Apps that Love 1Password: Turbine Reader, Glassboard, Cisco Meraki

It’s that time of the year, at least here in the U.S.’s upper midwest and Canada. The first couple of winter storms have done their worst, it’s warmed up a little so the snow is starting to melt, and yet more iPhone and iPad apps have added support for 1Password.

Turbine Reader

Turbine Reader for iPhone and iPad is a news client for Feed Wrangler and News Blur, with more services coming soon. It’s a great iOS 7 citizen sporting a clean look, background updating, and an automatic night mode.

When it’s time to log into your chosen service, a “Launch 1Password” option above the login form will bounce you over to 1Password to make finding your Login a breeze. Just swipe your Login for the new Action Bar to copy your password and head on back.

Turbine Reader is just $4.99 in App Store.

Glassboard 3.0

Glassboard for iPhone is a private chat service for teams, groups, or just two individuals. You can share everything you would expect—photos, videos, and files—and even your location, and you can join as many different boards as you want.

Second Gear recently gave Glassboard a major overhaul, making it a sleek, beautiful iOS 7 citizen and even easier to use. While signing in, a new 1Password button makes it easy to switch to 1Password and find your Glassboard Login. Just swipe the item for 1Password’s Action Bar, tap the clipboard to copy your password, then switch back, paste, and get on with messaging your boards.

Glassboard is free in App Store and the free service lets you create up to three boards and host 100MB of stuff per board. If you want more, a small yearly subscription gives you all the boards you want, some extra features, and a ton more storage space.

Cisco Meraki

Cisco Meraki for iPhone and iPad is an app for managing your Cisco Meraki wireless switches and access points for your business. You can view your wireless network’s status, check on specific Meraki access points and device types, and add more wireless capacity, all right from the app.

When logging into the Meraki app, a 1Password button makes it easy to find your Login. Swipe it to trigger the Action Bar, tap the clipboard to copy your password, and switch back to quickly log in and get on with work.

Meraki is free in App Store.

Your Master Password is your defense from Dropbox breaches, real and imagined

Rumors of a Dropbox data breach spread this weekend, a breach that ultimately turned out to be false. But even a false alarm is a useful occasion to remind everyone that your 1Password data cannot be decrypted without your Master Password. If someone steals your 1Password data – whether from the theft of your own computer or through the breach of a sync service – they cannot decrypt it.

Fact checking

It is worth noting that when a perpetrator of a rumor like this self-identifies as “Operation Troll Security”, it might be worthwhile to double check their claims before jumping to conclusions or even reporting the claims further. This is particularly true if a perpetrator has a history of claiming responsibility for every notable site outage, then laughing at people who believed them. Operation Troll Security doesn’t often tell the truth, but it may be wise to heed one particular tweet:

Despite the fact that the claims of a Dropbox breach were a complete hoax, it still is worthwhile to point out some things about the security of your 1Password data if it ever does fall into the wrong hands.

End-to-end encryption

1Password uses what is called “end-to-end” encryption. 1Password on your computer or mobile device encrypts your data with keys that are derived from your Master Password. Those keys are never stored anywhere or transmitted. Nobody, not even us at AgileBits, ever sees those keys or your Master Password. This is why it is absolutely essential that you don’t forget your Master Password. We cannot reset it or reconstruct it. Your data can only be decrypted by you.

We designed 1Password this way from the outset because we knew that computers get stolen and services get compromised. By placing all encryption and decryption under your control, we become far less reliant on the security of any sync service.

Protecting Master Passwords

If an attacker does get hold of your 1Password data, the only feasible way for them to attempt to decrypt it would be to try to guess your Master Password. Of course, they wouldn’t sit there typing in guesses. Instead they would run automated password guessing systems against the data.

We have a long history of building mechanisms into 1Password’s data format that make it harder for attackers to guess your Master Password. When we released 1Password 2.5 in 2007 with the then new Agile Keychain data format, we added PBKDF2 so that anyone trying to run automated password guessing systems against captured 1Password data would have to perform lots of slow computation for each guess. You can read more about PBKDF2 and this aspect of our design in an older article of mine, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too. Many of the details have changed over the intervening years, but the essential concept remains the same.

Toward better Master Passwords

PBKDF2 makes it harder for those automating password guessing, but it does have limits. You need to do your part by choosing a good Master Password. Even a small improvement to a Master Password goes a long way. Adding a single truly randomly chosen digit to the end of your Master Password makes the attacker work ten times longer to guess it. Adding a truly randomly chosen word makes the attacker work thousands of times longer. Adding two truly randomly chosen words makes the attacker work tens of millions of times longer.

You will note that I emphasized the phrase “truly randomly” a few times there. That part is crucial. People turn out to be very unrandom even (especially?) when they are trying to be random. If you follow our advice in Toward Better Master Passwords, you will see how you can securely pick words at random to add to a Master Password. Hint: It involves rolling dice. It’s fun!
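The two defenses described above, slow key derivation and truly random additions to a Master Password, can be put side by side in a short Python sketch. This is an added example, not AgileBits code: the iteration count, the HMAC-SHA256 choice, the 7,776-word list size (five dice rolls per word) and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import time

# Assumed parameters for illustration; not 1Password's actual settings.
ITERATIONS = 100_000
WORDLIST_SIZE = 6 ** 5  # 7776 words: one word per five dice rolls


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a Master Password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(iterations: int) -> float:
    """Time one derivation: the cost paid again for every candidate password."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    derive_key("constructed sample guess", salt, iterations)
    return time.perf_counter() - start


def roll_word_index(rolls: int = 5) -> int:
    """Pick a wordlist index the way five fair dice would, using a CSPRNG."""
    index = 0
    for _ in range(rolls):
        index = index * 6 + secrets.randbelow(6)
    return index


def work_multiplier(random_digits: int = 0, random_words: int = 0) -> int:
    """How many times more guesses are needed after adding random elements."""
    return 10 ** random_digits * WORDLIST_SIZE ** random_words


def added_entropy_bits(random_digits: int = 0, random_words: int = 0) -> float:
    """The same multiplier expressed as bits of added entropy."""
    return math.log2(work_multiplier(random_digits, random_words))


def expected_search_seconds(keyspace: int, per_guess: float) -> float:
    """On average the right guess turns up halfway through the keyspace."""
    return keyspace / 2 * per_guess


if __name__ == "__main__":
    per_guess = seconds_per_guess(ITERATIONS)
    print(f"one guess at {ITERATIONS} iterations: {per_guess * 1000:.1f} ms")
    for digits, words in [(1, 0), (0, 1), (0, 2)]:
        mult = work_multiplier(digits, words)
        print(f"+{digits} digit(s), +{words} word(s): x{mult:,} "
              f"({added_entropy_bits(digits, words):.1f} bits)")
```

The multipliers only hold when the added digit or word comes from a uniform random source, which is why `roll_word_index` uses `secrets` rather than a human choice.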

A hoax is a hoax, of course of course

Even though the report of a Dropbox breach was a hoax, you still may ask what role Dropbox security plays in the security of  your 1Password data. I hope that this article helps explain that and how using 1Password can keep your secrets safe. I look forward to further discussion in our forums.

Here’s to 2013 and a happy and secure 2014!

I think it’s safe to say 2013 was the best yet for AgileBits. We laughed, we cried (at some really funny stuff), and we fell in love with our first-ever office space. It’s about that time to glance back at everything we accomplished over the past 365 days, then look forward to what we have on the way in 2014.

2013 Retrospective

This was easily our biggest and busiest year ever:

2014 Awesomespective

Glancing back is a great way to see how far we’ve come, but looking forward to next year is even more fun because we have so much more in store.

With a major Windows upgrade and full Android version in beta, we’re making sure everyone gets the fantastic password and digital wallet experience they deserve. We also have a big, free iOS update on the way and… well, I should probably wait on the rest until we can show you.

Thanks to all of you for making 2013 our best year yet, and let’s all toast to a happy and secure 2014!

The NSA can do what to my iPhone?

After Der Spiegel, along with Jakob Appelbaum at the 30th meeting of the Chaos Computer Club, published an astonishing trove of documents revealing much about the extent of the NSA’s penetration of the network and its capabilities to install spying mechanisms on individuals’ computers and devices, one of the least significant documents is getting the most press attention. That document is, of course, the one describing the DROPOUTJEEP program.

If you were to believe press reports, you would believe that every iPhone on Earth could be (or is) infected (“implanted” in NSA jargon) with NSA spyware. But what happens if we actually look at the document?

Overlooked facts about DROPOUTJEEP

  1. The document is from 2008 describing 2007 technology. Thus it only applies to the first iPhones.
  2. The “implant” cannot be done remotely. It requires “close access”, which probably means physical access to the phone.
  3. It had not been deployed at the time the document was drafted.

For a fuller discussion of what the documents do and don’t say, I refer you to an excellent article by Graham Cluley, “DROPOUTJEEP. Can the NSA spy on every iPhone on the planet?“. Indeed, Cluley wrote the article that I would have liked to write; so I will just highlight a few points instead of repeating things.

Where do things stand now?

Question: What can we conclude about the NSA’s current capabilities and attacks against recent iOS devices (iPhones, iPads, iPod Touches)?

Answer: Almost nothing.

iDevice security has improved enormously since the first iPhones. The difference between the iPhone 3G and the iPhone 3GS alone was a huge leap. (Not a minuscule “quantum leap”.) Though of course there have been several publicly disclosed or discovered vulnerabilities in various versions of iOS over the intervening years. So while we know about improvements in iOS security, we don’t have any information about how successful the NSA has been at keeping up with (or staying ahead of) that. The only thing we can safely assume is that they would like to have the capabilities (incorrectly) described in the media and that they will have had highly skilled people working on it.

Would NSA spyware be able to break or work around 1Password security?

We have no idea of whether the NSA can break or go around 1Password security. The tool described in DROPOUTJEEP would have been able to ship your encrypted 1Password data to the NSA. That is, it could “remotely pull/push files from the device”, which would include any files—documents, photos, and that sweet GarageBand track you’re tinkering with. But there is no indication from the listed capabilities that it could grab your Master Password, keys, or encrypted data. Still, the “safer” assumption is that they could have.

As for today, we again have no idea. The question of how well any security product stands up against threats from a compromised operating system is tricky. In a technical sense, once the operating system is compromised then nothing running on it can be trusted. But in a practical sense, applications can sometimes put up meaningful defenses against some of the attacks that do exist from a compromised operating system.

Nobody can realistically claim that they are safe from the NSA. We simply don’t know their full capabilities. But 1Password does provide end-to-end encryption, with no reason to believe that the encryption we use can be broken by the NSA. So we can say that 1Password is “PRISM Resistant“. When the NSA captures your encrypted 1Password data, they – in all likelihood – need to guess your Master Password to decrypt your data. If they already control the computer or device you are using, then they can probably get around 1Password’s security.

The ends of end-to-end

[Update: This section was added on January 1 2014 to more explicitly spell out the implications of the previous paragraphs.]

1Password provides end-to-end encryption. This is what makes it “PRISM Resistant”.  If your data is captured by any attacker, governmental or otherwise, from your machine or from a sync service, we believe that the best attack is to try to guess your Master Password. PRISM represents a threat that end-to-end encryption does defend against.

End-to-end encryption does not cover the situation where the attacker has compromised the system on which you are decrypting your data. That is, if the attacker controls something that you use at either “end” of your end-to-end encryption (such as the operating system), then this poses a threat that end-to-end encryption does not solve.  Thus DROPOUTJEEP represents the kind of threat that end-to-end encryption does not defend against.

DROPOUTJEEP doesn’t tell us about the NSA’s current capabilities, but it does tell us that the NSA in the past has had the capability and intention to compromise iPhones.  It is more than plausible that they have continued to develop the program over the past six years. To the extent that they have been successful (something we simply don’t know), we can only advise people to behave as if nothing on their devices is protected from the NSA.

Although it should go without saying, I will repeat myself:  If the US government is aware of vulnerabilities in iOS (or any other system) and has failed to disclose those vulnerabilities to Apple, we have absolutely no choice but to consider the US government to be “black hats”.

Miscellany

I started out saying that I think that DROPOUTJEEP is one of the least significant of the documents released. I haven’t studied more than just a few, but I find the overall penetration of the Internet the most disturbing at this point.

AgileBits is a Canadian company comprised of people from a variety of different countries. But I am a US Citizen, and as one I am furious that my own government is working to make my job harder. My job is to help you keep your data secure. Every time my government discovers (or even creates) a vulnerability in network and application security that they don’t disclose to the vendor is a time when they are harming everyone’s security.

Their activity also makes it extremely difficult for people to know who they can trust. I will state again that we have never been asked, pressured, or ordered to do anything that would weaken our products or your security, nor have we ever deliberately weakened our products. For a discussion of what reasons you might have to believe us when we say that, see 1Password and the Crypto Wars.

Update: Apple statement

Apple appears to have issued a statement saying that it had no knowledge of any back door into iOS. The statement, as reported by All Things D, reads:

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

[Update: This post has been edited to correct the spelling of Appelbaum's name and to explicitly mention that there have been several vulnerabilities in more recent versions of iOS over the intervening years. It has also been updated to include a section that explicitly spells out what end-to-end encryption does and doesn't protect you against.]

CNN recommends 1Password as a password manager!

The topic of securing one’s email and other accounts is becoming more important than ever, so CNN is offering some advice to viewers on how best to protect their sensitive information. They even called in some assistance from Clay Johnson, CEO of the Department of Better Technology, who recommended 1Password to get the job done!

They’re all stored with you. You just remember one password to get access to all of your other passwords, and they automatically fill out all the forms for you. That’s what I use, and it makes life super easy.

1Password for Mac, iPhone, iPad, Windows, and Android—making life super easy since 2006.

I think Secret Santa accidentally delivered a 1Password for iOS screenshot

The AgileBits team did its first Secret Santa this year, but I think the gift I (anonymously) received was meant for you. Yes, you.

Sure, we opened our first office in Toronto earlier this year, but a good portion of the company is still remote, which made pulling off a Secret Santa interesting. Maybe a little too interesting, though, because I think my Secret Santa gave me the screenshot you see below by accident. It just kinda showed up; I don’t know who it’s from (them’s the rules of Secret Santa), or what, specifically, it is, but I figured it’s my duty to make sure this gift gets delivered to its intended recipient.

It kinda looks like 1Password for iOS, except… different, don’t you think? I’ll get on the horn to the AgileBits Secret Santa Customer Support line and see what I can find out; you’ll know more when I do.

For now, happy holidays.

[Update - sale has ended, thanks everyone!] App Santa brings you 1Password and other great indie iOS apps at up to 60% off!

Update – App Santa has packed it up for the season, so the sale has ended! Thanks everyone!

Our elf friends at Readdle, Contrast, and nearly a dozen other shops have been busy this holiday season, and we’ve put together the best present yet! Some of the most popular, useful, and just plain super iPhone and iPad apps, including 1Password for iOS, are up to 60% off!

1Password is just $9.99. Realmac Software’s beautifully simple to-do app Clear+ is just $1.99. One of my personal favorites, Bloom Built’s Day One journal/diary is only $2.99. App Santa has 15 apps in his sack this year, so whether they’re for yourself or friends or family, check out AppSanta.co for awesome deals on some of the best indie apps that could ever grace an iPhone or iPad.

If you’re looking for something password-y on the Mac for yourself or as a gift, we’re also celebrating two recent major awards with a 30%-off sale on 1Password for Mac!

1Password for Mac Tip: One-click to tidy up your vault

Your 1Password 4 for Mac vault is probably filled with a collection of website Logins, Secure Notes, reward program memberships, and more. There may also be a number of Generated Password items too, and some of them might be redundant because they were turned into Logins. If you want a simple way to clean up these redundant items (and an explanation for why they’re there), here’s a quick trick you can use.

Simply unlock 1Password with your Master Password, then go to Help > Tools > Remove Redundant Generated Passwords. You’ll get a prompt like the one below, telling you how many items were found and offering the chance to back out.

Note: I have over 1,500 items, so your results may vary :)

If you click Move to Trash, 1Password will do your bidding. To err on the side of caution, 1Password does not automatically empty the Trash, so you have one last opportunity to recover any you might need.

The backstory, if you’re curious

Erring on the side of caution is the reason these redundant Generated Password items are around in the first place. In many cases, we can detect when a Generated Password item becomes a Login, and we automatically convert the item to get it out of your way.

Bonus Tip: click any Generated Password item, then click the Convert to Login button at the bottom to perform this process manually.

However, in some cases, we can’t detect this Password –> Login process. Instead of guessing wrongly and deleting an item that you actually need, we play it safe and keep them around. But with this Remove Redundant Generated Passwords tool, we gave you a choice and a quick way to do some spring vault cleaning.

1Password is a Mac App Store Best of 2013, so let’s have a saleabration!

It’s only Tuesday, but I think it’s safe to say this is already one of our Best Weeks of 2013.

Yesterday we woke up to the wonderful news that Macworld gave us a 2013 Editors’ Choice Award, and this morning Apple says 1Password is one of the Best Apps of 2013!

To celebrate such wonderful presents, we spiked some eggnog, then we spiked our 1Password for Mac price by 30 percent so everyone can enjoy simple, convenient security over the holidays.

If you’ve had your eye on 1Password for Mac or it would make a great gift for someone, now is the perfect time. The sale ends with 2013.

1Password 4 for Mac wins a 2013 Macworld Eddy

We could hardly believe our Twitter and Facebook followers this morning, but there it is, plain as day: 1Password 4 for Mac won a 2013 Macworld Eddy!

The fine folks at Macworld say “1Password offers the best combination of convenience and security that we’ve seen.” We may be just a teeny bit biased, but we’re inclined to agree. This is also perfect timing, since we’ve been talking about our plans for Macworld/iWorld 2014.

We’d like to thank everyone at Macworld for this award, and every single one of our customers for helping us get where we are. 1Password wouldn’t be what it is today without our customers, and we’ll never forget it.
