A Sneak Peek At 1Password 3.6

After months of 1Password 3.6 beta testing by our valiant forum patrons and early adopters, we are pleased to say that 1Password 3.6, a free update for all v3 owners, is nearly ready for its public debut. This has been our longest running beta since version 3.0 debuted almost 2 years ago, and there’s some great stuff in here that we’re excited to show you.

1Password 3.6 is scheduled to be released in late Spring, and since it’s such a big deal, here’s a sneak peek at some of its highlights:

  • Lion support! We pounced on Mac OS X 10.7 Lion as soon as Apple unleashed it upon developers for testing. Lion is scheduled to ship sometime this summer, but 1Password 3.6 is primed and ready for it, including an all new Safari extension with a revamped interface that we introduced in our Chrome extension last November. As of this blog post, our extensions for Chrome and Firefox work fine with their current versions on Lion, too. Check out Dave’s post last weekend for a little more info on this new design.
  • Snow Leopard and Lion only: Now that 10.7 Lion is supported, 1Password 3.6 will retire support for 10.5 Leopard in order to keep 1Password lean and mean. Our stats show that a whopping 89% of 1Password users have upgraded to 10.6 Snow Leopard, while 3% are already on Lion (sounds like a lot of developers use 1Password!). This also means that 1Password 3.6 has gone Intel-only. As usual, though, we’ll keep 1Password 3.5.9 (and every version back to 0.8.0!) available for download on our 1Password release history page. If you’re on Leopard, 1Password 3’s built-in update tool will not auto-update you to version 3.6.
  • Firefox 4 only: To keep up with Google Chrome’s increased development cycle, Mozilla is doing things like dropping PowerPC support (Firefox 4 is Intel-only) and implementing its own auto-upgrade policies to usher remaining users away from Firefox 3.x as quickly as possible. In fact, Firefox 5 is already in beta, so we need to pick up our pace too (though stay tuned for news of our Firefox 5 extension). While 1Password 3’s update tool will not auto-update Leopard users, it will auto-update for Snow Leopard and Lion users regardless of Firefox version. If you prefer to stay on Firefox 3, please disable 1Password’s auto updater under 1Password > Preferences > Updates now.

1Password 3.6 has plenty of other improvements that we’ll detail soon in a more thorough post. But these are the big ticket items that we wanted to discuss ahead of time to help users decide on their upgrade plans. If you’re willing to help us beta test 1Password on Lion and you just can’t wait to check out version 3.6’s improvements, or you’ve already upgraded to Lion and you just need 1Password to work in Safari, go to 1Password > Preferences > Updates and enable the “include beta versions” option. Then hit the “check now” button and perform the upgrade. You can also check this forum post for more detailed instructions and screenshots.

Thanks for helping us test 1Password! We’re really excited about this version and supporting Lion, so join us in our forums to let us know what you think!

Using 1Password in Safari on OS X 10.7 (Lion)

Happy Memorial Day! I thought our friends in the US would appreciate a surprise on their holiday: 1Password now has great support for OS X 10.7! This will give everyone something to play with during their long weekend. :)

OS X 10.7 brings some fantastic changes and ushers in a completely new approach to how 1Password integrates with Safari. We’re really excited about the possibilities enabled by this new technology. One of the biggest changes you’ll see immediately is an entirely new UI:

Please see this forum post for details on how to enable 1Password on Lion:

Enabling 1Password in Lion

If you have any questions or problems, please [join us in the 1Password beta forum][1] and we’ll be happy to help. Enjoy the rest of your weekend! And if you’re not in the US, call in sick on Monday. That’s my plan anyway. ;)

[1]: http://forum.agile.ws/index.php?/forum/12-1password-3-beta-builds/

Here's to five years of 1Password

Know what happened on this day in history? Sure, Smart introduced the US to its new car, the Soviet Union got on board with banning nukes from outer space, and Pete Townshend wrote the anthem of a generation. Oh yeah, and it’s the tenth anniversary of Apple’s first retail store.

It’s also the day that Roustem Karimov and Dave Teare, co-founders of AgileBits, released the first beta of 1Password to the world.

Yep, on May 19, 2006, version 0.8 of 1Password became the first that Mac users had the pleasure of experiencing (a public beta, of course). Back then, we were still called Agile Web Solutions, and 1Password was missing a couple letters from its name. I remember discovering “1Passwd” when I wrote for TUAW and immediately becoming enamored with it.

1Password has come a long way in five years. It’s kept pace with new browsers and Mac OS X releases, gained a bunch of great new features from Secure Notes to Dropbox syncing and 1PasswordAnywhere, and it even gained a Windows version! It also picked up those missing letters and, more recently, we changed our name to AgileBits.

This is also probably a good time to mention that I’m back! I joined the company in 2009, got tempted away by Macworld in 2010, and have since returned to my senses. Fortunately, Roustem, Dave, Nik, and my other friends at AgileBits were in a generous mood, so I was able to return and don a few different Agile hats, including the Agile Blog.

But back to the app of the hour: 1Password. It’s become the password and identity manager to have, and we owe it all to you. As we toast to five years of our flagship product, we also toast you, our fantastic customers, for making it happen.

Dropbox security revisited: Plus ça change

Plus ça change, plus c’est la même chose (The more things change, the more they stay the same)
— Jean-Baptiste Alphonse Karr

Summary: Dropbox remains safe for 1Password use despite some high profile discussion of its security.

Keeping up with news about security issues can make your head spin. It certainly does that to me. Most often important news gets little public attention, and at other times non-events go viral. I think the latter has happened with respect to the complaint filed against Dropbox (PDF) with the United States Federal Trade Commission.

Naturally, when I heard that the complaint had been filed I had to read it closely. After all, the security of Dropbox is of great concern to us all. So what did I find? I found that every security issue mentioned in the FTC filing was something that we had already looked at. I discussed all of these points in an earlier posting.

There is no new information in the FTC filing or discussion surrounding it, and so the conclusion posted earlier still stands:

[T]here is no need to panic about Dropbox security. The issues that have come up all do raise very legitimate concerns about how Dropbox presents their security claims and addresses issues when they arise, but the actual issues are not nearly as serious as some of the discussion would suggest. They are even less of an issue for 1Password users. Your sensitive information in your 1Password data is extremely well encrypted and we remain comfortable recommending syncing with Dropbox.

It seems that not even I can resist blogging about the FTC filing, but recent news has put me in the position of having to say that just because there is new “news” doesn’t mean there is new information. Real security must be based on level-headed assessments of the threats, whether those are highly publicized or – as is more common – are only discussed by those in the field.

Informed users are the best users

Informed users are the best users, and the outpouring of questions to us regarding Dropbox let us know that you want to be informed. I am delighted by this, but it has also meant that we haven’t been able to respond to queries as quickly as we would like. We are all working hard to catch up, and we should soon be back to providing the speedy responses you deserve and have come to expect from us.

We are AgileBits

It’s kind of fitting that we reinvent ourselves (reborn, if you will) just in time for Mother’s Day, eh? (Mother’s Day is this Sunday in the States.) Agile Web Solutions, Inc. is now AgileBits. Out with the stodgy old name, in with the new! There are a couple of reasons we’ve made this change:

  • Our fantastic friends over at Smile Software changed their name from SmileOnMyMac and we got jealous.
  • I use the word “bit” with joyful abandon, almost too frequently.

Okay, those aren’t the real reasons. The truth is that we didn’t feel that our company name accurately reflected who we are anymore. In all seriousness, there was too much seriousness! We’re a simple, fun-loving bunch. We work hard, changing direction on a dime. We’re Pac-Man, and—as you already know if you keep up with 1Password for Mac beta releases—we chomp bits. =]

So, that’s today’s news. Please pardon the debris while we clean up a bit (see? I told you!) around here. Give us a few days to get things sorted, and if you still see references to “Agile Web Solutions” anywhere, please let us know so we can change it to AgileBits.

Thanks, and Happy Mother’s Day!

Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too.

What happens if someone gets hold of your encrypted 1Password data? What would it take to “crack” it? From the beginning, we’ve designed the 1Password data format with the knowledge that some people would have their computers stolen. I want to briefly talk about one of those design elements: PBKDF2.

The abbreviation PBKDF2 stands for “Password Based Key Derivation Function version 2” and does not stand for “Peanut Butter Keeps Dogs Friendly, Too”, but my dogs love peanut butter, and I do find the latter easier to remember. I need to remember “PBKDF2” because it is a very important, though behind-the-scenes, part of your security.

PBKDF2 deliberately slows down the process of getting from a password to an actual decryption key. The idea is to make using automated password guessing tools, such as John the Ripper, impractical.
PBKDF2 strengthens what would otherwise be the weakest part of a system, your master password. PBKDF2 is called a “Key Strengthening Protocol” for this very reason.

It works by forcing the process that goes from your master password to the derived key to go through a large number of complicated iterations. Each time through, the data is transformed using a keyed hash function called HMAC-SHA1, and the resulting intermediate key is fed back into the whole thing again.

For our current (1Password 3) Agile Keychain format, we’ve set things to use 1000 iterations. [Update: changed to 10000 in November 2012] Without PBKDF2, a password guessing program could try hundreds of thousands of passwords per second; with PBKDF2, that number is dramatically reduced because there is no way to test a possible master password without performing all of those operations. PBKDF2 may cause a fraction of a second delay for you when you enter your master password, but that fraction of a second quickly adds up when a password cracker is trying millions of passwords.
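To make the iteration loop concrete, here is an added example (not 1Password’s own code; the salt and the guess strings are constructed sample values) that spells out PBKDF2 with HMAC-SHA1 exactly as RFC 2898 defines it, checks it against Python’s built-in implementation, and times how much each extra iteration costs a guessing program that must run the full derivation for every candidate master password:

```python
import hashlib
import hmac
import time


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1 as the pseudo-random function.

    For each output block i: U1 = HMAC(password, salt || i), then every further
    round feeds the previous output back in (Uj = HMAC(password, Uj-1)), and the
    block is the XOR of all rounds. An attacker cannot test a guess without
    doing every round, which is where the slowdown comes from.
    """
    h_len = hashlib.sha1().digest_size          # 20 bytes per block
    blocks = -(-dk_len // h_len)                # ceiling division
    out = b""
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
    return out[:dk_len]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bool:
    """Cross-check the hand-written loop against hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dk_len)
    return pbkdf2_hmac_sha1(password, salt, iterations, dk_len) == expected


def guesses_per_second(iterations: int, trials: int = 100) -> float:
    """Rate at which one thread can test candidate passwords at a given
    iteration count. Uses the C implementation so the comparison reflects
    the algorithm's cost rather than Python overhead."""
    salt = b"constructed-16B-salt"              # constructed sample value
    start = time.perf_counter()
    for n in range(trials):
        hashlib.pbkdf2_hmac("sha1", b"guess%d" % n, salt, iterations, 32)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    for c in (1, 1000, 10000):
        print(f"{c:>6} iterations: {guesses_per_second(c):,.0f} guesses/s")
```

The first two derivations below use the RFC 6070 test vectors, so the loop can be checked against published values rather than just against another library.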

As the environment changes, we are beefing up our use of PBKDF2 even more in our next data format. Today, a good master password in combination with our use of PBKDF2 protects your 1Password data, even if it falls into the wrong hands. [Update: There have been several adjustments to PBKDF2 settings since this article was first published, as can be seen in various articles on this blog that discuss PBKDF2]

Coming soon will be a blog post about what makes for a good master password.