1Password X: Better, Smarter, Faster, and Japanese! Seriously!

If you’re new to 1Password X, you’re in for a treat! 1Password X is a full featured version of 1Password that runs entirely within your web browser. It’s great if you’re using Linux or Chrome OS and has quickly become my favourite way to enjoy 1Password on the web.

Since launching in November we’ve been hard at work exploring what’s possible and polishing everything else. I’d love to share with you what’s new since 1Password X blasted off! 🚀

Our best password generator yet

One of the things that we wanted to explore in 1Password X was how could we make our beloved password generator even better. And we were willing to go back to the drawing board to make it happen.

We started by suggesting new passwords directly within websites:

Just click Use Suggested Password when signing up and you’ve secured this website. It’s incredibly easy and perfect for most sites.

Some websites, however, don’t accept long passwords. Or sometimes you need a memorable password or a numeric PIN code.

1Password X now has a fully customizable password generator and it’s our best one yet! When you need a custom password just open 1Password from the toolbar and bring up the password generator:

In addition to looking amazing, our new generator is more powerful and easier to use than ever. You can customize everything and choose between different kinds of passwords depending on your needs.

I’ve always enjoyed the simplicity of our password generator and didn’t want to lose that as we added more options. I’m incredibly thankful that our designers found a way to pack so much power into such a simple and beautiful window.

Smarter filling and saving

Using machine learning, we can now distinguish between registration forms and sign-in forms. This is incredibly cool as it allows us to anticipate what you need and suggest appropriate actions.

When you’re on a sign-in form, 1Password X will offer to fill it for you. If you’re on a registration form, it will suggest a strong, unique password for you to use. And if you need to change an existing password, 1Password X can help you there, too:

Along with these more visible improvements, we also greatly improved form filling all around (especially credit cards and identities) and added support for those running in Incognito mode.

Faster everything

Feel the need for speed? 1Password X is packed full of it! Unlocking 1Password is now over 30 times faster and loading your items is instantaneous.

I’m now able to unlock 1Password X on my 2014 MacBook Pro faster than I can type my Master Password. I have over 3000 items in 50+ vaults spanning two accounts and I have access to everything I need before I can say “oh my”. 🙂

In addition to blazing unlock speeds, you’re also able to view your item details and fill Logins faster than ever.

To achieve this incredible speed, 1Password X caches your encrypted data locally so it’s always available. That means you always have access to your data, even when you don’t have internet or are on spotty Wi-Fi.

And so much more

We’ve added over 120 new features and improvements to 1Password X since our inaugural 1.0 release. In addition to the highlights above, some more of our favourites include creating new items, customizable auto-lock settings, and full support for Japanese!

To get started, all you need to do is install 1Password X and sign in to your 1Password account.

Oh, and there’s one more thing

1Password X initially came out for Google Chrome and since then we’ve added support for Vivaldi, Ghost Browser, and coming very soon, Opera. But as much as I love Chrome and its Chromium-based relatives, it’s time for 1Password X to support more browsers.

Mozilla does an amazing job of keeping the web an open and inclusive space for everyone to enjoy, and we want to support that. So that’s what we’re going to do! 1Password X is coming to Firefox. 🎉 🙌

We have an internal build of 1Password X running on Firefox Nightly already and we’re almost ready to share it with adventurous testers. If that’s you, please give us your email and we’ll be in touch.

There are even more exciting things planned for 1Password X and I hope to share them with you soon. Your feedback is immensely valuable in helping us set priorities so please join us in our 1Password X forum and say hi.

Onward and upwards! 🚀 😘

Install 1Password X

Give the gift of 1Password

Ever since we launched 1Password memberships, people have been asking us how they can gift 1Password to their friends and loved ones. As you might expect, we see the most interest around the holidays, and this past holiday season was no different. I always thought it was a great idea, but we didn’t have a good answer – until now.

$125 for only $99 🎉

With 1Password Gift Cards, you can help anyone stay safe online. Give them to others or redeem them for yourself. You can purchase them in amounts of $25, $50, or $125. And because everyone loves to save money, we put the $125 gift cards on sale for only $99!

Get a 1Password Gift Card

PayPal, Apple Pay, and more

Another request we’ve seen is the ability to pay for a 1Password membership without using a credit card. Gift cards make that easy.

You can purchase 1Password Gift Cards with PayPal, Apple Pay, and – because it’s 2018 – cryptocurrencies, like Bitcoin, Ethereum, and Litecoin. You can even use 1Password to manage your cryptocurrencies.

And for those of you who are like myself – a bit old-fashioned – credit cards are still an option as well. 😉

Gifts are for everyone

Giving the gift of 1Password is incredibly easy. When you purchase a gift card, you’ll receive an email with the gift code. Simply forward that email to your friend or loved one, and they can sign up for 1Password to redeem the gift card or apply it to the 1Password membership they already have.

And you don’t even have to limit gift cards to people you like. You can send one to someone you don’t like. Maybe it’ll be the beginning of a beautiful friendship. 😊

Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as much as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
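As an added illustration (not code from the original post or from 1Password), here is the prefix-query check described above carried through end to end in Python. The breach database is a constructed stand-in so the example runs offline; the optional live query uses the public Pwned Passwords range endpoint and is not called by default.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the breach database: a handful of passwords with
# made-up breach counts. The real service holds hundreds of millions of hashes.
CONSTRUCTED_LEAKED_PASSWORDS: Dict[str, int] = {
    "password": 3730471,
    "123456": 23174662,
    "letmein": 236541,
    "correct horse battery staple": 142,
}

PREFIX_LEN = 5  # only this much of the 40-character SHA-1 hex digest leaves the client


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a digest into the 5-char prefix sent to the server and the 35-char suffix kept locally."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


def build_range_index(leaked: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side (simulated): bucket every leaked hash suffix under its 5-char prefix."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for password, count in leaked.items():
        prefix, suffix = split_hash(sha1_hex(password))
        index.setdefault(prefix, []).append((suffix, count))
    return index


def simulated_range_query(index: Dict[str, List[Tuple[str, int]]], prefix: str) -> str:
    """Server side (simulated): answer a prefix query with 'SUFFIX:COUNT' lines.

    The server only ever receives the 5-character prefix, so it cannot tell which of
    the hashes in the bucket (a few hundred on the real service), if any, the client
    is interested in.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, [])))


def live_range_query(prefix: str) -> str:
    """Query the public Pwned Passwords range endpoint (needs network; not used by default)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, query: Callable[[str], str]) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns the breach count when the password is in the database, 0 otherwise.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    for line in query(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_LEAKED_PASSWORDS)
    for pw in ("password", "correct horse battery staple", "v9#Lq2!xR7pZ"):
        n = pwned_count(pw, lambda p: simulated_range_query(index, p))
        print(f"{pw!r}: {'pwned, seen %d times' % n if n else 'not found in the sample set'}")
```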

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

How to use 1Password to manage cryptocurrency

In 2017, the cryptocurrency market skyrocketed to over $600 billion. It’s the digital gold rush, and everyone wants their share. The lure of riches is too much to ignore, but there are also enormous risks. We can’t teach you how to make the best investments, but we can help you manage your cryptocurrencies securely.

I’ve been trading crypto for a while now, and to be perfectly honest, none of it would be possible without 1Password. It helps me stay secure, and creating and managing all of my credentials – 46 and counting – is an absolute breeze.

My #1 rule: Set up 1Password before investing in crypto

Before you invest in crypto, you need to take your security seriously. The best way to do that is with 1Password. I’ve seen people invest without using a password manager at all, and I’m seriously terrified for them. They create weak passwords, which they store on a piece of paper or unencrypted on their device. Or, like a number of early bitcoin investors discovered, they no longer remember their credentials. So while they may have thousands of dollars stored in a digital wallet somewhere, it’s lost forever.

There have already been reports of people losing over $100,000 by accessing their accounts on public Wi-Fi, or signing in to a fake website. While 1Password can’t protect you from insecure networks (if it’s unavoidable, always use a VPN like Encrypt.me), we can protect you from phishing sites, weak and duplicate passwords, and a foggy memory.

How to use 1Password to store your crypto

So just how can you use 1Password to manage your crypto? It depends what you’re storing: account credentials, private keys, wallet seeds and backups, or crypto addresses. I’ll shed some light on how I use 1Password to manage them all.

Exchange accounts

Exchanges are where all the action takes place. After you’ve purchased some crypto, you can send it to an exchange and trade it for any other coin on offer. Unless you only trade the top 20, you’ll need to sign up for a few exchanges to buy the coins you want.

Crypto exchange Login item

When I sign up for an exchange like Bittrex, Binance, or Kucoin, I save it as a Login item, just as I would for a regular account. I enable 2-factor authentication using one-time passwords, and I strongly recommend you do the same before depositing money there.

When I want to sign in, 1Password fills my username and password, and copies my one-time password to the clipboard for easy retrieval. Plus, it won’t fill my details anywhere except the specified URL, keeping me well protected from both man-in-the-middle and phishing attacks.


If the collapse of Mt Gox taught us anything, it’s that you should always take your coins off an exchange. To keep them safe, you’ll need to set up some wallets. Cryptocurrency wallets allow you to interact with the blockchain to store, send, and receive crypto. Because most coins have their own blockchain, you’ll likely need more than one.

Cryptocurrency software wallet Login item

There are 3 main wallet types: software, hardware, and paper. Many people prefer hardware wallets like the Ledger Nano because they’re not connected to the internet. My only advice here? Don’t buy one second hand.

I’m worried I’d lose a hardware wallet, so I use a mix of paper and software wallets and store the details in 1Password. I set up my software wallets on an encrypted Virtual Machine with the password saved as a Login item. I create a Login item for each wallet (software and paper), and use the password generator to create a wallet seed or passphrase.

If my wallet address won’t change, I set it as the username. If I create multiple addresses, I add them to a new section called Addresses for easy retrieval. And if I need to save private keys, I add a new field to the Login item, label it Private Key and set it as a password so it’s always concealed.

Cryptocurrency paper wallet Login item

Once my wallet is encrypted, I save a backup and attach it to the Login item in 1Password. This way, if I ever lose my MacBook Pro, I can restore the wallets on another computer using my wallet backups and credentials.

To help me see how my coins are spread, I can use the notes section to keep a tally. I find this especially helpful for keeping track of coins in MyEtherWallet, a paper wallet that stores both Ethereum and ERC20 tokens.

Cryptocurrency addresses

Much like a bank account, if someone in my family wants to send me crypto, they’ll need to know my wallet address and the currency tied to it. 1Password covers that, too. I simply create a Bank Account item and name it after the currency. I use the name of the wallet for the bank, and insert my wallet address into the account number field. Then I just add it to our Shared vault so it’s there whenever they need it.

Cryptocurrency address Bank Account item

Organise your crypto with tags

I have a lot of data in my vaults, and with my crypto items growing rapidly, I need a good way to organise them. Luckily, that’s a simple fix. All I need to do is tag them crypto and I can see everything at a glance.

Pay for your 1Password account with crypto

If you ever wanted to pay for your 1Password account with crypto, now you can. We’ve released 1Password Gift Cards as an alternative payment option, which you can purchase with Bitcoin, Ethereum, Litecoin, and Bitcoin Cash. When you get to the checkout, choose Coinbase as your payment method and complete your order in the cryptocurrency of your choice. Once your payment has cleared and you’ve received your gift card, you can redeem it by adding the code to your Billing page.

1Password.com gift card

Gift card Ethereum payment portal

1Password is an essential tool for managing cryptocurrency – one that I’d be completely lost without. Thanks to the flexibility of custom fields, I can save my credentials in a format that makes sense for me, and retrieve them with ease. And I can sleep soundly knowing my data is protected by 1Password’s security model.

We’d love to add some new cryptocurrency templates in a future release, so please let us know in the comments what strategies you use to manage yours.

1Password is for families

Today we’re celebrating Family Day here in Ontario and throughout other parts of Canada. It’s a great way to remind ourselves of the people in our lives who are always here when we need them. Family can mean a lot of different things – my brother-in-law Mike calling to ask if I need help shovelling snow, my aunt sharing a new card game, or a friend who needs a ride to an appointment – in the end, family means “together”.

Sharing together

Most of the time, sharing lives together is as simple as sharing a meal, sharing how your day was, and – these days – sharing Wi-Fi passwords and Netflix accounts. 1Password Families can’t cook for you or get your kids to clean their rooms, but it’s great with online accounts. In fact, it’s great for sharing a lot more than passwords, too.

The Winter Olympics in Pyeongchang got me thinking about international travel, and I’m reminded of Jeff’s post about his son’s trip to Texas. He used 1Password Families to help his son prepare for his trip to the USA for an international gymnastics training camp. I’ll let him tell the story:

I created a Texas Trip vault [and] added our passports, contact info, and a credit card for emergencies (new headphones are not an emergency). In went the flights, insurance policies, consent forms, and all the rest. Finally, I added passwords for all the ways he could reach us, from Skype to FaceTime to Zoom; although, trying to get a 15-year-old to actually talk to his parents was another matter.

It was really quite reassuring to know that all of that information was there for him to easily access on either his Mac or his iPhone.

And that’s just one example. There are as many different ways to use 1Password Families as there are families. You get to choose who has access to shared information, and everyone gets their own personal vault for stuff that’s private. But no matter what you share with your family, you can be sure that your secrets are safe.

Recovering your peace of mind

One of my favourite taglines for 1Password is “Go ahead, forget your passwords”. Taking that plunge into a world of not knowing my passwords was scary, but now that I’m here, I can’t imagine going back. There’s only one password I need to remember now: my Master Password. But what happens if I forget that?! I’d normally start to feel my peace of mind slip away just thinking about that, but thanks to my family, I don’t have to worry.

Nobody at 1Password ever has access to your information. That means that if you forget your Master Password, we can’t help you recover your account. But if you have a 1Password Families membership, you can designate another family member who can help you recover your account. You get to have peace of mind because you’re in control.

Make the switch

If you have a 1Password account and have been considering inviting your family, there’s never been a better time. There are a ton of benefits to 1Password Families, some of which I mentioned above. A family account lets you:

  • Share vaults securely. Shared vaults show up on your family’s devices instantly.
  • Recover accounts. If someone in your family forgets their Master Password or can’t find their Secret Key, a family organizer can help recover their account.
  • Simplify payment. A single subscription covers a family of 5, with room to grow.

Upgrading to a family account is as easy as inviting more people.
Simply sign in to your account on 1Password.com and click Invite People in the sidebar. 😀

Love for our 1Password Family

With that, I’d like to wrap this up with a special thank you to all of our extended 1Password family members. Without the lovely people I work with every day and all the amazing customers who have supported us over the years, 1Password wouldn’t be where it is today. Thank you! And I mean it when I say we have amazing customers. Dave and I were recently away and came back one day to our room and saw this on the door:

Thank you for making truly amazing software. I use 1Password everyday (when I'm not cruising) ❤️ @miwahall

It’s heartwarming to be making connections with people, and we’re so glad we’ve had the chance to be a part of your lives! ❤

Terraforming 1Password

A few days ago I posted this tweet:

The tweet generated quite a bit of interest from people running or managing their services, and I thought I would share some of the cool things we are working on.

This post will go into technical details and I apologize in advance if I explain things too quickly. I tried to make up for this by including some pretty pictures but most of them ended up being code snippets. 🙂

1Password and AWS

1Password is hosted by Amazon Web Services (AWS). We’ve been using AWS for several years now, and it is incredible how easy it was to scale our service from zero users three years ago to several million happy customers today.

AWS has many geographical regions. Each region consists of multiple independent data centres located close together. We are currently using three regions:

  • N. Virginia, USA us-east-1
  • Montreal, Canada ca-central-1
  • Frankfurt, Germany eu-central-1

In each region we have four environments running 1Password:

  • production
  • staging
  • testing
  • development

If you are counting, that’s 12 environments across three regions, including three production environments: 1password.com, 1password.ca, and 1password.eu.

Every 1Password environment is more or less identical and includes these components:

  • Virtual Private Cloud
  • Amazon Aurora database cluster
  • Caching (Redis) clusters
  • Subnets
  • Routing tables
  • Security roles
  • IAM permissions
  • Auto-scaling groups
  • Elastic Compute Cloud (EC2) instances
  • Elastic Load Balancers (ELB)
  • Route53 DNS (both internal and external)
  • Amazon S3 buckets
  • CloudFront distributions
  • Key Management System (KMS)

Here is a simplified diagram:


As you can see, there are many components working together to provide the 1Password service. One of the reasons it is so complex is the need for high availability. Most of the components are deployed as a cluster to make sure there are at least two of each: database, cache, server instance, and so on.

Furthermore, every AWS region has at least two data centres that are also known as Availability Zones (AZs) – you can see them in blue in the diagram above. Every AZ has its own independent power and network connections. For example, Canadian region ca-central-1 has two data centres: ca-central-1a and ca-central-1b.

If we deployed all 1Password components into just a single Availability Zone, then we would not be able to achieve high availability because a single problem in the data centre would take 1Password offline. This is why when 1Password services are deployed in a region, we make sure that every component has at least one backup in the neighbouring data centre. This helps to keep 1Password running even when there’s a problem in one of the data centres.

Infrastructure as Code

It would be very challenging and error-prone to manually deploy and maintain 12 environments, especially when you consider that each environment consists of at least 50 individual components.

This is why so many companies today have switched from updating their infrastructure manually and embraced Infrastructure as Code. With Infrastructure as Code, the hardware becomes software and can take advantage of all software development best practices. When we apply these practices to infrastructure, every server, every database, every open network port can be written in code, committed to GitHub, peer-reviewed, and then deployed and updated as many times as necessary.

For AWS customers, two major languages can be used to describe and maintain the infrastructure: CloudFormation and Terraform.

CloudFormation is an excellent option for many AWS customers, and we successfully used it to deploy 1Password environments for over two years. At the same time we wanted to move to Terraform as our main infrastructure tool for several reasons:

  • Terraform has a more straightforward and powerful language (HCL) that makes it easier to write and review code.
  • Terraform has the concept of resource providers that allows us to manage resources outside of Amazon Web Services, including services like DataDog and PagerDuty, which we rely on internally.
  • Terraform is completely open source and that makes it easier to understand and troubleshoot.
  • We are already using Terraform for smaller web apps at AgileBits, and it makes sense to standardize on a single tool.

Compared to the JSON or YAML files used by CloudFormation, Terraform HCL is both a more powerful and a more readable language. Here is a small example of a snippet that defines a subnet for the application servers. As you can see, the Terraform code is a quarter of the size, more readable, and easier to understand.


"B5AppSubnet1": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
        "CidrBlock": { "Fn::Select" : ["0", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
        "AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]},
        "VpcId": { "Ref": "Vpc" },
        "Tags": [
            { "Key" : "Application", "Value" : "B5" },
            { "Key" : "env", "Value": { "Ref" : "Env" } },
            { "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet1"]] } }
        ]
    }
},

"B5AppSubnet2": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
        "CidrBlock": { "Fn::Select" : ["1", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
        "AvailabilityZone": { "Fn::Select" : [ "1", { "Fn::GetAZs" : "" } ]},
        "VpcId": { "Ref": "Vpc" },
        "Tags": [
            { "Key" : "Application", "Value" : "B5" },
            { "Key" : "env", "Value": { "Ref" : "Env" } },
            { "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet2"]] } }
        ]
    }
},

"B5AppSubnet3": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
        "CidrBlock": { "Fn::Select" : ["2", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
        "AvailabilityZone": { "Fn::Select" : [ "2", { "Fn::GetAZs" : "" } ]},
        "VpcId": { "Ref": "Vpc" },
        "Tags": [
            { "Key" : "Application", "Value" : "B5" },
            { "Key" : "env", "Value": { "Ref" : "Env" } },
            { "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet3"]] } }
        ]
    }
}


resource "aws_subnet" "b5app" {
  # One subnet per CIDR listed for "b5app", each placed in its own Availability Zone
  count             = "${length(var.subnet_cidr["b5app"])}"
  vpc_id            = "${aws_vpc.b5.id}"
  cidr_block        = "${element(var.subnet_cidr["b5app"],count.index)}"
  availability_zone = "${var.az[count.index]}"

  tags {
    Application = "B5"
    env         = "${var.env}"
    type        = "${var.type}"
    Name        = "${var.env}-b5-b5app-subnet-${count.index}"
  }
}

Terraform has another gem of a feature that we rely on: terraform plan. It allows us to visualize the changes that will happen to the environment without performing them.

For example, here is what would happen if we change the server instance size from t2.medium to t2.large.

Terraform Plan Output

# Terraform code changes
# variable "instance_type" {
#    type        = "string"
# -  default     = "t2.medium"
# +  default     = "t2.large"
#  }

$ terraform plan 
Refreshing Terraform state in-memory prior to plan...


An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ module.b5site.aws_autoscaling_group.asg (new resource required)
      id:                                 "B5Site-prd-lc20180123194347404900000001-asg" => <computed> (forces new resource)
      arn:                                "arn:aws:autoscaling:us-east-1:921352000000:autoScalingGroup:32b38032-56c6-40bf-8c57-409e9e4a264a:autoScalingGroupName/B5Site-prd-lc20180123194347404900000001-asg" => <computed>
      default_cooldown:                   "300" => <computed>
      desired_capacity:                   "2" => "2"
      force_delete:                       "false" => "false"
      health_check_grace_period:          "300" => "300"
      health_check_type:                  "ELB" => "ELB"
      launch_configuration:               "B5Site-prd-lc20180123194347404900000001" => "${aws_launch_configuration.lc.name}"
      load_balancers.#:                   "0" => <computed>
      max_size:                           "3" => "3"
      metrics_granularity:                "1Minute" => "1Minute"
      min_size:                           "2" => "2"
      name:                               "B5Site-prd-lc20180123194347404900000001-asg" => "${aws_launch_configuration.lc.name}-asg" (forces new resource)
      protect_from_scale_in:              "false" => "false"
      tag.#:                              "4" => "4"
      tag.1402295282.key:                 "Application" => "Application"
      tag.1402295282.propagate_at_launch: "true" => "true"
      tag.1402295282.value:               "B5Site" => "B5Site"
      tag.1776938011.key:                 "env" => "env"
      tag.1776938011.propagate_at_launch: "true" => "true"
      tag.1776938011.value:               "prd" => "prd"
      tag.3218409424.key:                 "type" => "type"
      tag.3218409424.propagate_at_launch: "true" => "true"
      tag.3218409424.value:               "production" => "production"
      tag.4034324257.key:                 "Name" => "Name"
      tag.4034324257.propagate_at_launch: "true" => "true"
      tag.4034324257.value:               "prd-B5Site" => "prd-B5Site"
      target_group_arns.#:                "2" => "2"
      target_group_arns.2352758522:       "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e" => "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e"
      target_group_arns.3576894107:       "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4" => "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4"
      vpc_zone_identifier.#:              "2" => "2"
      vpc_zone_identifier.2325591805:     "subnet-d87c3dbc" => "subnet-d87c3dbc"
      vpc_zone_identifier.3439339683:     "subnet-bfe16590" => "subnet-bfe16590"
      wait_for_capacity_timeout:          "10m" => "10m"

-/+ module.b5site.aws_launch_configuration.lc (new resource required)
      id:                                 "B5Site-prd-lc20180123194347404900000001" => <computed> (forces new resource)
      associate_public_ip_address:        "false" => "false"
      ebs_block_device.#:                 "0" => <computed>
      ebs_optimized:                      "false" => <computed>
      enable_monitoring:                  "true" => "true"
      iam_instance_profile:               "prd-B5Site-instance-profile" => "prd-B5Site-instance-profile"
      image_id:                           "ami-263d0b5c" => "ami-263d0b5c"
      instance_type:                      "t2.medium" => "t2.large" (forces new resource)
      key_name:                           "" => <computed>
      name:                               "B5Site-prd-lc20180123194347404900000001" => <computed>
      name_prefix:                        "B5Site-prd-lc" => "B5Site-prd-lc"
      root_block_device.#:                "0" => <computed>
      security_groups.#:                  "1" => "1"
      security_groups.4230886263:         "sg-aca045d8" => "sg-aca045d8"
      user_data:                          "ff8281e17b9f63774c952f0cde4e77bdba35426d" => "ff8281e17b9f63774c952f0cde4e77bdba35426d"

Plan: 2 to add, 0 to change, 2 to destroy.

Overall, Terraform is a pleasure to work with, and that makes a huge difference in our daily lives. DevOps people like to enjoy their lives too. 🙌

Migration from CloudFormation to Terraform

It is possible to simply import the existing AWS infrastructure directly into Terraform, but there are certain downsides to it. We found that naming conventions are quite different and that would make it more challenging to maintain our environments in the future. Also, a simple import would not allow us to use the new Terraform features. For example, instead of hard-coding the identifiers of Amazon Machine Images used for deployment we started using aws_ami to find the most recent image dynamically:


data "aws_ami" "bastion_ami" {
  most_recent = true

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }

  filter {
    name   = "name"
    values = ["bastion-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  name_regex = "bastion-.*"
  owners     = ["92135000000"]
}

It took us a couple of weeks to write the code from scratch. After we had the same infrastructure described in Terraform, we recreated all non-production environments where downtime wasn’t an issue. This also allowed us to create a complete checklist of all the steps required to migrate the production environment.

Finally, on January 21, 2018, we completely recreated 1Password.com. We had to bring the service offline during the migration. Most of our customers were not affected by the downtime because the 1Password apps are designed to function even when the servers are down or when an Internet connection is not available. Unfortunately, our customers who needed to access the web interface during that time were unable to do so, and we apologize for the interruption. Most of the 2 hours and 39 minutes of downtime were related to data migration. The 1Password.com database is just under 1TB in size (not including documents and attachments), and it took almost two hours to complete the snapshot and restore operations.

We are excited to finally have all our development, test, staging, and production environments managed with Terraform. There are many new features and improvements we have planned for 1Password, and it will be fun to review new infrastructure pull requests on GitHub!

I remember when we were starting out we hosted our very first server with 1&1. It would have taken weeks to rebuild the very simple environment there. The world has come a long way since we first launched 1Passwd 13 years ago. I am looking forward to what the next 13 years will bring! 😃


A few questions and suggestions about the migration came up on Twitter:

By “recreating” you mean building out a whole new VPC with Terraform? Couldn’t you build it then switch existing DNS over for much less down time?

This is pretty much what we ended up doing. Most of the work was performed before the downtime. Then we updated the DNS records to point to the new VPC.

Couldn’t you have imported all online resources? Just wondering.

That is certainly possible, and it would have allowed us to avoid downtime. Unfortunately, it also requires manual mapping of all existing resources. Because of that, it’s hard to test, and the chance of human error is high – and we know humans are pretty bad at this. As a wise person on Twitter said: “If you can’t rebuild it, you can’t rebuild it”.

If you have any questions, let us know in the comments, or ask me (@roustem) and Tim (@stumyp), our Beardless Keeper of Keys and Grounds, on Twitter.

1Password command-line tool 0.2: Tim’s new toys

Some of you may know Tim, our Beardless Keeper of Keys and Grounds here at AgileBits. Tim and his team keep everything running smoothly. The servers are serving happily and the networks are flowing gracefully. Tim is also the administrator of our company team on 1Password.com.

Tim can script and automate with the best of them, and from the moment he got a preview of op, the DevOps team began bombarding us with feedback. One of the first things he asked for was the ability to create vaults, so we added that right away. But we knew we could still do more for Tim – after all he was on the nice list this year – so we got him some new toys to play with. If you’re too excited to read more, you can just start playing with op 0.2 now. To find out more, read on.

Vault into the new year

Our first gift to Tim was more control over vault access. He can now use op to add users to vaults, remove users from vaults, and even delete vaults.

So when Dave told Tim about a new project (codenamed Honey Badger), it was easy to set things up.

Dave needed two developers, Chris and Betty, as well as one of our designers, Matt, involved in the project. With the command-line tool, Tim can switch to his terminal and do this right away. After he signs in, he can create the vault needed for the project:

op create vault "Honey Badger"

But this is old news! He’s been creating vaults for months now. What’s new is that he can now give everyone involved access to that vault:

op add "Chris Meek" "Honey Badger"
op add "Betty Da" "Honey Badger"
op add "Matt Davey" "Honey Badger"

Tim can even create a script to take a list of email addresses and add everyone to the vault at once:

# Usage: add-everyone.sh "Honey Badger" < emailaddresses.txt
# Reads one email address per line from stdin and adds each to the vault
# named by the first argument (quoted, since vault names can contain spaces).
while read p; do
    op add "$p" "$1"
done

After Matt is done designing project Honey Badger, it’s just as simple to remove him from the vault:

op remove "Matt Davey" "Honey Badger"

When everyone is done with the project, Tim can use op delete vault "Honey Badger" and move on to his next gift.

New year, new groups

The next gift we gave Tim was control over group membership. He can now use op to create and delete groups and choose who belongs to them.

When Dave told Tim that Wendy was moving from the support team to the design team, Tim just casually sipped his cocoa. He knew this would be trivial. We already have groups set up for both teams, so he just ran two commands:

op remove "Wendy Appleseed" "Support"
op add "Wendy Appleseed" "Design"

Tim can also create and remove groups with op create group and op delete group if ever he needs to.

Resolve to level up your skills

The holidays may be over, but we have a feeling Tim will be playing with his new toys for many days to come. If you want to level up your own skills, head over to download this latest release and read the full documentation on our support site.

Level up with op 0.2!

Then pop in to the 1Password Support forum to let us know what you think. You’re all on our nice list, and we love hearing from you. Your feedback after the initial public beta was instrumental in shaping this release.

We’re incredibly excited to continue work on this tool, as it gives you access and control over your 1Password data in a way that’s never been possible before.

1Password keeps you safe by keeping you in the loop

This is a story with many beginnings and many threads coming together. The very short version of it is that 1Password’s browser extension was designed from the outset to keep you safe from some recently discovered browser-based attacks on some password managers.

Researchers at Princeton University’s Web Transparency and Accountability Project were investigating tracking scripts on web pages, and discovered that several of them attack browser-based password managers and extract the email addresses, usernames and sites stored in the browser’s password manager. As I said, 1Password is designed in such a way as to not be vulnerable to the kinds of attacks those scripts used. The scripts that attempt this are from Adthink (audience insights) and OnAudience (behavioralengine).

Whether or not they make malicious use of the passwords they extract, they are certainly learning which sites you have records for in those password managers. I would like to add that we’ve designed 1Password so that we cannot know which sites and services you have logins for.

There is a huge amount to say about the contemptible behavior of these trackers, and I’m hopeful that others will say so clearly. Here, I want to talk more about what all of this illustrates about 1Password’s design and our approach to security.

Saying “no” to automatic autofill

A commonly requested feature is an option that would have 1Password automatically fill in web forms as soon as you navigate to those pages in your browser. 1Password, instead, always requires that you take some action. Perhaps it is just hitting ⌘-\ or Ctrl-\, using our Go and Fill mechanism, or even setting up a 1Click Bookmark. But whichever of the several mechanisms 1Password makes available you use, you have to tell it that you want it to fill material on the page.

Plenty of you have written in over the years, saying that you would like 1Password to fill in web forms as soon as you get to a page, with no human intervention. We’ve even been told that it is a very popular feature of some other password managers.

It’s not a lot of fun saying “no” to feature requests. But that is what we have done for as long as I can remember. And for the rest of this article, I’m going to draw from something I wrote in our forums back in 2014.

Because of security concerns we are disinclined at this time to offer, even as an option, the feature you (and so many others) are asking for. […] but I do want to give you an overview of our reasoning for what might seem like an odd choice.

Automatically filling a web form with no user intervention other than visiting the page can, if combined with something that works around the anti-phishing mechanism [of 1Password], lead to an attack where lots of your usernames and passwords are submitted to a malicious site in a way that is silent and invisible to you.

The longer answer

I will use the terminology adopted by David Silver and co-authors in Password Managers: Attacks and Defenses at the USENIX security conference (2014). In the terminology of that paper, this requested feature is “automatic auto-fill” instead of what 1Password does with “manual auto-fill”. That is, 1Password requires some user intervention before it will fill a form (such as you typing Ctrl-\), instead of simply filling when you visit a page.

Although I am citing material from 2014, this kind of attack had been discussed since at least 2006, when it was noted that

It’s really not phishing, as it doesn’t actually require the user to believe anything, as the social engineering portion of the attack is not there. As such you can steal user information through any page, as long as the automatic form submission requires no user input to fill the form.

This isn’t new.

Why am I now going to talk about phishing?

One of the great security benefits of 1Password is that it helps you avoid phishing attacks. When you ask 1Password to fill information into a page, it will not fill into pages that don’t match the URL of the item.

1Password has a number of mechanisms to prevent filling into the wrong page. That is, if you go to a form at paypal.evil.com, 1Password will not fill in a password saved for paypal.com because the domains don’t match. Tricking a person into entering something like their PayPal password into something that only masquerades as PayPal is called “phishing”. The idea is that it should be harder to trick a password manager than a person. And it usually is. This is one of the many ways in which 1Password keeps you safe.

For the kinds of attacks we’ve been talking about, the malicious web page content needs to trick or bypass the password manager’s anti-phishing mechanism. If a malicious script on MyKittyPictures.example.com is going to try to grab PayPal credentials, then it is going to have to fool the password manager into thinking that it is filling into a place that matches paypal.com.

We work very hard to make 1Password do the right thing in such cases. 1Password’s anti-phishing mechanisms work very well at preventing it from filling into the “wrong” web forms. But because of the nature of the HTML, iFrames, protocols, javascript, iFrames, conventions, page designs, and iFrames, the defenses that we (and everyone) have to use are messy and involve a series of rules and exceptions and exceptions to those exceptions. (Did I mention that iFrames are a trouble spot?) It is exactly the kind of thing that we know can go wrong.

So the question we’ve had to ask ourselves is whether the anti-phishing mechanisms are strong enough that we never ever have to worry about 1Password filling data into the wrong place. We needed to decide whether the tools available for that defense are strong enough to allow us to build a mechanism that meets our standards. Unfortunately they aren’t, and so we insist on another line of defense.
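To make the two gates discussed above concrete, here is an added illustration (not 1Password’s code) of a “manual auto-fill” policy: a login is filled only after an explicit user action and only when the page’s registrable domain equals the saved login’s. The multi-label public suffix list is a constructed subset, an assumption for the example, and the domain comparison is deliberately simpler than the rules-and-exceptions a real extension needs.

```javascript
// Constructed subset of the Public Suffix List, just enough for the
// examples below (assumption; a real implementation ships the full list).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);

// Reduce a host name to its registrable domain ("eTLD+1"):
//   www.paypal.com     -> paypal.com
//   paypal.evil.com    -> evil.com      (NOT paypal.com)
//   shop.example.co.uk -> example.co.uk
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) return null;            // "localhost" and the like
  const lastTwo = labels.slice(-2).join(".");
  const needed = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  if (labels.length < needed) return null;       // a bare public suffix
  return labels.slice(-needed).join(".");
}

// Anti-phishing check: does the page's host belong to the same
// registrable domain as the host saved with the login item?
function domainMatches(pageHost, savedHost) {
  const a = registrableDomain(pageHost);
  const b = registrableDomain(savedHost);
  return a !== null && a === b;
}

// The fill decision. `userInitiated` models the Ctrl-\ / Go and Fill step:
// with "automatic auto-fill" this flag would always be true, leaving only
// the domain check between a hidden form and your credentials.
function decideFill({ pageHost, savedHost, userInitiated }) {
  if (!userInitiated) {
    return { fill: false, reason: "no user action" };
  }
  if (!domainMatches(pageHost, savedHost)) {
    return { fill: false, reason: "domain mismatch" };
  }
  return { fill: true, reason: "ok" };
}

// Constructed scenarios: a legitimate sign-in page and a look-alike host.
const scenarios = [
  { pageHost: "www.paypal.com", savedHost: "paypal.com", userInitiated: true },
  { pageHost: "www.paypal.com", savedHost: "paypal.com", userInitiated: false },
  { pageHost: "paypal.evil.com", savedHost: "paypal.com", userInitiated: true },
];
for (const s of scenarios) {
  const d = decideFill(s);
  console.log(`${s.pageHost} (user action: ${s.userInitiated}) -> fill=${d.fill} (${d.reason})`);
}
```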

Invisible forms

The fields in which usernames, passwords, credit card numbers, and so on get filled won’t always be visible to you. Any page could have a form on it that you don’t see. If the designer of the form is attempting to trick a form filling mechanism, there is no way that 1Password could actually check to see if the fields really are visible.

So if the anti-phishing mechanism can be tricked, then when you visit a malicious web page (including those that have malicious tracking scripts on them) you could have your private information silently and invisibly stolen if automatic auto-fill were in place.

Sweep attacks

The malicious form could be designed to reload itself pretending to be a different site each time. That is, a single malicious injection point could trick your automatically auto-filling password manager into giving up your passwords for many different sites. David Silver referred to these as “sweep attacks”, and that is what it appears these advert trackers are doing.

At this point, I have not fully studied their scripts to know the precise mechanisms they used, but it certainly is some form of sweep attack.

Doing good and doing no harm

Here is where I go off on a bit of a philosophical abstraction. As I’ve said, I don’t believe that a password manager can offer 100% absolute protection against phishing. But suppose there is one attack out of a million in which it fails to protect against phishing. If you use 1Password, you are much safer against the other 999,999 attempts and you are no worse off than you would be without it. Even in that one in a million case, using 1Password doesn’t add to your risk.

But now contrast that with a password manager that does allow automatic autofill. A password manager that can be subject to a sweep attack enables a kind of attack that wouldn’t be possible without the use of a password manager.

If you are using a password manager that allows for automatic autofill, turn that feature off. If you are using a password manager that doesn’t allow you to turn that feature off, switch password managers. And when you consider making such a switch, please remember that we’ve never allowed automatic autofill at any time in our more than 10 year history. We believe that you have to be in the loop when it comes to giving your secrets to anyone else. That design philosophy helps keep you safe and in control.

It ain’t over till it’s over

I’m sure that there will be more news to come over the next few days or weeks about the extent of these malicious trackers and precisely which password managers were affected. So please follow the comments for more information.

Fireside with Monty: 1Password 6.8 for Windows is here!

Monty and his fellow ‘Bits have been busy here getting ready for the holidays and just couldn’t wait to deliver the latest update – in fact, they decided to send it out on Monday! With over 100 changes, there is more inside our newest version than ever before, so let’s settle in with a warm cup of cocoa and review. 🎄 ☕

A place for everything and everything in its place

A picture is worth 1,000 words, and we think the new All Vaults view definitely fits that bill! Within Settings, you can now customize which vaults you want to appear. At the office PC? Have your work items front and center. At home? Keep those personal items right where you need them. Also, searching has never been easier with the new tag: option. Add tags to your items and make filtering simple, or use it by itself to display untagged items.

What’s on the menu(s)?

If you find yourself unwrapping a shiny new device over the holidays, you can unlock 1Password for Windows and set things up in a flash! 🎁 Use the Accounts Menu to copy your account credentials, or display your Setup Code right within the Windows app. You can also see the complete release notes from the Help menu (but here’s a link too 🙂). The Help menu also points you towards our support site, where you can find tons of articles and tips to help make the most of your 1Password experience. And if you need a personal hand, our Team is always here for you! 🤗

Shiny tinsel too!

There’s something about the sparkle from a new display… 🌟 We wanted to make sure we’re taking advantage of new screen resolutions and have given everything a fresh, new update. From a modern translucent sidebar, to revamped context menus, to new icons for your accounts and vaults within the Share menu, the new 1Password interface looks amazing! If you’re listening rather than watching, screen readers will now announce even more when navigating 1Password, making it sound just as good as it looks.

Stocking stuffers

As you can tell, we’re super excited that we’ve been able to fill your 1Password for Windows stocking with so many treats! If you’ve been following along with the version numbers, you’ve noticed that we are getting closer and closer to version 7.0 – it is going to be a very exciting new year for us here and we’re happy to have you along! 🎉😊

Have a happy, safe and secure holiday and, as always, please let us know what you think on our support forum.

The 1Password Slack app makes administrators happy

Our all new 1Password app for Slack automatically posts messages in Slack when important events happen on your team. It also includes some new functionality that makes it easy for administrators to stay coordinated.

Let me tell you a story about how Slack can be so much more powerful than email.

Going crazy

Once upon a time, there were three administrators: Jeff, Dave, and Roustem. Dave needed more help developing 1Password X, so he hired a new team member. You won’t be surprised to know that part of that process includes inviting the new hire to our 1Password team.

Once the new team member accepts their invitation and joins the team, their membership needs to be confirmed. To make this easier, 1Password sends a helpful email to all the administrators.

Jeff checked his mail the soonest and quickly confirmed the new team member. Dave was busy working on 1Password X, so he didn’t even have a chance to see the email. A few hours later, Roustem took a break from coding and saw the email. When he went to confirm the new team member, he saw that there were no team members to confirm. Did something go wrong? Or had someone else already beat him to it?

Roustem knew there had to be a better way and almost started to code the solution himself. Then he realized he was in the middle of five other things, so he let me take a crack at it. :)

Staying sane

Slack had all the tools we needed to create an intuitive system to keep all the administrators on a team in sync. The Slack API is really simple to work with, and I was able to have a shiny new Slack app up and running in about a week.

There are two kinds of messages that can be posted in your Slack workspace, and you can choose to post them in a single channel or separate ones.

Alerts that require action

1Password Teams can now post alerts in Slack for things that need your attention, so you can take action right away. But the main problem we wanted to solve was having some way to let administrators know what didn’t need their attention anymore.

After an action is completed, the message is automatically updated to let everyone else know. You’ll immediately know when someone else has already completed the action.

Notifications that let you know what’s up

Every day stuff happens on your team that doesn’t necessarily require you to take action. But it’s handy to have it all in one place. Notifications are informational messages that allow you to keep tabs on important activity, so there are no surprises.

For example, seeing that everyone is signing in from locations that you expect can help ease an otherwise stressful day for an administrator.

Happy administrators

The 1Password Slack app is easy to set up. You can get started today in your account settings:

Use the 1Password Slack app

Roustem couldn’t be more pleased. We hope you are too. Let us know what you think in the comments.

If you’re curious about some of the technical aspects of how we securely authorize with Slack, check out our post on the Slack Platform Blog.