Facebook and CAPS-LOCK: Unexpectedly Secure

It has recently been noted over at ZDnet that if your Facebook password is PattyAndMolly, Facebook will also accept pATTYaNDmOLLY as a valid password. This may initially seem like something that weakens users’ security. However, it actually is a good thing. Facebook designed their system this way to help people log in even if they [...]

Who do you trust to tell you who to trust?

The big security news of the past few days is the story of the compromise of the DigiNotar Certificate Authority and the subsequent issuing of fraudulent SSL certificates, leading to actual Man in the Middle attacks against Gmail users in Iran. If that previous sentence was gobbledygook, this post should explain some of it. It [...]

Convenience is Security

We often hear people say that there is a trade-off between security and convenience. Although there is some truth to that, I want to explain why, more often than not, security actually requires convenience. I should warn you, though, that this is going to be one of my most boastful articles to date. Users of [...]

AES Encryption isn't Cracked

An otherwise excellent article over at The Inquirer has a very unfortunate title: AES encryption is cracked. AES is the Advanced Encryption Standard and is at the heart of so much encryption used today by governments, militaries, banks, and all of us. It is used by 1Password and less directly by Knox for Mac. It [...]

Better Master Passwords: The geek edition

I’ve always wanted to write a technical follow-up to an earlier post, Toward Better Master Passwords, but this time going into some of the math behind it. Today’s xkcd comic does that for me: Indeed, what took me nearly 2000 words to say in non-technical terms, Randall Munroe was able to sum up in a [...]

JavaScript grows up and plays in a sandbox

About 12 years ago I was fighting a losing campaign against JavaScript’s ubiquity. There was a time when JavaScript was a security nightmare, and I ranted and raved against it. Things have changed enormously since then, all for the better. A few of the slogans that I and my colleagues shouted from the rooftops in [...]

Codemasters warns gamers of a security breach

Security news has not been, shall we say, “uplifting” as of late, what with massive personal account breaches at Gawker, Sony, and a handful of other companies. While we hate to be the bearers of bad news, we feel it’s part of our duty as a security software company to keep you informed about these [...]

Security firm falls victim to password reuse

There is a great deal of discussion at the moment in the security community about the conflict between a group calling itself Anonymous and the security firm HBGary Federal. I just want to highlight one technical aspect of this, the role that password reuse played in the takeover of HBGary Federal and rootkit.org. Password [...]

Lost iPhone? Safe passwords!

When the ‘net is abuzz with videos and headlines like Lost iPhone? – Lost passwords! and iPhone Attack Reveals Passwords in Six Minutes and iPhone passwords succumb to researchers’ attack and hundreds more like it, it is more than natural for users of 1Password for iPhone and for 1Password for iPad to be concerned about [...]

Lessons learned from the Gawker hack

From Commenting Accounts Compromised — Change Your Passwords – Gawker: If you’ve registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn’t log in using Facebook Connect, then it’s best to assume that your username and password were included among the [...]