GopherCon Racer

Make a Pitstop in Denver and visit 1Password at GopherCon

Each year, a bunch of us make the annual pilgrimage to GopherCon, the largest and most well attended Go developer conference in the world.

We take in the sights Denver has to offer, get the best coffee around from Denver Little Owl Coffee (If you think there’s better, please tweet us 😉), and most importantly learn all about the miraculous things people are creating with Golang.

This year things will be even more special as we are the headline sponsor of GopherCon 2018!

The GopherCon organizers have some amazing things planned this year, with the racing theme in full effect. As this is our first time sponsoring, make sure you visit the 1Password Pitstop while attending the conference!

1Password Pitstop Gophers

Visit the 1Password Pitstop

If you are attending GopherCon, come and get a checkup from our expert Passwordologists at the 1Password Pitstop, and find out the best ways to secure your business and family online. We also love to hear from customers already using 1Password, so do come on over and chat about your favourite 1Password productivity features.

Our Pitstop will have will have lots of surprises, and if you come by, you’ll get the chance to meet some of the amazing people behind 1Password. It’s a great opportunity to talk shop and maybe even pick up some stickers to pimp your ride and add some bling to your device!

1Password and Go

We use Go all over the place at 1Password!

Every 1Password account relies on our Go servers. Making everything work together is no easy feat and so we needed a strong (and fast!) language like Go to create the backbone that connects all our apps together. We also use Hugo for our many of our websites.

Sharing code between our six different apps across six platforms helps us provide a consistent experience and minimize bugs. Our filling engine “The Brain”, our new password generator, and a host of other features are already built in Go. Our command-line tool is also built entirely in Go.

For more sneak peaks of the exclusive 1Password GopherCon shirt and the 1Password Pitstop, follow us on Twitter. If you are in Denver between August 27th – 30th, I really hope to have the chance to meet you in person at the conference!

HaveIBeenPwned

Watchtower: we shall fight on the breaches

1Password’s Watchtower service has been helping users identify accounts that have been affected by breaches for years. Today we’re proud to announce an enhancement to how 1Password finds and identifies breached accounts.

1Password can now use Have I Been Pwned to find accounts that have been compromised based on the email address associated with the account. It can even do this without needing to share your email address with anybody.

Before we dive in to learn about the details, take a look at the awesome work Matt and Jasper did to bring this to life.

Breach Report

There’s actually a fair amount to unpack here, and it’s difficult to see detail on a video, so let’s break down the breach report in screenshot form.

Breach Report

The Breach Report is split into three sections.

The top most section is a list of websites where an account with your email address has been identified as having been compromised, but you don’t have any information about this website in 1Password.

That’s amazingly powerful as 1Password can help you identify breaches that impact you without you having actually added information to 1Password. In this case, you’re going to want to generate a unique strong password for that website, and while you’re at it you should consider adding it to 1Password.

If it’s a website for which you have no interest in having an account, you should delete the account as opposed to ignore it. Accounts often have additional data, such as a mailing address or maybe a phone number. You should be protecting that private information, and thanks to excellent pieces of legislation like the GDPR most websites have a way to request permanent deletion of your data.

The second section lists breached websites for which you’ve got an item in 1Password, but 1Password suspects that password to be compromised. You’ll definitely want to create a new password for that website.

The last section lists breaches for which you’ve got an item in 1Password, but you’ve already updated the password so there’s nothing more to do.

How Does It Work?

The Breach Report is based on a new service provided by Have I Been Pwned which allows 1Password to query for compromised accounts based on an email address. 1Password can achieve this without needing to share the email address with Have I Been Pwned because this new service functions much like its Pwned Passwords service, and uses the same K-anonymity model. This model allows 1Password to work with Have I Been Pwned to find breaches without needing to share sensitive information with Have I Been Pwned. Let’s take a look at how that works…

Have I Been Pwned has a database with over 5 billion compromised accounts obtained from the various data breaches around the internet over the last few years. This database contains the email address associated with the account as well as a SHA-1 hash of the password that was compromised. The new service allows 1Password to look up entries in that database based on the email address.

