Time to give 1Password 4 for Mac’s Security Audit a whirl

It was bound to happen eventually. A massive Adobe data theft of 130 million customer names, emails, encrypted passwords, source code, and more will enable almost limitless password reuse attacks in the coming weeks.

Suppose you are one of the 130 million people whose oddly encrypted passwords were exposed in the Adobe breach. Suppose that you used the same password there as you do for PayPal.

To make matters worse, suppose you actually listed that fact in Adobe’s password hint. Since the malicious attackers dumped the Adobe data online, a quick check of Adobe customer password hints shows that there are more than 700 that say things like “paypal” or “sameaspaypal”. There are more than 20,000 hints referring to “bank”. I will talk about password hints at some other time; my point here is all about password reuse.

Only a fraction of the people who are reusing passwords will make that clear in their password hints. We already know password reuse is common. We also know that criminals do indeed exploit password reuse to steal from people.

I am very tempted to explain all about Adobe’s peculiar method of storing passwords. It’s really a cool story with lots of interesting lessons, and explaining it would involve poorly encrypted pictures of a penguin.

I am also tempted to dive into the gory details of the statistical properties of the data, the analysis of which has kept my computer busy for days on end. Likewise, I could rant about Cupid Media’s failure to encrypt or hash passwords for 42 million customers. Or I could talk about privilege escalation in the MacRumors discussion forums breach a week earlier, which led to the capture of all 860,000 hashed passwords.

But it is far more important for me to repeat what we’ve said in many different ways and at many different times: Password reuse—using the same password for different sites and services—is probably the biggest security problem with password behavior.

We want to fix that.

Knowing the right thing to do is easier than doing the right thing

Like most people, you weren’t born using 1Password; it’s something you came to later in life. Now that you use 1Password, you will (or should) be using the Strong Password Generator when you register for a new website so you get a strong, unique password.

But think back to those dark days when you needed to come up with passwords on your own. You probably picked from a small handful that you had memorized, so now you’re stuck with a bunch of sites and services for which you used the same password.


Getting all of those old passwords sorted out is going to be a chore, but it doesn’t have to be done all at once. Best of all, 1Password 4 for Mac can help, thanks to its new Security Audit feature.

Let’s use an analogy: say that Molly (one of my dogs, and not really the cleverest of beasts) has just started using 1Password. She has a few passwords, but not many. Even though she doesn’t know how to push open a door that is already ajar, she can make use of the new Security Audit tool in 1Password for Mac.

In the left sidebar of 1Password 4 for Mac, down toward the bottom, there is a section called “Security Audit”. When Molly clicks (or paws) “Show” next to “Security Audit” she sees a number of audits available. She can select “Weak Passwords”, which will show her all of her items with weak passwords. She can also look at password items that are old. But the selection we are interested in today is “Duplicate Passwords”.


Security Audit in 1Password 4 for Mac, displaying Molly’s duplicate passwords

What Molly sees is that she has two sets of duplicates. One of them is used for two Logins, and the other one is used for four Logins. As we can see, her Adobe.com password of “squirrel” is also used for her Barkbook, Treats R Us, and Cat Chasers Logins.

Molly should, of course, go to each of those sites and change her passwords on them. But there are squirrels in the back yard to bark at, and changing all of those passwords may seem overwhelming. So Patty (the cleverer dog in the family) advises Molly to think about which of those Logins are most crucial. Molly can’t tolerate the thought of anyone else getting a treat, so she starts with Treats R Us.

This does mean going to the Treats R Us site and using its password change mechanism. 1Password is smart, but it isn’t quite smart enough to go browsing through the sites to find their password change pages. Molly may decide that her Barkbook Login is also very important, and so will change that one right away as well.

Ideally, Molly should fix all of her weak and duplicate passwords as soon as possible. And as Molly has only a handful of Logins, she could do that. But for those of us who may have a large number of old accounts, it is probably best to check Security Audit and update reused or weak passwords at the most important sites first. Then, updating other passwords a few at a time is an easy way to make all our accounts much more secure.
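The three audits described above (Duplicate Passwords, Weak Passwords, and old passwords), plus Patty’s “most crucial Logins first” ordering, re-created as a small Python script over a constructed sample of Molly’s Logins. This is an added illustration, not 1Password’s own code: the item fields, the 40-bit entropy threshold and the 365-day age limit are assumptions.

```python
from collections import defaultdict
from datetime import date
import math

# Constructed sample of Molly's Login items (illustrative data, not a real vault export).
LOGINS = [
    {"title": "Adobe.com",   "password": "squirrel",     "modified": date(2011, 3, 2)},
    {"title": "Barkbook",    "password": "squirrel",     "modified": date(2012, 6, 10)},
    {"title": "Treats R Us", "password": "squirrel",     "modified": date(2012, 1, 15)},
    {"title": "Cat Chasers", "password": "squirrel",     "modified": date(2013, 2, 1)},
    {"title": "Bone Bank",   "password": "g00dboy!",     "modified": date(2013, 9, 1)},
    {"title": "Fetch Mail",  "password": "g00dboy!",     "modified": date(2013, 9, 3)},
    {"title": "Kibble Kart", "password": "Xq7#LmP2vRt9", "modified": date(2013, 11, 1)},
]

# Constructed "today" so the age audit is reproducible.
TODAY = date(2013, 11, 20)


def duplicate_groups(items):
    """Group Login titles that share an identical password.

    Returns only sets of two or more, largest first, so the most widely
    reused password sits at the top, as in the Security Audit sidebar.
    """
    by_password = defaultdict(list)
    for item in items:
        by_password[item["password"]].append(item["title"])
    groups = [titles for titles in by_password.values() if len(titles) > 1]
    return sorted(groups, key=len, reverse=True)


def estimate_entropy_bits(password):
    """Rough strength estimate: length * log2(size of character classes used).

    This is an upper bound; a dictionary word like "squirrel" is far weaker
    than it suggests, which is why the threshold below is conservative.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def weak_passwords(items, min_bits=40.0):
    """Titles whose password falls below the (assumed) entropy threshold."""
    return [i["title"] for i in items if estimate_entropy_bits(i["password"]) < min_bits]


def old_passwords(items, today, max_age_days=365):
    """Titles whose password was last changed more than max_age_days ago."""
    return [i["title"] for i in items if (today - i["modified"]).days > max_age_days]


def remediation_plan(items, today, important=()):
    """Order the Logins that need a new password.

    Logins the user lists as crucial come first (Patty's advice), in the order
    given; the rest follow by how widely their password is reused, then by
    title. Unique, strong, recent passwords are left out entirely.
    """
    flagged = {}
    for group in duplicate_groups(items):
        for title in group:
            flagged[title] = len(group)
    for title in weak_passwords(items) + old_passwords(items, today):
        flagged.setdefault(title, 1)
    rank = {title: i for i, title in enumerate(important)}
    return sorted(flagged, key=lambda t: (rank.get(t, len(rank)), -flagged[t], t))


if __name__ == "__main__":
    print("Duplicates:", duplicate_groups(LOGINS))
    print("Weak:      ", weak_passwords(LOGINS))
    print("Old:       ", old_passwords(LOGINS, TODAY))
    print("Fix first: ", remediation_plan(LOGINS, TODAY, ["Treats R Us", "Barkbook"]))
```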

Apps that Love 1Password: Delivery Status touch

You buy stuff online, and you need to know when it’s going to show up at your house, work, or your lucky recipient’s doorstep. For years, community favorite Delivery Status touch has made it, dare I say, fun to track your packages. Now it’s adding the convenience of 1Password.

Delivery Status touch 5.0 just hit the App Store and it is a whopper of an upgrade. In addition to big new features like optional background notifications, Calendar support, and iCloud sync, you can use the new 1Password integration to quickly log into services and add packages to track.

For supported services like Amazon and Google Checkout, Delivery Status touch can simply log into your account and pull down the details it needs. Tap the new 1Password button in the service login section, and you will switch to 1Password with your All Items list already filtered for the service you’re adding. Swipe across the Login item you want to trigger the Action Bar, tap the clipboard button to copy your password to the clipboard, then switch back to Delivery Status touch to finish logging in.

We’d like to thank the fine folks at Junecloud for adding 1Password support to their legendary delivery tracker. Be sure to pick up Delivery Status touch in the App Store, and if you’re a developer, learn how you can add some 1Password to your iOS apps!

Apps that Love 1Password: Money Pilot

Staying on top of your finances is a good idea, and so is managing them in a secure way. That’s why we’re happy to see a brand new iPhone app, Money Pilot from Victor Hudson, join the ranks of Apps that Love 1Password!

This is one of those apps that was born out of necessity—literally. Victor told me that he started managing his finances a decade ago using a spreadsheet. He built a system and got pretty good at it, but then he bought an iPhone and this approach just didn’t hold up on such a personal, mobile device. He looked for apps that could supplant his financial management spreadsheet, including Apple’s own Numbers for iOS, but ultimately decided he’d have to build it himself. And so Money Pilot was born.

Money Pilot is a financial record keeper and bill planner. You can plan bills around your pay schedule, see how much you actually can spend right now, and gain some of the automation of spreadsheets without all the overhead. Victor also added some clever 1Password support that he says was a “must have” for him, personally: you can add bank URLs for your accounts, then set 1Password’s 1Browser as the default browser for when it’s time to visit their websites.

Get Money Pilot now in the App Store for just $2.99, and be sure to leave a review to support Victor and help him make it even better! If you want to check out all the other apps that have added 1Password support, from Twitter clients to beer companions (no, really!), check out our Apps that Love 1Password page!

1Password 4 for Android: The beta, like winter, is coming!


You might have noticed that this summer a couple of interesting screenshots appeared in our Dropbox folder, and then here on the blog.

You also might have noticed that we ran a rather large beta test for our Mac version.

Now those two great tastes will taste great together! We’ve set up a shiny new (if I do say so myself) Android beta newsletter signup page.

If you ever sent us an email or a tweet asking about the future of 1Password on Android, now’s your chance to help shape that future.

It’s an opt-in newsletter, so we’ll send you a message with a confirmation link to click just to be sure you meant to sign up, and to make sure we got your address right.

Join us, won’t you?

1Password 4 for Windows is coming. Want to help beta test?


I’m going to be honest: I can’t tell you anything about 1Password 4 for Windows. Technically speaking, I’m not even supposed to confirm it exists. But I can tell you that, if it did, we’d be accepting beta testers who want to help us polish it at a webpage like this.

So, if you like to live on the wild side, test Windows apps, and offer feedback in super special forums, you might want to add your email address to our beta Windows newsletter signup page.

1Password for Mac tip: How to create, share a vault with family or coworkers


1Password 4 for Mac brought over 90 awesome new features, and one of its best (and most-requested) is the brand new Multiple Vaults. You can now create extra vaults, copy items to them, and optionally share them with family, coworkers, or anyone else you choose.

We have a great support document that explains step-by-step how to create and share a new vault, but here are the CliffsNotes:

  • Create a new vault (1Password > New Vault…)
  • Customize its icon, color, and Master Password (you can even use photos from your Mac!)
  • Copy some items to this new secondary vault (select any item, click the sharing arrow and choose your new vault as the destination)
  • Place the vault in a shared Dropbox folder or other location (1Password > Preferences > Sync)
  • Have your family members or coworkers use 1Password 4 for Mac to add your new vault
  • Enjoy 1Password’s new Shared Vault awesomeness

Our new Multiple Vaults feature is Mac-only for now, emphasis on for now. But we think it’s the best way to collaborate with family and coworkers yet conveniently use strong, unique passwords to protect all your sites, apps, and devices.

Our own Kelly Guimont helps KGW News get the word out on a credit card scam


Credit card scams and Nigerian emails bearing gifts of unclaimed government treasures are usually things that happen to “other people.” Well, recently that “other people” happened to be our very own Kelly Guimont, so she helped KGW News in Portland get the word out on a new cellphone credit card scam making the rounds. Check out the video segment at KGW’s site, and be careful out there.

37signals recommends 1Password in new ‘Remote’ book

You might know 37signals from Basecamp, Highrise, and Campfire—excellent services that help team members collaborate better whether they’re across the hall or the world. Those folks know a thing or two about working remotely, so co-founder Jason Fried and company partner David Heinemeier Hansson wrote an entire book on the topic and called it Remote. You can get it in the iBookstore, on Amazon, and elsewhere.

Remote covers the advantages of allowing some or all of a company to work remotely and how to pull it off, and in the midst of all that, Fried and Hansson give a shout-out to 1Password. In a chapter called “Only the office can be secure,” Remote debunks the myth that employees need to be under the same roof in order to keep sensitive accounts and data under control. The company describes its simple security checklist that all employees must follow, and one of its cornerstones is to:

Use a unique, generated, long-form password for each site you visit, kept by a password-managing software, such as 1Password.

It’s a smart checklist overall, and one of the dozens of reasons you should really give Remote a look to learn more about how and why working remotely can open a lot of doors for you and your organization.

For bonus points, our very own co-founder Dave Teare had a brief Twitter conversation with Jason Fried to say thank you:

Dave Teare Jason Fried Remote Twitter conversation

1Password as part of your emergency plan

I’ll be honest about this post: it isn’t really one of our most exciting 1Password life tips. It might even be a little sad. But it’s definitely one of our most important tips and down-the-road things to think about as a 1Password user.

Most people have a will, possibly power of attorney and advance directive paperwork. All this stuff usually lives in a secured location, whether it’s a safe deposit box, a safe in your house, or with a trusted third party. But what about all the accounts, identities, and other information we keep in 1Password? Who gets control over that in an emergency or when we’re gone? And how?

I wanted to write this post after having to answer this support email repeatedly in a relatively short period of time:

Hi Support! My (family member) passed away and they used 1Password for everything. Can you reset the master password so I can log in to [important sites] now that they are gone? Thanks!

It hurts me to have to tell people they are 100% out of luck if that Master Password isn’t recorded and stored in a safe place. I know all the things you have to deal with when you lose someone, so it makes me sad to be the person adding yet another thing to that list.

Ways to prepare

Some people simply include their Master Password in their personal papers. I used to keep a "cheat sheet" in an undisclosed location: a page of information about my computer, Apple ID, and other details, and I included my 1Password Master Password on that page.

You may have noticed I said "used to" keep a cheat sheet. Now I don’t have to do that anymore, thanks to a friend of mine, Mike Vardy. One of the most popular posts on his site is "1Password Emergency Kit", and I’m really happy to say he just released a big update: 1Password Emergency Kit 2 (aka, The Legend of Curly’s Gold, as I like to call it). It’s a free PDF you can print and keep with your "papers", allowing you to record and organize your 1Password Master Password, device passcodes, and other essential credentials for your loved ones. It gives you a bit more peace of mind, which is one of the pleasant benefits of using 1Password in the first place.

We have also heard from some of our faithful users who have their own unique solutions to these What If situations. One approach is from Rik Williams, who wrote in to ask about backups and how to restore from one, since he’d given a copy of the backup file to his trusted sources:

The three parties I use are my accountant, estate attorney, and financial advisor. I’ve instructed them that the three would need to convene along with any surviving family members and ALL agree that it’s appropriate to open the backup 1PW vault. I specified that this meeting should be documented in writing so that it would withstand legal review – I’m assuming the attorney would do this.

I’ve used Secure Notes to record everything I can think of in the if-I-die-scenario. This includes a short write-up on how to find the most current copy of my 1PW file from my cloud synch service. (BTW, I refer my survivors to the excellent support that AgileBits provide.)

Finally, my friend Judy MacDonald Johnston has covered some prudent thoughts along these lines in her TED talk. I recommend getting a beverage and watching her tell you about them. It’s not as sudden a situation, but still a lot of good tips, particularly if you’re someone who, like me, before Judy’s talk, hasn’t done much at all on this front.

Whichever route you take, it’s never too soon to spend a few minutes and organize your critical 1Password and other details for your loved ones, just in case. Take that Boy Scout oath and Be Prepared.

Interview with Joe Kissell, author of Take Control of 1Password

With our release of the all-new 1Password 4 for Mac this month, the venerable Joe Kissell also wrote a whole book for the Take Control series called Take Control of 1Password (on sale for just $10!). It’s a great look into getting set up with 1Password 4 for Mac and even iOS and Android, as well as all the real-world ways 1Password can be useful for passwords and beyond.

Since Joe went so in-depth into getting the most out of 1Password, I figured we should go in-depth on Joe, the Take Control series, and his thoughts on 1Password and the future of security. I reached out for an interview, and he had some great responses.

AgileBits: First off, thanks for writing a whole book about 1Password, that’s pretty great of you. For our customers who aren’t familiar with the Take Control books, can you give a rundown on what the series is about?

Take Control is a series of ebooks that help ordinary, nontechnical people understand and make the best use of technology. The idea is that you have a professionally written and edited explanation of some technical topic that’s much more detailed than a magazine article could be (say, 100–150 pages instead of 2–6) but far more manageable than a 500+ page printed book. And, since they’re ebooks, we can treat them much like software: we offer minor updates for free and discounted upgrades on major new editions. You click a link to check for updates, download the new version, and that’s that. So the content can stay up to date as the technology changes, and you don’t end up with this huge chunk of paper that’s outdated before you even read it the first time. And all this comes at a modest price—most of our books are around $10–15.

The majority of our books focus on Apple (Mac and iOS) technologies. But we’re increasingly covering topics that apply across platforms, such as online privacy, Dropbox, and (of course) 1Password. We’ve even had a few books in the series that weren’t about computers at all, including one I wrote about how to prepare Thanksgiving dinner!

This month is actually the 10th anniversary of Take Control Books. Ten years ago this spring, I got a call from Adam Engst, who is well-known in the Apple community as the publisher of TidBITS and the author of numerous books. I’d known Adam for a long time—I’d written some TidBITS articles and Adam had written a foreword to one of my books and so on. He said he had an idea for an experiment in electronic publishing, and wanted to know if I’d be interested in joining a small group of other authors and editors in trying out this new model. I said sure, and the first book I wrote in the series was “Take Control of Upgrading to Panther,” which came out the same day Panther (Mac OS X 10.3) did, in October 2003. It sold a bazillion copies, and the rest is history. (And, this month, in keeping with tradition, we shipped “Take Control of Upgrading to Mavericks”!)


What about your Take Control of 1Password book, in particular? Is there an overall approach or theme you had in mind while writing it?

Earlier this year I wrote a general-purpose book on password security, “Take Control of Your Passwords”. That book was all about understanding password security generally—why you need to have excellent, strong, unique passwords; what makes one password better than another; and what strategies you can use to keep from being overwhelmed by passwords. Of course, using a password manager like 1Password is one aspect of that, although I take pains to say it’s not a complete solution in and of itself.

In the 1Password book, I wanted to say, OK, if you’ve chosen 1Password (which happens to be my favorite password manager) for that aspect of your password strategy, then here are all the details about doing the stuff you care about doing with it. It’s no good to just say, “Go out and buy this app” if a reader isn’t sure what to do with it, how to use it most effectively, how to solve problems, and so on. So that’s what I was trying to do with this book.

For whom did you write this book? Was there a type of user or skill level in mind?

Well, I was thinking of people like my wife (hi, honey!), who may have had 1Password for a long time but never quite grokked it. People who aren’t technophobic but also don’t wear propeller beanies, if you know what I mean. Ordinary folk who just want to get things done and appreciate a bit of patient, systematic hand-holding but don’t want to be talked down to.

It’s not that 1Password has such a steep learning curve, but you kind of have to get on board conceptually with its way of handling things. And I think the best way to do that is to walk through all the steps of creating, storing, and using passwords a few times, with the sites you use most frequently, so it’s not just a vague idea about what should happen but the actual experience of making it happen. I try to walk users through both the theory and the practice so that, hopefully, after a few tries the process clicks and they go, “Aha! Now I see how much better this is than the old way.”

So, as with all my books, I’m writing for an intelligent reader who just isn’t an expert in this particular thing. And I try to focus more on real-world tasks than on features. In other words, I don’t think that by simply cataloguing what every button and menu command does, I’d be teaching someone how to use the product. Instead, I frame it as, “You probably need to accomplish x, y, and z with this app. How do you go about doing that?”

Besides stronger passwords, do you have another favorite use or some tricks for getting more out of 1Password?

I keep all my software licenses in 1Password. At the moment, I have—let’s see—373 of them! I find, especially at times like these when a new OS version is coming out, that I’m reinstalling apps quite a bit and I have to say, I’ve kind of fallen in love with 1Password mini for quickly retrieving license codes. I launch an app and it asks for the code, and now I just press Command-Option-\, type a few letters of the app’s name to find it, arrow over and down to the password field, and press Return to copy the code. Click back in the app, paste, and I’m done. So much simpler than it used to be!

Another thing I suggest in my book is to include not only textual data, such as your credit card, driver’s license, and passport numbers, but scanned images of the items themselves, as attachments. If you ever lose one of these items, a scanned copy can be very helpful in getting it replaced (and also provides some supporting evidence that you are who you say you are).

What do you think are some of the challenges for the security software space in general?

Wow, where to even begin? Well, I’ll focus on a couple of issues. First is the actual security part—making products and services robustly hack-resistant. Some of the folks who want to break into people’s accounts and steal their data, money, or identity are extremely smart and, shall we say, dedicated. Staying ahead of them requires even more smarts and dedication. I’ve seen some pretty scary security products—I’m thinking of a couple of password managers in particular—where it’s evident that the developers didn’t have a deep understanding of things like entropy, encryption algorithms, and exploits, but just threw something together that seemed to basically work. Most users won’t know the difference—until they get hacked.

So I love reading the security posts on the AgileBits blog by Jeff Goldberg and Roustem, because they demonstrate an extensive, thorough knowledge of cryptography that shows you guys really do know the score.

The other side of that is usability. You could ask users to enter a password, type a code from an SMS message, and do a fingerprint scan every time they go to a new Web site, and that might be super secure, but it’s an unreasonable amount of effort for what you’re trying to accomplish. Tools like password managers have to not only be easy to use but to respect varied workflows. If a tool requires you to throw out all your habits to adapt to the one way it knows how to do things, or if it imposes unreasonable restrictions (like forcing you to use just one browser), it’s not being kind to users.

Now, it does make me a bit sad that 1Password has had to remove or alter certain useful features over the years in order to remain compatible with all browsers and platforms. I understand why that is—you have to work within what browser developers, and especially Apple, permit you to do, and those restrictions have gotten tighter. But man, I miss the time when I could visit a new Web site that asked me to generate a password and then, with a single click, create, fill in, submit, and memorize that password. Those were the days! And I’ve been lobbying for an option to fill in and submit a default set of credentials automatically when you load a page, no clicks or keystrokes required. I would love to see 1Password take that next step in usability.

You have a section called ‘Glimpse the future of 1Password.’ Care to offer a glimpse of that glimpse for your potential readers?

Part of the reason for that section was to reassure users who upgrade to version 4 and have a moment of “Hey, wait a minute! What happened to (my favorite feature)?!” During the version 4 beta testing, AgileBits staffers were constantly reminding everyone that, because it was a total rewrite as well as a redesign, a few of the elements people were used to in version 3 aren’t quite there yet, but will be soon—and there are big new features in the works too. I think one of the most important changes in version 4 is that 1Password was rethought in such a way that adding new features will be easier, and significant updates should be more frequent.

So, based on my discussions with AgileBits staff and what I read on the beta discussion boards, I expect to see things like more view options (not just the single-column list) and editing directly in 1Password mini, without having to open the full app. And I know that some bugs—er, design challenges—such as getting 1Password mini to work correctly on multiple displays are being addressed too.

One of the other things I mention there is that the Windows and Android versions of 1Password, which haven’t seen a lot of love lately, are actively being worked on to bring them to feature parity with the Mac and iOS versions.

Do you remember when you first found 1Password? Who or what got you into it?

I looked through my email archives, and the first mention of 1Passwd—it didn’t have the “or” in the name back then—was in July 2006, about a month after its version 1.0 release. I got a copy of version 1.3 to review for TidBITS, although for reasons I can no longer recall, that review didn’t appear until nearly a year later: 1Passwd Eases Password Pain in June 2007. My very first impression was one of puzzlement: I couldn’t figure out why someone would need an extra program to do something that any Web browser can do on its own. But the proverbial lightbulb went on as soon as I started using 1Passwd, and as early as October 2006, when Macworld was asking contributors for nominees for that year’s Editors’ Choice awards, I wrote to my editor, “I’m really jazzed about 1Passwd, which has quickly become indispensable for me.”

So, I’m proud to say I’ve been a user almost since the very beginning of the product. That year, 2006, was also when I wrote my first Take Control book about passwords (which was replaced with a much more modern title earlier this year). I’ve written an awful lot about passwords in the intervening years, and 1Password has been a faithful companion the whole time.

Thanks a lot Joe!

As you can see, Joe knows his stuff and we’re honored that he’s been with us since way back when the “1Password” name was missing a vowel. The Take Control series really is wonderful, so check out Take Control of 1Password and their other books to learn how to get more out of your apps.
