The 1Password at Macworld/iWorld 2014 megastravaganza post!

MW iW 2014 pre-conf team

We’re in San Francisco for Macworld/iWorld 2014—and for you! We love hearing from our customers, and we have booth #39 in the Appalooza so we can hear from you in person this week! We’ve spent the day getting the booth ready and tracking down that one thing we need to make it all work. Now we’re just excited to get the show on the road.

Swing by anytime Thursday, Friday, or Saturday during the conference to say hi. Bring a friend if you like! In fact, we’re bringing a friend on Friday from 11am-12pm—Joe Kissell, he of the Take Control of 1Password book.

Our co-founder Dave Teare is also going to be on the Main Stage Thursday, March 27 in Mac Gems: Meet the Developers. He’ll join Jennifer Bell of Prosoft Engineering, John Chaffee of BusyMac, and Greg Scown of Smile to talk everything from ‘where do the great ideas come from?’ to ‘the risks and rewards of the Mac App Store and developing software in general’. Be sure to catch the panel and learn from some of the best in the Apple community.

Last but not least, 1Password 4 for Mac (and Windows!) is 50 percent off to celebrate Macworld/iWorld! You can get the sale price in our web store and in the Mac App Store, so it’s up to you!

Whether you pick up 1Password on sale or not, be sure to swing by our booth at the conference to say hi!

Apps that Love 1Password: Unread, Fantastical, Tonalli

This is another particularly delightful edition of Apps that Love 1Password since it’s so diverse. This time we have a hot new newsreader, one of the best calendar apps for iPhone, and a slick utility for tracking your project time with Tick.

Unread iconUnread

Unread for iPhone from Jared Sinclair is a beautiful, minimal newsreader for Feedly, FeedWrangler, and Feedbin. Jared cut out a lot of buttons and toolbars in favor of simple gestures to let you focus on reading and (optionally) sharing articles.

Unread’s login forms for FeedWrangler and Feedbin features a 1Password button so you can quickly find your accounts. The sharing feature also lets you open the current article or webpage in our 1Browser so you can use Identities to quickly register for services, or even Credit Cards so you can insta-buy what you just read about!

Unread is available for iPhone in App Store.

Fantastical iconFantastical 2

The Sweet Setup declared Fantastical 2 the best calendar app for iPhone, and it’s easy to see why. Fantastical is fast, a native iOS 7 citizen, and has optional support for Apple’s Reminders. One of its best features is that you can use natural language to create events and tasks, like “Lunch with Amy at 12:30″ to create an event, or “get milk /p” to add a Reminder to your Personal list.

As of Fantastical 2.0.5, you now have the option to open links in our 1Browser, making it much easier for you to securely log into services, register at new sites with 1Password Identities, and fill out shopping carts with one tap.

Fantastical 2 is available for iPhone in App Store.

Tonalli iconTonalli

For all you folks out there who need help tracking projects and the time you put into them, Tonalli is a minimal and free iPhone client for Tick. You can see your daily timecard, manage said timecards, and view reports and charts for all your projects.

A new 1Password button in Tonalli’s login screen should make it faster to log into your Tick account. You’ll switch to 1Password with an AutoSearch for Tick. Swipe the item to open the Action Bar, copy your password, then switch back to paste and get to tracking time.

Tonalli is available for iPhone in App Store.

As always, we thank the developers behind these and all the Apps that Love 1Password for making it easier to work, play, and stay secure both on- and offline with 1Password.

1Password – No More Sticky Notes

Ever wanted a succinct video with a catchy soundtrack to help explain what 1Password is all about to friends, family, and coworkers? Now you got it!

We wanted to make a video that explains the overall problems and challenges of passwords and staying secure online, then how 1Password is the best way this side of the sun to solve it all. I might be biased, but I think we nailed it, and we’d like to thank the wonderful folks we worked with at Sandwich Video for making it happen.

Crackers report great news for 1Password 4

To understand why this is really good news for us and for 1Password users, it is important to know what “crack” means in this context. I’ll come back round to that and why we encourage the developers of hashcat, John the Ripper, and cryptohaze to take a crack at 1Password. But first, let’s talk about this news and what it says about your password security.

