Apps that Love 1Password: SOLARO – Study help for Common Core

The Apps that Love 1Password page has broken into education with the addition of SOLARO, a comprehensive study guide and service for Common Core K-12 classes!

SOLARO packs content for over 1,500 classes across English language arts, mathematics from 3rd to 12th Grade, and science for all 50 states in the U.S. and some Canadian provinces. It offers things like topic-level practice tests, section-level quizzes, flashcards, study notes, and more, and now students can log in much more easily with SOLARO’s new 1Password for iOS support!

In SOLARO’s latest update, a new 1Password button in the login screen will automatically search 1Password for your SOLARO Login. You simply need to unlock with your Master Password, swipe right on the SOLARO item for the Copy button, copy, then double-tap the Home button to switch back, paste, and get to learning.

Thanks to SOLARO, we’re thrilled students have an easier way to stay secure while staying on top of their studies. You can get SOLARO in the App Store.

Take Control of 1Password ebook updated for our new Watchtower service

By now you’ve probably heard of 1Password Watchtower, our new service that warns and informs you when websites of your Logins have been compromised. Watchtower has been a huge hit with our Mac customers and is coming soon to Windows, and now you can learn more about it in the latest update to Take Control of 1Password, the comprehensive ebook by Joe Kissell.

This latest free update to the book—version 1.2.1 for those keeping track at home—adds a new section in “Perform a Password Security Audit” that explains what 1Password Watchtower is and does, and how to make it part of your security regimen. Honestly, that whole section is perfect to review and re-review for both current and new book owners alike, as it walks through some of 1Password’s most useful and effective tools under Security Audit.

Take Control of 1Password v1.2.1 is now available. Current owners can sign into their Take Control Ebooks account to grab the latest edition, or you can pick up your copy for just $10.

1Password makes cameo in Silicon Valley


No, we haven’t moved our new office to San Francisco, CA. But 1Password did make a brief appearance in HBO’s Silicon Valley comedy this week, episode “Third Party Insourcing.” Those entrepreneurs may be struggling with the trials and tribulations of… being entrepreneurial, but at least they don’t have to struggle with strong passwords.

[thanks for the heads up, Luca Zorzi!]

1Password in the news

We are constantly amazed by all the great things people write and create about 1Password, whether it’s a review of our latest iOS update, a fan-made “1Password Emergency Kit” for friends and family, or even just fun Twitter conversations that lead to craziness like this.

We want to give a proper shout out to this good stuff here on the Agile Blog, so I will occasionally round it up starting… now.

Honorable mention: Mike Vardy’s 1Password Emergency Kit v2.0. Mike released this latest update to his kit last fall, but it really does deserve another mention. Having this in place in case something happens to you is just smart planning, for both you and your loved ones.

AgileBits’ Roustem Karimov to speak this week at NSNorth in Ottawa, Canada

It’s been a little while since an AgileBits co-founder or CEO spoke at a conference, so it’s great that our own Roustem Karimov is carrying the torch to NSNorth this week!

NSNorth goes down in Ottawa, Canada from May 8-10. Roustem joins quite the roster of speakers, and he allegedly plans to share his origin story and spill all of our secrets as to how AgileBits gets things done. He and other Agile dev and design folks—Dave Teare, Jeff Shiner, Dan Peterson, Rad Azzouz, Winnie Teichmann, and maaaybe Philippe Lague-Morin—will also be mingling and most likely smiling, so be sure to track them down and say hi!

Our 1Password Watchtower service is now looking out for you, right in 1Password for Mac

Earlier this month, we introduced our new Watchtower service on the web. In its initial version, Watchtower checks whether a website is (or ever was) vulnerable to the internet’s nasty Heartbleed security bug, then tells you whether it’s safe to update your password.

Now we’ve taken the next major step and made it much easier to stay secure online, as Watchtower can now check all your Logins at once, right inside 1Password for Mac.

1Password 4.4 for Mac is now available to website and Mac App Store customers, and it has Watchtower built right in. Watchtower is a free service, and once you enable it (either under Security Audit or Preferences), Watchtower will alert you if a website is found to be at risk.

Like Captain Picard sounding the call to battle stations, 1Password will display a red alert at the top of any affected Logins (see this post’s gallery for examples). Click the alert to learn more about what’s going on and when it is necessary and safe to update your password.

Watchtower in Security Audit


Watchtower is a new component of 1Password’s popular Security Audit feature, which shows you items with weak passwords, duplicate passwords, and other handy info to help you decide which Logins to update.

Now built into 1Password, Watchtower lists all vulnerable Logins in a single place and even sorts them by status, such as “Avoid” for sites that have not yet patched their vulnerability, and “Change Password” for sites that have updated, where it is now safe (and prudent) to change your passwords.

How it works

The Watchtower service is off by default. Once users enable it, 1Password will check daily for new website vulnerability information. Your website information is never transmitted to us. 1Password simply downloads this information and checks it locally against your Logins.

Now available

1Password 4.4 for Mac is now available as a free update to existing website and Mac App Store customers, and we have plans to add it to 1Password for Windows. Our new Watchtower service is a major step for 1Password and for making you more secure on the web. We’d love for you to give it a try and let us know what you think on Twitter, Facebook, and in our forums!

1Password 4.5 for iOS: The full release notes


Last week Tuesday we released 1Password 4.5 for iOS and 1Password 4.3 for Mac, updates that were both so large that I figured I’d skip listing their full release notes for fear of making you scroll your morning and afternoon away. However, we’ve had enough requests to see the full release notes here on the blog, so I am happy to deliver!

What follows is screenshots and every last big feature and little improvement that make 1Password 4.5 for iOS so touchable and just plain wonderful.


1Password 4.3 for Mac: The full release notes


Last week Tuesday we released 1Password 4.3 for Mac and 1Password 4.5 for iOS, updates that were both so large that I figured I’d skip listing their full release notes for fear of making you scroll your morning and afternoon away. But we had enough requests to see the full release notes here on the blog, so I am happy to deliver!

What follows is every last big feature and little improvement that make 1Password 4.3 for Mac so fantastic.


1Password 4.5 for iOS and 4.3 for Mac are out and on Launch Celebration Sale!

One could say we’ve been busy these last couple of months, but that would only be the half of it. We have two great releases today that are packed with so much stuff, we had to cut down on our What’s New text just to fit it within the App Store requirements.

1Password 4.5 for iOS

Completely redesigned. Multiple Vaults and Sharing. AirDrop. Search always where you need it. A unified AutoFill tool in 1Browser. This is our biggest free update for iOS ever and you can get the full details on why in the App Store.

Plus, all versions of 1Password are 50% off through the 4/26-27 weekend for our Launch Celebration Sale! Pick up 1Password for iOS now for just $8.99!

1Password 4.3 for Mac

1Password mini can now search everything, use a healthy dose of keyboard shortcuts, and show your Secure Notes. Go full screen. Sync your data file on a USB drive. Mac App Store customers also get all the great stuff from our 4.2 web release, like AutoSave updating existing Login items when you change passwords (that’s a big one!), editing items right in 1Password mini, and more.

Check out the full details in our changelog or on the Mac App Store, and don’t miss the Launch Celebration Sale here too. Through April 27, pick up 1Password for Mac in our web store or the Mac App Store for just $24.99!

Introducing the 1Password Watchtower service for Heartbleed and beyond


When news of the internet’s Heartbleed bug broke last week, we published what we knew about it and the implications for 1Password and 1Password users.

To recap: 1Password is not affected by Heartbleed, but there are steps you need to take to protect your passwords from sites that may have been affected.

Today, we’re introducing a new service to help you check vulnerable sites and stay on top of your online security. We call it 1Password Watchtower.

A way to check if the bleeding has stopped

Your password data remains safe and secure within 1Password, but when your web browser sends a password to an insecure website, that particular password can be captured.

Most, but not all, websites have had some period of being insecure because of Heartbleed, and this is why so many passwords need to be changed.

Since those first few hours on April 7, we’ve gone from “what is this all about?” to “which sites do I need to change my password, and when?” Today, the 1Password Watchtower service will help you answer that question.


The categories of sites

With respect to Heartbleed, the 1Password Watchtower service will try to categorize websites into one of the following five categories.

1. Vulnerable


Sites that are still exhibiting the Heartbleed bug should be avoided until they’ve fixed it. Once fixed, you should change your password.

If you reused a password for one of these sites, then all of those websites are also at risk. You should change your passwords on those other websites as soon as appropriate, and be sure to set up a different password for each of these sites.

2. Not currently vulnerable but needs new certificate


This is where things get complicated. While these sites have stopped the bleeding, their master keys may have been stolen while the site was vulnerable.

To protect against this, websites need to get new certificates signed by certification authorities, which simply takes time (especially when nearly every site needs to do it). It took two days to get our new certificate, and I would not be surprised if others will have to wait longer, especially if they submitted their requests after us.

For these sites we recommend that you change your password twice. Changing your password now will prevent an attacker from using any previously stolen passwords. Then you can change your passwords again once the site’s certificates have been reissued to guarantee that the new password is only known by you.

3. Not currently vulnerable and has a new certificate


These sites were vulnerable to Heartbleed at one time but have been completely fixed. You can go ahead and change your passwords on these sites.

You may find yourself with many sites for which you need to change passwords, but don’t let yourself get overwhelmed. Focus on changing passwords for your most important websites first.

1Password can help you through the process, and of course, this is a great opportunity to use 1Password’s Strong Password Generator to create a strong and unique password for each site.

4. Never vulnerable


Some sites and services were never vulnerable to Heartbleed, typically because they never used OpenSSL or had disabled various features.

One piece of good news is that, as far as we can tell, most banks fall into this category. However, to the annoyance of security researchers, banks are not telling us why they weren’t vulnerable; they are merely repeating that their customers are and have been safe.

For sites that were never vulnerable, no special action is needed. You do not need to change those passwords if your passwords were unique to those sites.

But (and you will hear us repeating this often) if you used the same password on a “never vulnerable” site that you used on one which was vulnerable, then you should change your passwords to be strong and unique on both sites.

This illustrates why password reuse on multiple sites is so dangerous. Even services that have had excellent security on their own can be broken into with a password stolen from elsewhere. 1Password’s Security Audit will help you find duplicate passwords.

5. No SSL/TLS


Sites in this category are in no way affected by Heartbleed, but these are the services where it is most important that you don’t reuse passwords.

Some sites and services do not use SSL/TLS to secure connections between your web browser and their service. Because they have no transport security to break, their security can’t be “broken” by Heartbleed. Any password—or, really, any data—sent to such a site can be easily captured. If you have a password for one of these sites, make sure that you don’t use the same password for any other service.

Subdomains matter: It is important to remember that 1Password Watchtower checks the exact domain you tested. So even if go.com doesn’t use SSL, subdomains such as disney.go.com may. It does not appear that one ever sends passwords to go.com itself, so its lack of SSL does not put passwords at risk.
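The sketch below is an added example, not 1Password's code: it applies the five categories to a set of Logins entirely on the local machine, matching on the exact hostname and flagging passwords shared with an exposed site. The feed format, category keys, hostnames and passwords are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Advice per category, paraphrasing the five categories above.
ADVICE = {
    "vulnerable": "avoid until fixed, then change password",
    "needs_new_cert": "change now, change again after certificate reissue",
    "new_cert": "change password",
    "never_vulnerable": "no action",
    "no_tls": "keep this password unique to this site",
}
# Categories where the password may have been captured in transit.
EXPOSED = {"vulnerable", "needs_new_cert", "new_cert", "no_tls"}

def audit(logins, feed):
    """Match logins against a downloaded feed without sending anything out.

    logins: list of (url, password); feed: exact hostname -> category.
    Returns hostname -> (category, advice, exposed hosts sharing the password).
    """
    hosts = [(urlsplit(url).hostname, pw) for url, pw in logins]
    shared = defaultdict(set)
    for host, pw in hosts:
        shared[pw].add(host)
    report = {}
    for host, pw in hosts:
        # Exact match only: a verdict for a parent domain is not inherited.
        category = feed.get(host, "unknown")
        advice = ADVICE.get(category, "not in feed")
        reused = sorted(h for h in shared[pw] - {host} if feed.get(h) in EXPOSED)
        if reused and category in ("never_vulnerable", "unknown"):
            advice = "change to a strong, unique password"
        report[host] = (category, advice, reused)
    return report

# Constructed sample data (hypothetical feed format and hostnames).
SAMPLE_FEED = {
    "shop.example": "vulnerable",
    "bank.example": "never_vulnerable",
    "example.org": "no_tls",
}
SAMPLE_LOGINS = [
    ("https://shop.example/login", "hunter2"),
    ("https://bank.example/", "hunter2"),  # reuses the shop password
    ("https://app.example.org/", "x9!Lq-unique"),
]
```

Running `audit(SAMPLE_LOGINS, SAMPLE_FEED)` shows the "never vulnerable" bank Login being flagged because its password is shared with the vulnerable shop, while `app.example.org` stays "unknown" even though `example.org` is in the feed.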

How do we know which sites fall into which category?

As 1Password Watchtower checks for Heartbleed, it performs a number of tests on a domain and its certificate, as well as looking at the results of earlier tests. But even with all of the tests that we run, there is some substantial “guess work” in the categorization.

We can reliably tell which sites are currently vulnerable and which sites aren’t. We can also check the start date for the validity of a certificate. We run other tests, but whether they produce results or not, they only offer hints at which category we should put a domain into.

If you are a site administrator and find that we are reporting incorrect results for your site or service, please make use of Heartbleed HTTP Headers to announce your condition or let us know.

Uncertainties

Never vulnerable or needs a new certificate?

The biggest uncertainty is that we have no reliable way to distinguish between sites waiting for new certificates and sites which were never vulnerable. Both such sites will not be currently vulnerable and will not have new certificates. We look at fragmentary results of previous scans as well as web server software to try to form a guess, but it remains a guess.

Is an old certificate really old?

Every certificate has a validity period. They have a “valid from” date and an “expiry” date. We are (mostly) using the date from which they are valid to see if they are old or new. However, many recently reissued certificates have the same validity period as the one that they replaced. As a consequence, certificates that appear as if they are in need of replacement aren’t.

Are we talking to the right service?

Many high-traffic web sites use load balancers, which don’t actually process your web request, but send off your request to one of many back-end servers. The software on a load balancer is meant to be invisible, but it will often be different than what appears on the back end. The tests we perform involve a number of queries, some of which will be handled by the back-end servers and some by the load balancer. For example, a load balancer that was running an affected version of OpenSSL might be using IIS as a back end, and thus we might falsely report the site as “never vulnerable”.
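To make the guesswork concrete, here is an added sketch (not Watchtower's implementation) of a categorizer that records whether each verdict rests on a measurement, a hint, or a fallback. The function name, the hint parameter and the April 7, 2014 cutoff for a "new" certificate are assumptions; the sample cases are constructed and include the two failure modes just described.

```python
from datetime import date
from typing import Optional, Tuple

# Assumption: certificates valid from this date onward count as "new".
DISCLOSED = date(2014, 4, 7)

def categorize(has_tls: bool, vulnerable_now: bool,
               cert_valid_from: Optional[date],
               was_vulnerable_hint: Optional[bool] = None) -> Tuple[str, str]:
    """Return (category, basis).

    basis is "measured" for directly observed facts, "hint" when earlier
    scans or server banners decided it, "default" when nothing did.
    """
    if not has_tls:
        return "no_tls", "measured"
    if vulnerable_now:
        return "vulnerable", "measured"
    basis = "default" if was_vulnerable_hint is None else "hint"
    if was_vulnerable_hint is False:
        return "never_vulnerable", basis
    new_cert = cert_valid_from is not None and cert_valid_from >= DISCLOSED
    # With no hint, assume past exposure: the safer of the two guesses.
    return ("new_cert" if new_cert else "needs_new_cert"), basis

# Constructed cases, including the two failure modes described above.
SAMPLES = {
    "still bleeding": (True, True, date(2013, 9, 1), None),
    "patched, old cert, no history": (True, False, date(2013, 9, 1), None),
    "patched, cert reissued": (True, False, date(2014, 4, 10), True),
    # Reissued with the original validity period: looks old, is not.
    "reissued, same valid-from": (True, False, date(2013, 9, 1), True),
    # Back end reports IIS while the load balancer ran OpenSSL.
    "IIS behind load balancer": (True, False, date(2013, 9, 1), False),
    "plain HTTP": (False, False, None, None),
}

def run_samples():
    return {name: categorize(*args) for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:32} -> {result}")
```

Only the "measured" rows are reliable; the reissued certificate is still reported as needing replacement, and the load-balanced site is reported as never vulnerable, exactly the two errors the text warns about.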


Use strong, unique passwords and carry on

Heartbleed is an astonishingly serious thing, but it isn’t cause to panic. Indeed, frightened people tend to make poor security decisions. The bulk of the work is being done by system administrators, and there are changes to come in the ways critical software is scrutinized. But for most people like you and me, the job is to improve our password practices.

Many—I’d like to think nearly all—1Password users are good about having strong, unique passwords for each site and service. That habit should already make the current task easier for you. Heartbleed and this initial version of 1Password Watchtower give you another opportunity to improve even more. Doing so will make you safer now and long into the future.