Email Hash Illustration

In order to perform a lookup, 1Password takes the email address associated with your account, and hashes that using SHA-1. Sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your email address. Just like the Pwned Passwords service, this new service only requires the first few characters of the hash, six to be precise.

Similarly to Pwned Passwords, the process is completed within 1Password itself. Have I Been Pwned sends 1Password a list of possible matches based on the start of the hash that was sent, and 1Password needs to complete the search by looking for exact matches with the full hash that was created in the first step.

Bringing You More Info On Compromised Logins

When viewing items in the Compromised Logins section of Watchtower, you may notice that some of them have a slightly different banner at the top and include a “More Info” link.

Watchtower Notification Banner

Clicking it will bring up a panel with some information about the breach, letting you know what information in that account was made available.

Breach Info

This was made possible with the additional breach information that is provided by Have I Been Pwned.

Run, don’t walk, to change the password associated with this Login. And also change the password for any other Login item you might have that happens to share that password (you’re using strong unique passwords everywhere, right?).

Taking Watchtower Further

Have I Been Pwned allows us to push Watchtower further and do more to keep you safe online. The k-anonymity model used in both this service as well as Pwned Passwords ensures that your privacy is respected, which is incredibly important to us. We’re thrilled to be one of the first services using Have I Been Pwned in this way.

You can try it today by using Watchtower on 1Password.com, and we’re looking forward to bringing this feature to all of our apps.

Thank you Troy for building an excellent service that makes this feature possible.

 

Rick Fillion 1Password.com Lead

AG Conf 8

AGConf[8]

AgileBits Conference Travel Badge 2018

One of the many highlights of a job at AgileBits is our annual meetup, AGConf. Held in February, but anticipated year round, it’s a chance for the entire AgileBits family to get together and share a week of work and fun. For AGConf[8] this year, we sailed on Royal Caribbean’s Freedom of the Seas, from Fort Lauderdale in Florida, stopping at Costa Maya and Cozumel along the way.

New Friends 🎉

If you’ve read any of our previous AGConf blog posts, you’ll have seen that a common theme throughout is the growing size of our company. There was no sign of slowing over the last year, and in fact, I’m one of the new ones myself! It’s worth pointing out that most of us new ‘Bits were new to cruising, too – that explains the excited faces.

In fact, I remember a comment on our post last year, where a customer asked if we’d rented the entire ship to ourselves. We’re still not able to fill the 4,370 guest capacity, but we are getting closer every time. As long as we keep the family feeling that I love, new ‘Bits are certainly welcome!

Saying Hello 👋

AGConf[8] started on land for most of us. Since lots of ‘Bits work remotely, this involved travel from all over the world. After arriving, we checked Slack (which we use to communicate) for ‘Bits nearby. Very quickly, we were sharing breakfast and dinner, getting to know each other, and dreaming of the week to come.

Twelve stories up 🛳

As the morning sun rose the next day, ‘Bits staying in hotels around the port began heading to the ship. After handing our bags to the porters, we all moved towards deck 12, which appealed to us because of both the sun and drinks on offer. Once everyone had arrived, we took a team photo, had dinner, and finally went to the welcome party downstairs.

Off to work ✉

Keeping our customers happy is always a priority! Each morning, we made sure to reply to as many of you as possible – the entire AgileBits team were in the dining room sending help from sea. Being able to research answers by walking up to the right person and asking them face to face was a real luxury, and it definitely felt surreal.

There were also exciting meetings to be had, where we received support tips from Dene, and security lessons from Goldberg himself. We even looked back at 2017 and into the future. I am personally very excited about what’s to come, and I can’t wait to be able to share the details.