Cracking fast and slow

If someone gets your 1Password data, they will not be able to decrypt it without your Master Password. A determined attacker might then try to guess your Master Password. Your job is to pick a good Master Password so that it will take trillions of guesses before the attacker finds the right one. Our job is to make sure that they can’t make millions of guesses per second on common hardware, thus significantly slowing down the guessing process, ideally to the point of futility. We do our job by using a “slow hash” for deriving encryption keys from your Master Password. In 1Password 4, that slow hash is PBKDF2-HMAC-SHA512. For the Agile Keychain Format it is PBKDF2-HMAC-SHA1.

keep calm

Jens Stuebe, the developer of a password hashing system called hashcat, has been testing just how many guesses per second he can get out of hashcat for the 1Password 4 data format. The hashcat demonstration showed fewer than 500 guesses per second, but with somewhat beefier hardware and a more realistic data file, a better estimate based on the hashcat data would be between 5,000 and 20,000 guesses per second. For all of the calculations below, I will use the more pessimistic (for us, the defender) estimate of 20,000 guesses per second. It’s not because I think the pessimistic estimate is the most realistic, but simply that it is better to err on the side of caution.

If you use a four word password from the scheme described in Toward Better Master Passwords, then at 20,000 guesses per second it would take more than 5,600 years for a high-end PC with with multiple graphics processing units (GPUs) to work through all of the 3.65 trillion equally possible passwords. Of course, the attacker won’t have to try all of those. On average, she will find the right one after going through about half of the possibilities. So the average time to crack will be about 2,800 years. If you use a five word password, then the average time to crack will be more than 20 million years.

20-and-5K-guesses-per-sec

We like crackers

With enough time (perhaps far more time than the life of the universe) it will always be logically possible to guess a Master Password. This is simply the nature of the beast. We need to know how many guesses an attacker can make in a second, a day, a year with the resources available to them so that we can devise the most effective defenses against these sorts of attacks.

We make our own estimates, but the best estimates come from looking at real data. We will, on occasion, run our own tests but the people who specialize in password cracking are the people who perform the most stringent tests and will look for things that we might not notice. We want to know how hard they have to work at guessing passwords. We are extremely supportive of projects like John the Ripper, hashcat, and Cryptohaze. Indeed, conversation with people involved in these projects has very much helped us develop better resistance to password cracking.

This is one of several reasons why we are open about our data format. We get better analysis from the security community by doing so. Hashcat, and John the Ripper, worked against some sample data we make available to the public.

Cracking isn’t breaking

When crackers develop tools to guess at 1Password Master Passwords, they are not “breaking” anything. They aren’t exploiting vulnerabilities. They are just automating password guessing. Because they are working directly on the data files themselves, not with the 1Password software, things like lock-outs after multiple failed guesses aren’t an option (and don’t provide any meaningful security against encryption tools like this).

The technical stuff

The 1Password 4 data format uses PBKDF2-HMAC-SHA512 with an absolute minimum of 10,000 iterations when transforming a Master Password to a decryption key. I’m not going to explain what all of that means, but I will say that PBKDF2 is a Password Based Key Derivation Function that is designed to require that there be lots of computation in getting from an entered password to a key. It is specifically designed to slow down cracking attempts.

The attacker is able to build special machines for their cracking efforts, and software carefully optimized for that hardware. Defenders like us have to be able to process a single password in an acceptable amount of time for them on the hardware in their pockets. As a consequence, the attacker can process a candidate password much more quickly than the legitimate user. @bitwiesil, the developer of Cryptohaze, describes this as an Attacker/Defender Ratio (ADR).

For example: if it takes 1/4 of a second for a user’s Master Password to be processed on their mobile device, but the attacker using specialize hardware can make 10,000 guesses per second, the ADR would be 2,500. In a perfect world, the ADR should be 1:1, but that is never going to happen. Plus, ADR in the tens of thousands, instead of in the millions or billions, is a hard but more realistic goal.

The limits of PBKDF2

PBKDF2 isn’t perfect. Most importantly, it can only go so far. We can reach a point where even tiny improvements to a password (say, just adding a digit) can offer far more additional protection than adding extra strength to PBKDF2. For example, adding a single random digit to the end of a password will offer as much as going from 30,000 PBKDF2 iterations to 300,000. And the latter can do real harm in making legitimate decryption too slow. Increasing the number of PBKDF2 iterations does not change the Attacker/Defender ratio at all.

There are a couple of other things that PBKDF2 doesn’t do. When it uses SHA1 internally (a very common configuration), it can be optimized to run extremely quickly in GPUs, giving the attacker a high ADR. Computers built with several (or many) GPUs operating in parallel can still perform many billions of SHA1 computation per second. GPUs cannot be so easily tuned when PBKDF2 uses SHA512 instead of SHA1. Our use of SHA512 within PBKDF2 in 1Password 4 is overwhelmingly the biggest reason that we are seeing such a small Attacker Defender Ratio in the hashcat report.

There is another, more subtle issue with PBKDF2 which can allow the attacker to double the ADR in some peculiar cases. Those cases can be avoided (once people know to avoid them), and a doubling of the ADR is not a big deal. But this does show that PBKDF2 is not the slow hash we would design today.

