On the NSA, PRISM, and what it means for your 1Password data

It should come as no surprise that the NSA (United States National Security Agency) has easy access to data that ordinary people store online. Section 215 of the PATRIOT Act (of 2001) and section 702 of FISA (renewed and extended many times over its long history) give the US government the legal authority to gather […]

The top 6 worst passwords from the Star Trek universe [Updated]

You would think that, once we master space exploration and how to replicate the perfect cup of Earl Grey, everyone in the future according to Star Trek would understand the necessity for unique, strong passwords. Unfortunately, you would be wrong. And no, as we’ll see later, biometrics (like voice authentication) don’t seem to help. As […]

Guess why we’re moving to 256-bit AES keys

1Password is moving to using 256-bit AES keys instead of 128-bit keys. We already started this within the browser extensions in the summer of 2011, and the new Cloud Keychain Format also uses 256-bit keys. Why do you think we are making this move? If your answer is because AES 256 is stronger than AES […]

You have secrets; we don’t. Why our data format is public

The security of your 1Password data depends on only one secret—your Master Password. It also depends on plenty of things that aren’t secret. For example, 1Password uses the AES encryption algorithm, every detail of which is defined by public standards; your security depends on the security of AES, but there is nothing secret about it. […]

Authenticated Encryption and how not to get caught chasing a coyote

I introduced HMAC (Hash-based Message Authentication Code) through the back door when talking about the Time-based One Time Password (TOTP) of Dropbox’s two-step verification. But TOTP is actually a peculiar way to use HMAC. Let’s explore what what Message Authentication Codes (MACs) are normally used for and why they play such an important role in […]

Hashing fast and slow: GPUs and 1Password

The net is atwitter with discussion of Jeremi Gosney’s specially crafted machine with 25 GPUs that can test hundreds of billions of passwords per second using hashcat, a password cracking system. Password crackers, like hashcat, look at the cryptographic hashes of user passwords and repeatedly make guesses to try to find a password that works. […]

Credit card numbers, checksums, and hashes. The story of a robocall scam

As  Lívia and I were out walking Molly and Patty on Monday evening, I received a telephone call from an unknown number. I decided to answer the phone anyway, and I was greeted by a recorded voice telling me that my Bank of America debit card beginning with 4217 has been limited and whether I […]

On Ars Technica’s most excellent comprehensive review of password security

Dan Goodin at Ars Technica published an excellent article reviewing password security and explaining why people need randomly generated and unique passwords for every site and service. That is a message you hear from us frequently. One thing that is clear from Goodin’s review is that many of the underlying issues are more complicated than most people […]

More than just one password: Lessons from an epic hack

Mat Honan, a 1Password user and writer for Wired, did everything right. He had strong, unique passwords everywhere. Yet he was the victim of an “epic hack”, and had to put a great deal of effort into getting his digital life back. A very brief account of this Homer-worthy hack is that someone talking to […]

Blizzard and insecurity questions: My father’s middle name is vR2Ut1VNj

By now most people will have heard that email addresses, hashed passwords, and some other data has been stolen from Blizzard’s Battle.net servers, and people are advised to change their passwords there. As unfortunate as this story is, it serves as yet another good reminder of why we very strongly encourage people to not reuse […]