to further discussion in our forums.

Here’s to 2013 and a happy and secure 2014!

I think it’s safe to say 2013 was the best yet for AgileBits. We laughed, we cried (at some really funny stuff), and we fell in love with our first-ever office space. It’s about that time to glance back at everything we accomplished over the past 365 days, then look forward to what we have on the way in 2014.

2013 Retrospective

This was easily our biggest and busiest year ever:

2014 Awesomespective

Glancing back is a great way to see how far we’ve come, but looking forward to next year is even more fun because we have so much more in store.

With a major Windows upgrade and full Android version in beta, we’re making sure everyone gets the fantastic password and digital wallet experience they deserve. We also have a big, free iOS update on the way and… well, I should probably wait on the rest until we can show you.

Thanks to all of you for making 2013 our best year yet, and let’s all toast to a happy and secure 2014!

The NSA can do what to my iPhone?

After Der Spiegel, along with Jakob Appelbaum at the 30th meeting of the Chaos Computer Club, published an astonishing trove of documents revealing a great deal about the extent of the NSA’s penetration of the network and its capabilities to install spying mechanisms into individuals’ computers and devices, one of the least significant documents is getting the most press attention. That document is, of course, the one describing the DROPOUTJEEP program.

If you were to believe press reports, you would believe that every iPhone on Earth could be (or is) infected (“implanted” in NSA jargon) with NSA spyware. But what happens if we actually look at the document?

S3222_DROPOUTJEEP

Overlooked facts about DROPOUTJEEP

  1. The document is from 2008 describing 2007 technology. Thus it only applies to the first iPhones.
  2. The “implant” cannot be done remotely. It requires “close access”, which probably means physical access to the phone.
  3. It had not been deployed at the time the document was drafted.

For a fuller discussion of what the documents do and don’t say, I refer you to an excellent article by Graham Cluley, “DROPOUTJEEP. Can the NSA spy on every iPhone on the planet?”. Indeed, Cluley wrote the article that I would have liked to write; so I will just highlight a few points instead of repeating things.

Where do things stand now?

Question: What can we conclude about the NSA’s current capabilities and attacks against recent iOS devices (iPhones, iPads, iPod Touches)?

Answer: Almost nothing.

iDevice security has improved enormously since the first iPhones. The difference between the iPhone 3G and the iPhone 3GS alone was a huge leap. (Not a minuscule “quantum leap”.) Of course, there have been several publicly disclosed or discovered vulnerabilities in various versions of iOS over the intervening years. So while we know about improvements in iOS security, we don’t have any information about how successful the NSA has been at keeping up with (or staying ahead of) them. The only thing we can safely assume is that they would like to have the capabilities (incorrectly) described in the media and that they will have had highly skilled people working on it.

Would NSA spyware be able to break or work around 1Password security?

We have no idea of whether the NSA can break or go around 1Password security. The tool described in DROPOUTJEEP would have been able to ship your encrypted 1Password data to the NSA. That is, it could “remotely pull/push files from the device”, which would include any files—documents, photos, and that sweet GarageBand track you’re tinkering with. But there is no indication from the listed capabilities that it could grab your Master Password, keys, or encrypted data. Still, the “safer” assumption is that they could have.

As for today, we again have no idea. The question of how well any security product stands up against threats from a compromised operating system is tricky. In a technical sense, once the operating system is compromised then nothing running on it can be trusted. But in a practical sense, applications can sometimes put up meaningful defenses against some of the attacks that do exist from a compromised operating system.

Nobody can realistically claim that they are safe from the NSA. We simply don’t know their full capabilities. But 1Password does provide end-to-end encryption, with no reason to believe that the encryption we use can be broken by the NSA. So we can say that 1Password is “PRISM Resistant”. When the NSA captures your encrypted 1Password data, they – in all likelihood – need to guess your Master Password to decrypt your data. If they already control the computer or device you are using, then they can probably get around 1Password’s security.

The ends of end-to-end

[Update: This section was added on January 1 2014 to more explicitly spell out the implications of the previous paragraphs.]

1Password provides end-to-end encryption. This is what makes it “PRISM Resistant”. If your data is captured by any attacker, governmental or otherwise, from your machine or from a sync service, we believe that the best attack is to try to guess your Master Password. PRISM represents a threat that end-to-end encryption does defend against.

End-to-end encryption does not cover the situation where the attacker has compromised the system on which you are decrypting your data. That is, if the attacker controls something that you use at either “end” of your end-to-end encryption (such as the operating system), then this poses a threat that end-to-end encryption does not solve. Thus DROPOUTJEEP represents the kind of threat that end-to-end encryption does not defend against.

DROPOUTJEEP doesn’t tell us about NSA current capabilities, but it does tell us that the NSA in the past has had the capability and intention to compromise iPhones. It is more than plausible that they have continued to develop the program over the past six years. To the extent that they have been successful (something we simply don’t know), then we can only advise people to behave as if nothing on their devices is protected from the NSA.

Although it should go without saying, I will repeat myself: If the US government is aware of vulnerabilities in iOS (or any other system) and has failed to disclose those vulnerabilities to Apple, we have absolutely no choice but to consider the US government to be “black hats”.

Miscellany

I started out saying that I think that DROPOUTJEEP is one of the least significant of the documents released. I haven’t studied more than just a few, but I find the overall penetration of the Internet the most disturbing at this point.

AgileBits is a Canadian company comprised of people from a variety of different countries. But I am a US Citizen, and as one I am furious that my own government is working to make my job harder. My job is to help you keep your data secure. Every time my government discovers (or even creates) a vulnerability in network and application security that they don’t disclose to the vendor is a time when they are harming everyone’s security.

Their activity also makes it extremely difficult for people to know who they can trust. I will state again that we have never been asked, pressured, or ordered to do anything that would weaken our products or your security, nor have we ever deliberately weakened our products. For a discussion of what reasons you might have to believe us when we say that, see 1Password and the Crypto Wars.

Update: Apple statement

Apple appears to have issued a statement saying that it had no knowledge of any back door into iOS. The statement, as reported by All Things D, reads:

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

[Update: This post has been edited to correct the spelling of Appelbaum's name and to explicitly mention that there have been several vulnerabilities in more recent versions of iOS over the intervening years. It has also been updated to include a section that explicitly spells out what end-to-end encryption does and doesn't protect you against.]

1Password is a Mac App Store Best of 2013, so let’s have a saleabration!

It’s only Tuesday, but I think it’s safe to say this is already one of our Best Weeks of 2013.

Yesterday we woke up to the wonderful news that Macworld gave us a 2013 Editors’ Choice Award, and this morning Apple says 1Password is one of the Best Apps of 2013!

To celebrate such wonderful presents, we spiked some eggnog, then we spiked our 1Password for Mac price by 30 percent so everyone can enjoy simple, convenient security over the holidays.

If you’ve had your eye on 1Password for Mac or it would make a great gift for someone, now is the perfect time. The sale ends with 2013.

1Password 4 for Mac wins a 2013 Macworld Eddy

We could hardly believe our Twitter and Facebook followers this morning, but there it is, plain as day: 1Password 4 for Mac won a 2013 Macworld Eddy!

The fine folks at Macworld say “1Password offers the best combination of convenience and security that we’ve seen.” We may be just a teeny bit biased, but we’re inclined to agree. This is also perfect timing, since we’ve been talking about our plans for Macworld/iWorld 2014.

We’d like to thank everyone at Macworld for this award, and every single one of our customers for helping us get where we are. 1Password wouldn’t be what it is today without our customers, and we’ll never forget it.

Time to give 1Password 4 for Mac’s Security Audit a whirl

It was bound to happen eventually. A massive Adobe data theft of 130 million customer names, emails, encrypted passwords, source code, and more will enable almost limitless password reuse attacks in the coming weeks.

Suppose you are one of the 130 million people whose oddly encrypted passwords were among the Adobe password breach. Suppose that you used the same password there as you do for PayPal.

To make matters worse, suppose you actually listed that fact in Adobe’s password hint. Since the malicious attackers dumped the Adobe data online, a quick check of Adobe customer password hints shows that there are more than 700 that say things like “paypal” or “sameaspaypal”. There are more than 20,000 hints referring to “bank”. I will talk about password hints at some other time; my point here is all about password reuse.

Only a fraction of the people who are reusing passwords will make that clear in their password hints. We already know password reuse is common. We also know that criminals do indeed exploit password reuse to steal from people.

I am very tempted to explain all about Adobe’s peculiar method of storing passwords. It’s really a cool story with lots of interesting lessons, and explaining it would involve poorly encrypted pictures of a penguin.

I am also tempted to dive into the gory details of the statistical properties of the data, the analysis of which has kept my computer busy for days on end. Likewise, I could rant about Cupid Media’s failure to encrypt or hash passwords for 42 million customers. Or I could talk about privilege escalation and the MacRumors discussion forums breach a week earlier, which led to the capture of all 860,000 hashed passwords.

But it is far more important for me to repeat what we’ve said in many different ways and at many different times: Password reuse—using the same password for different sites and services—is probably the biggest security problem with password behavior.

We want to fix that.

Knowing the right thing to do is easier than doing the right thing

Like most people, you weren’t born using 1Password; it’s something you came to use later in life. Now that you use 1Password, you will (or should) be using the Strong Password Generator when you register for a new website so you get a strong, unique password.

But think back to those dark days when you needed to come up with passwords on your own. You probably picked from a small handful that you had memorized, so now you’re stuck with a bunch of sites and services for which you used the same password.

Security Audit selections

Getting all of those old passwords sorted out is going to be a chore, but it doesn’t have to be done all at once. Best of all, 1Password 4 for Mac can help, thanks to its new Security Audit feature.

Let’s use an analogy: say that Molly (one of my dogs, and not really the cleverest of beasts) has just started using 1Password. She has a few passwords, but not many. Even though she doesn’t know how to push open a door that is already ajar, she can make use of the new Security Audit tool in 1Password for Mac.

In the left sidebar of 1Password 4 for Mac, down toward the bottom, there is a section called “Security Audit”. When Molly clicks (or paws) “Show” next to “Security Audit” she sees a number of audits available. She can select “Weak Passwords”, which will show her all of her items with weak passwords. She can also look at password items that are old. But the selection we are interested in today is “Duplicate Passwords”.

Security Audit in 1Password 4 for Mac, displaying Molly’s duplicate passwords

What Molly sees is that she has two sets of duplicates. One of them is used for two Logins, and the other one is used for four Logins. As we can see, her Adobe.com password of “squirrel” is used for her Barkbook, Treats R Us, and Cat Chasers Logins as well.

Molly should, of course, go to each of those sites and change her passwords on them. But there are squirrels in the back yard to bark at, and changing all of those passwords may seem overwhelming. So Patty (the cleverer dog in the family) advises Molly to think about which of those Logins are most crucial. Molly can’t tolerate the thought of anyone else getting a treat; so she starts with Treats are Us.

This does mean going to the Treats are Us site and using its password change mechanism. 1Password is smart, but it isn’t quite smart enough to go browsing through the sites to find their password change pages. Molly may decide that her Barkbook Login is also very important, and so will change that one right away as well.

Ideally, Molly should fix all of her weak and duplicate passwords as soon as possible. And as Molly has only a handful of Logins, she could do that. But for those of us who may have a large number of old accounts, it is probably best to check Security Audit and update reused or weak passwords at the most important sites first. Then, updating other passwords a few at a time is an easy way to make all our accounts much more secure.
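The checks Security Audit runs for Molly (duplicate, weak and old passwords, then a “most important first” change order) can be reproduced over an in-memory vault; the Python below is an added example, not 1Password’s code, and Molly’s vault, its dates, the second duplicate pair and the crude weak-password rule are all constructed assumptions.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Login:
    title: str
    username: str
    password: str
    last_changed: date


# Constructed vault for Molly: titles follow the post, dates and the extra
# "fetch123" pair are assumptions made for the example.
MOLLY_VAULT: List[Login] = [
    Login("Adobe.com", "molly", "squirrel", date(2011, 3, 14)),
    Login("Barkbook", "molly", "squirrel", date(2012, 6, 1)),
    Login("Treats R Us", "molly", "squirrel", date(2012, 9, 9)),
    Login("Cat Chasers", "molly", "squirrel", date(2013, 1, 2)),
    Login("Dog Park Forum", "molly", "fetch123", date(2010, 5, 5)),
    Login("Vet Portal", "molly", "fetch123", date(2013, 10, 30)),
    Login("Kibble Depot", "molly", "xK8#vQ2m!pL9zR4w", date(2013, 11, 20)),
]
AUDIT_DATE = date(2013, 11, 25)  # assumed date the audit is run


def fingerprint(password: str) -> str:
    """Short digest used as a group key so a report never echoes the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def duplicate_passwords(vault: Sequence[Login]) -> Dict[str, List[str]]:
    """Group Logins sharing a password; only groups of two or more are reported."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for item in vault:
        groups[fingerprint(item.password)].append(item.title)
    return {fp: titles for fp, titles in groups.items() if len(titles) > 1}


def is_weak(password: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """Crude strength rule (assumption, not 1Password's own scoring): too
    short, or drawn from fewer than three character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < min_len or classes < min_classes


def weak_passwords(vault: Sequence[Login]) -> List[str]:
    return [item.title for item in vault if is_weak(item.password)]


def old_passwords(vault: Sequence[Login], today: date, max_age_days: int = 365) -> List[str]:
    """Logins whose password has not been changed within max_age_days."""
    return [item.title for item in vault if (today - item.last_changed).days > max_age_days]


def change_order(vault: Sequence[Login], important: Sequence[str]) -> List[str]:
    """Patty's advice: reused passwords at the sites Molly cares about first,
    then the remaining reused ones, a few at a time."""
    reused = {t for titles in duplicate_passwords(vault).values() for t in titles}
    first = [t for t in important if t in reused]
    rest = sorted(reused - set(first))
    return first + rest


if __name__ == "__main__":
    for fp, titles in duplicate_passwords(MOLLY_VAULT).items():
        print(f"duplicate group {fp}: {', '.join(titles)}")
    print("weak:", weak_passwords(MOLLY_VAULT))
    print("older than a year:", old_passwords(MOLLY_VAULT, AUDIT_DATE))
    print("change first:", change_order(MOLLY_VAULT, ["Treats R Us", "Barkbook"]))
```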