PBKDF2 is not “memory hard”. It is designed to raise the cost in computation for both attacker and defender, but it doesn’t force a substantial demand on computer memory. If, as the case has been, that the price of computations falls faster than the price of computer memory, the attacker can affordably purchase or rent a fleet of fast processors. But, if we build a slow hash function that also requires substantial memory use, we have more flexibility in trying to reduce the ADR.

So why do we stick with PBKDF2?

For all of its warts, PBKDF2 is the best choice for 1Password today, although it may not be tomorrow.  We can mitigate some of the limitations of PBKDF2 in our design, which we currently do. After all, the great results that we have from this weekend’s hashcat report show that we continue to be successful with it.

The best alternative to PBKDF2 that is reasonably well available and scrutinized is scrypt. If scrypt or similar had been further along as a standard, we probably would have used that. But because you need to unlock your 1Password data on a variety of different platforms, we need to use cryptographic functions that are included in well-tested libraries for all of those platforms.

This is why the Password Hashing Competition is so important. This is an effort to develop and agree upon a design for a successor to PBKDF2 that takes into account everything we’ve learned since it was first developed. The aim is that the successor will have enough support to become available to developers in many cryptographic tool kits. But that is a hope for the future. Right now we continue to use PBKDF2 in a way that takes its various quirks into account.

Your part of the job

Even the slowest hash with a perfect Attacker/Defender Ratio can’t protect a weak Master Password. Our job is to make sure that, when an attacker needs to guess trillions of passwords, they have to really work to do so. Your job is to pick a good Master Password so that it is trillions of passwords they need to guess instead of thousands. In our sample data that hashcat used, the password was “fred” (this was also made public). So even performing less than 500 guesses per second, hashcat was able to find the password “fred” in less than a minute.

Updated to correct spelling and add in a few links.

We’ll be at Macworld/iWorld 2014, come say hi!

Macworld iWorld 2014 banner squareShhh, listen… you smell that? It’s that time of year again—winter begins its retreat, the doors of Moscone North get ready to open, and the Apple community will soon flock to downtown San Francisco for Macworld/iWorld 2014, from March 27-29!

I bring this all-things-Apple conference to your attention not only because it’s a wonderful thing, but because we’ll have a booth again this year and we’d love to meet you in person! A good portion of the AgileBits team will be there, too:

  • Jeff Shiner – CEO
  • Dave Teare – co-founder
  • Roustem Karimov – co-founder
  • Dan Peterson – Lead Designer
  • Kyle Swank – Ambassador of Swank
  • Chris Meek – Tech Ninja
  • Ben Woodruff – Positive Experience Architect
  • Steve Joyner – Ninth Inning Closer
  • (me) David Chartier – Agile Herald

But wait, there’s more: the first 100 people to click this link can pick up a free expo hall pass, and we’re bringing a friend!

On Friday morning from 11am-12pm PT, we will be joined by the Take Control of 1Password maestro himself, Joe Kissell! You can meet the author behind the book and ask him anything you want! Well, just about anything… except that.

So swing by our Macworld/iWorld booth Thursday, Friday, and Saturday at the end of March to say hi, ask questions, catch Joe Kissell, and talk shop in person!

Apps that Love 1Password: Capitaine Train

Capitaine Train 9 icon1Password has built its name, in part, on three syllables. For the other part, it excels in helping you get around online more securely and conveniently, and it can be plenty useful off-line too. In fact, don’t take it from our past and future blog posts about all this, our Apps that Love 1Password has gained another real-world feather in its cap with the release of Capitaine Train, a transit booking app for iPhone.

Capitaine Train is a train ticket booking app for European systems, in particular France (SNCF, iDTGV, iDBUS), Germany (Deutsche Bahn), UK (Eurostar), Switzerland (Lyria), Belgium and Netherlands (Thalys) and more. You can search for trips, register multiple passengers, purchase tickets (of course), and even add your trips to your calendar and Passbook for easy access.

A new 1Password button in Capitaine Train 9.0 makes it easier to log into your account. Tap the button and you’ll switch to 1Password with an auto-search for your account. Swipe your Capitaine Train item to show the Action Bar, tap the clipboard to copy your password, then switch back to paste it in and get to booking.

Capitaine 1P button GIF

1Password security doesn’t depend on SSL

The security of your 1Password data does not depend on the security of SSL/TLS. 1Password keeps your data encrypted with your Master Password. This means that, even if an attacker is able to intercept the communication between your system and a sync server, they will not be able to decrypt your 1Password data.