Brett’s the spy 🕵️‍♂️

As the cruise continued, there was lots of time for fun! I really enjoyed playing board games with the team, and Resistance was a popular choice (a game where the good guys work to identify a secret group of spies). Other cruise pastimes included karaoke, mini golf, and Isha’s scavenger hunt which I really want next year!

Fun away from the ship ☀

While there was plenty to do on the ship, there was no shortage of shore excursions on offer either! I remember the ziplining most fondly, along with the taco that I enjoyed at the beach. I’ll let the pictures do the talking, though, as I’d be here forever if I went through the adventure of choice for each Bit.

Sending birthday wishes 🎂

The final day of AGConf[8] overlapped with our Minister of Magic’s birthday. I’m glad it worked out that way – two birthday cakes were presented, and I can say with certainty that the chocolate one was delicious! Happy Birthday once again, Sara, and thanks for organising what I’d call the trip of a lifetime if I wasn’t already excited for AGConf[9].

WWDC18: Presents from Apple

Hello everyone! It’s WWDC week and a large portion of the 1Password development team is here in San Jose basking in the glow of this year’s Apple’s Worldwide Developer Conference. For me it’s my first time coming to WWDC since it was last held in San Francisco two years ago, and I absolutely love it. The conference center itself is gorgeous, and the surrounding area is wonderful. Somehow I’m finding it easier to run into folks I know, and I’ve already caught up with a bunch of old friends and made a number of new ones since I’ve arrived.

WWDC is much more than a place for me to stretch the wings of my social butterfly tendencies, however; it’s all about new tech, and boy oh boy did Apple hook us up this year. Many of us are already rocking iOS 12 and macOS Mojave on our main devices and computers and they are awesome. Not only that, but 1Password is running quite happily on iOS 12 and needs just a couple small tweaks on macOS Mojave.

iOS 12 and Password Autofill

On Monday afternoon, during Apple’s Platform State of the Union I sat down with my teammate Rudy and jumped into Apple’s newly announced Password Autofill API. By the time we were ready to grab some dinner we had a tweet-worthy demo all done:

This new capability is transformational in our ability to integrate with iOS. Starting in the next version of iOS, 1Password will be able to fill your credentials into every app that has opted into the Password Autofill functionality that Apple introduced with iOS 11 last year.

macOS Mojave and Dark Mode

After our incredibly successful launch of 1Password 7 a few weeks ago we’ve been waiting to see what Apple had in store for the Mac. On Monday we got our first glimpse of dark mode in macOS Mojave, which of course left our designer Dan itching to get back to his computer to start playing. Since then the mockups have been flowing like water:

Dan's Dark Mode Lock Screen Concept

Privacy and Security

Apple’s dedication to privacy and security are legendary and this year they introduced a whole host of new tools to help keep your computer safe. The biggest ones that we’re excited about are system integrity protection (SIP) for apps and notarized apps.

Apple’s documentation gives a concise definition of SIP at a high level:

System Integrity Protection is a security technology in OS X El Capitan and later that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.

SIP for apps allows us to opt in to these same protections for the 1Password app binary that resides on your computer. It gives you (and us!) peace of mind knowing that the app we built and shipped is the one running on your computer.

Notarized apps is the other thing that we’re really excited about. Apple is standing up a new service for developers where they can submit their app prior to release. The service will check the app, verify that it’s free of malware, and issue a certificate that will be “stapled” to the app. This certificate is then used by your Mac to verify that the version of 1Password you’re using has been screened and approved as being free of malware. Coupled with SIP, these two new technologies are going to be great for all apps, and 1Password in particular.

Wrapping it Up

While I can’t comment on rumor or speculation, you could use our previous track record to reasonably conclude that when iOS 12 and macOS Mojave ship later this year we’ll be there, on day one, with full support for both. In the meantime, make sure you sign up for the iOS beta, and opt-in to the betas of 1Password for Mac in Preferences:

1Password for Mac Beta Prefences

How about you? What was your favorite announcement from WWDC this year? Sound off in the comments below, I’d love to chat about it with you.