From the beginning, 1Password has been designed with the expectation that some people would have their 1Password data captured. As unfortunate as it is, these things happen, whether it could get stolen from synchronization servers, from people’s own devices and computers, or during transit. Because 1Password provides end-to-end encryption, it does not rely heavily on the security of the communication channel used for storing and synchronizing 1Password data.

SettingsThis is good news, because the bad news is that there is a serious bug in Apple’s implementation of the SSL/TLS in some versions of iOS and OS X. If you haven’t already done so, update your iPhones, iPads, and iPod Touches to at least iOS 7.0.6 (or iOS 6.1.6 if you are still using iOS 6) by launching the Settings app and going to General > Software Update.

Do this as soon as you can. Put this blog post on hold and do it right now, if you can (then come back and finish, because this is important). Keep an eye out for an OS X update, too, as we all hope it’s coming soon.

What’s all this about?

https lockSSL/TLS is the protocol used to secure most internet connections. It puts the “s” in “https“. The bug means that attackers who have sufficient control of a portion of a network you are using can break some of the “secure” connections between your device and some server. That is, some of these “secure” connections are not as secure as we would hope.

The actual details of the bug are very interesting and suggest a number of important lessons, but I will have to leave that for a separate article. Instead, let’s talk about what this means (or doesn’t) for 1Password.

How can this SSL bug affect 1Password

The SSL bug does not affect 1Password’s protection of your data in any way since 1Password does its own encryption of your data. This means that wherever your data resides, it is protected by strong encryption and your Master Password. So please do make sure that you have a strong, unique, memorable, and easy to type Master Password; that is your best protection.

The bad news

While Apple’s SSL bug doesn’t affect 1Password directly, it does open up a way for an attacker to learn some of your passwords if you use them over a compromised connection. When you use Safari and other clients (though not Chrome or Firefox), a supposedly secure connection between your browser and the the web server could be intercepted. This means that when you submit a password on a web page, whether or not the password is handled by 1Password, it can be intercept en route to the web server.

This not only applies to Safari, but also Mail and other software running on Macs that make use of Apple’s SecureTransport tools. 1Browser, the 1Password web browser built into 1Password for iOS, would also have been subject to this along with Mobile Safari and many other apps and tools on iOS.

But of course, you have all performed the software update on your iOS devices by now, right?

iPad Software Update

We have no reason to believe that this vulnerability has been actively exploited, but now that it is known it is important to get a fix out for OS X quickly. Until that is done, I am taking a little break from my beloved Safari and switching to another browser on the Mac. Fortunately, 1Password supports Firefox, Chrome, and Opera in addition to Safari, so I can make this switch with ease. Unfortunately, that switch does nothing for Mail.app and other utilities that rely on OS X’s SSL implementation.

To exploit Apple’s SSL bug, an attacker needs to be in a “network privileged” situation. They need to control a portion of the network between you and the service you are trying to talk to. Any Internet Service Provider or telecoms operator is obviously in a position to do so, as are governments that can compel those operators to participate. So are the operators of local networks such as in coffee shops, hotels, work places. If they (or anyone who breaks into such systems) will also be in a “network privileged” situation.

Back to the good news

As I now say for the third time (and what I tell you three times is true), the security of your 1Password data does not depend on SSL. 1Password does its own encryption, so even if your SSL connection is compromised, no one will be able to decrypt your 1Password data without your Master Password.

There are a couple of places where 1Password does use SSL/TLS, but these do not effect the security of your 1Password data.

Fetching 1Password

When you update 1Password or download it from us, that connection uses SSL. In this case, the goal isn’t to keep the download secret but to ensure that you are fetching 1Password from a bona fide source. Apple’s SSL bug could enable an attacker to subvert that check and the authenticity of your download. That check, however, is only one of several checks and safety measures to ensure that your copy of 1Password is the real deal. It is neither the last nor the most important defenses against “evilgrade” updates.

Both our updater and your operating system check the digital signature of the application before installing or running it. The details differ between 1Password for Mac and 1Password for Windows. On the Mac there is a check performed by the 1Password updater, and there is also a check performed by Gatekeeper. A failure of SSL to do its job only means that some potential attacks make it through the first of multiple defenses.

Rich icons

If you have enabled Rich Icons in 1Password 4, then the fetching of site and application icons takes place over SSL. An attacker who has been able to exploit the SSL bug would be able to monitor that traffic. However, such an attacker is already able to read your SSL web traffic and would have little need to know what rich icons 1Password is fetching, as they already know what websites you visit by watching you visit them.

A big blunder

Apple’s SSL/TLS bug is a big blunder. Hopefully it has not, and is not, being exploited. It also tells a number of stories: some about how errors can sit in plain sight without being noticed, others about how backwards compatibility enable downgrade attacks, and others the importance of systematically testing software. But those are stories that will have to be discussed elsewhere, so please join us in our discussion forum.

Apps that Love 1Password: Diet Coda, VSCO Cam

Our growing Apps that Love 1Password page got even more diverse recently with some great new additions: Diet Coda from the fine folks at Panic, and VSCO Cam.

Diet Coda iconDiet Coda

Diet Coda is an iPad-ified version of Coda for Mac, Panic’s venerable web code editor. Diet Coda speaks all the big web languages, sports a powerful text editor, and has great S/FTP tools to bring it all together.

In the new Diet Coda 1.5, adding a website you need to work on is easier than ever. When adding a new site, the password field has a new 1Password button that will switch over and automatically search your vault for the domain you entered. Just tap your item, tap the password field, tap “copy” in the popover that appears, and switch back to Diet Coda to enter your password and get editing.

VSCOcam iconVSCO Cam

VSCO Cam is a photo shooting, editing, and sharing app for iPhone from Visual Supply Co. It has its own unique sense of style and is backed by people who have done work for everyone from Apple to Levi’s to Nintendo. In other words: they know photography.

In a big VSCO Cam 3.0 upgrade, the company added quite the unique way to automatically search 1Password for your VSCO account password. Instead of a 1Password button in the password field, you can triple-tap the cam app’s login screen to make the switch. Once in 1Password, just swipe across your item to trigger the Action Bar, tap the clipboard to copy your password, then switch back to VSCO Cam to paste and get shooting and sharing.

We’d like to thank Panic and Visual Supply Co. for making it easier to login with 1Password. We really do appreciate it, and our mutual users love it.

1Password for Mac Tips: How to update your passwords

1P4 Mac update Login

In every password’s life, there comes a time to get changed. Maybe it was never a very good password to begin with, maybe you were a victim of password reuse, or maybe you were among the 200 million accounts stolen in the recent Adobe and Sony breaches.

Fact is: every password dies, not every password really lives.

When it’s time to change a password, the latest versions of our browser extension and 1Password 4 for Mac make it really, really easy. Give this a shot:

  • Use the extension to log into your service of choice
  • Go to the password reset page, it’s usually in Settings or Options somewhere
  • (Optional) If your current password is required, click our extension and mouse to the right of the Login you want to update. Your details will appear in a menu to the right. Mouseover your password and click to copy it to your clipboard, then paste it into the Current Password field in the webpage (keyboard shortcut fans will be happy to know you can do all this with arrows keys and Return to copy the password)
  • Click our browser extension and go to the Password Generator to get a unique, super strong new password. Customize any details you like (such as length or special characters), then click Fill to automatically fill it into the New Password fields on the page
  • Click the Save button in the password reset form, and the 1Password extension will offer to update your existing Login, much like that glorious window you see above. If you have multiple Logins for the current site, be sure to pick the right one to update

Click Update in that window, and your new password is now saved for your existing Login! But wait, there’s more, and you can see it if you click that little details arrow next to the Login name:

1P4 Mac update Login extra details

If you make use of 1Password’s tags and folders (you should, they’re really handy!), you can add tags and file this updated Login into an existing folder, all right from the extension. Plus, if you give 1Password 4 for Mac’s new Security Audit feature a whirl, you can get a good idea of which passwords you might want to update first. Super cool?

Very super cool.

Get 1Password for Mac, Fantastical, and more in the Parallels bundle!

Parallels bundle DEAL OF THE CENTURY

Hear ye, hear ye! Step right up and get yer Parallels Bundle with seven of the most incredible, irrefutably exceptional, absolutely indispensable apps this side of the moon!

That’s right, for a limited time—and I do mean “limited”—the good folks at Parallels are offering a Mac app bundle designed just for you! Naturally, the headliner is the full (non-upgrade) version of their own Parallels Desktop for running Windows, Linux, and any other OS right on your Mac, but accompanying it are:

  • 1Password 4 for Mac
  • Fantastical
  • Kaspersky Internet Security for Mac
  • CleanMyMac 2
  • MacHider
  • Parallels Access for iPad
  • all for just $79.99!

But wait, there’s more! if you already own Parallels Desktop version 7 or later, you can get a Parallels upgrade version of the bundle for just $49.99!

But keep waiting because there’s one more thing! If you’re looking to get everything but Parallels Desktop, you can get the bundle for the low, low price $39.99!

Ok, that’s enough exclamation points for one day. But seriously, the bundle is available only for a limited time, so run, don’t walk!