Get to know 1Password Teams: Security Audit & Watchtower

You’ve moved over to 1Password Teams, invited your team, set up custom groups and laid out a recovery plan. Simply by using 1Password, your company is now far more secure than when you started. But how can you know your team is safe from online security breaches? Your teammates could go through their passwords one by one and make them stronger, but there’s a better way: Security Audit.

Save time with Security Audit

Security Audit is a powerful and essential tool designed to help your teammates take charge of their online safety. It’s available to all 1Password Teams customers.

Security Audit lives in the sidebar in the 1Password desktop apps. It highlights any passwords which are too weak or which have been reused in multiple places. When you see a password in this list, it’s probably time to change it.

Because everyone in your team has his or her own unique set of passwords, Security Audit looks different for each person. By asking your teammates to review their own Security Audit every once in a while, you can ensure they stay as safe as possible online.

Keep a watchful eye on Watchtower

Watchtower tells you about security breaches on the websites you have saved in 1Password. It’s included on Mac and iOS with every 1Password subscription.

Every day, Watchtower downloads a list of new vulnerabilities to your devices. It then checks this list against your logins—if any match, they’re flagged by Watchtower.

When you see the red “Vulnerability Alert” banner on a password, it’s definitely time to change it! Train your teammates to recognize this banner and respond appropriately.

How we use Security Audit and Watchtower

As a security company, we lead by example. It’s important to us that all our staff use unique, random passwords for each one of their accounts. When new team members join, they often have bad password habits that need fixing, so for them, Security Audit is a big help. Security Audit shows them exactly which accounts need their attention. They can tackle the list a chunk at a time, or change a password when they next log in to that account.

And, of course, whenever we see the red Watchtower banner, it’s all hands on deck!

Keep ahead of future problems

The overall security of your team depends on the security of each individual. It’s each person’s responsibility to keep their passwords strong and up-to-date. Security Audit and Watchtower help make this easy.

To get even more benefit out of these features, ask your teammates to:

  • Avoid reusing passwords. Always use the password generator when they sign up for a new account.
  • Turn on item counts. Choose View menu > Show Item Counts, and you’ll be able to see at a glance if Watchtower is reporting any vulnerabilities.

By the way, while Security Audit is most useful on an individual level, it also works in shared vaults. If your team has a shared vault with lots of flagged passwords, you don’t need to tackle them alone. Why not get help from others? When someone changes a password in a shared vault, it will automatically update for everyone else. By making it a joint effort, you’ll have stronger passwords in no time.

Next steps

Customize permissions for your team members, so they have as much or as little control as they need. With Pro, you can elect managers for vaults and groups, and allow others to recover accounts. To upgrade, sign in to 1Password.com and go to the Billing page.

If you’re not using 1Password Teams, it’s time to start. Sign up for a free 30-day trial, or talk to our sales team at sales@agilebits.com.

Get to know 1Password Teams: Vaults and sharing

What would 1Password be without vaults? They’re where you put your most important information to keep it safe, and they’ve been a core part of the 1Password experience since the beginning. In 1Password Teams, vaults are more useful than ever. Let’s look at how vaults can help you organize and share information within your team.

Get to know 1Password Teams: Custom groups and roles

As a 1Password Teams customer, you’re in charge of tens, hundreds, or even thousands of people, passwords, and files. Thankfully we have some fantastic tools that give you flexibility and control. Two such tools are custom groups and roles:

  • Custom groups let you organize your staff in a way that makes sense. You might want to put your IT team in one group, your accounts team in another, and sales in a third. Each group has access to the vaults it needs, so new members will be able to see the right information as soon as they join.
  • Custom roles let you decide who can perform team-level responsibilities like inviting people or recovering accounts, without giving them full admin privileges. You can also grant the ability to manage people and vaults, and a lot more. These roles supersede the built-in permissions, so you can give your team members more power, or take it away. It’s entirely up to you.


Get to know 1Password Teams: The Activity Log

In this series of posts we’ll be exploring 1Password Teams and the features that make it uniquely suited to the challenges faced by businesses. Today’s article is about the Activity Log, a rich overview of all the activity that takes place in your team.


What is activity logging?

Activity Logging is one of those features that you can’t live without once you try it. Simply put, it’s the ability to see, at a glance, anything done by anyone on your team.

Anything?

Just about. Fire up the Activity Log and you’ll be able to find out about:

  • password changes
  • team members joining and leaving
  • device authorizations
  • vault creation and deletion
  • membership changes to groups and vaults

…and more.

For each action, you see exactly when it happened, who was involved, and who was responsible. You can sort the list by date or by person, and you can click on the names of people, vaults, and groups to go right to their details. It’s the simplest and best way to audit your team and improve security and accountability.

The best part? Like everything else in 1Password, the Activity Log is fully end-to-end encrypted. No one apart from your team administrators has access to it.


1Password revisits the Today Show

My mom is always the first to whip out a business card and tell people all about how 1Password can make their lives easier. So when the Today Show reached out to us, we got to share a proud mom moment – 1Password on TV!

It’s been a few months since then, but I was still star-struck when Carley and her team contacted us again asking for a demo. Happily, your buddy Khad is as cool as a cucumber, and he answered all their questions and helped them get set up.

While it appeared that Kathie Lee and Craig were having one of those days, Carley got their full attention as soon as she mentioned passwords. (Even Kathie Lee knows you should have a different password for every account!) Carley talked about our password generator, and how you can use it to make each password unique.

Craig brought up a concern about someone getting access to the data, but once again, Carley knew that 1Password uses encryption to keep your data safe. Hopefully Craig takes advantage of Watchtower to look for repeat passwords and get them changed ASAP!

A big shout out to Mobicip, Bouy Health, and Safetrek. It was great sharing the screen with you! And a huge thank you to Carley and her team. You’re helping us keep people safe, 1Password at a time. ☺️

Get to know 1Password Teams: Account Recovery

We created 1Password Teams to solve long-standing challenges faced by businesses who need to protect their sensitive information. In this series of posts we’ll be exploring 1Password Teams and features that make it uniquely suited to these challenges. This first entry is all about account recovery, how we use it, and how to make a recovery plan.


Hey-oh Android O! 👋

Earlier this week, Google announced the availability of the Android O Developer Preview. We’ve been anticipating this for a while and its arrival certainly didn’t disappoint. The developer documentation shows lots of enhancements to existing features and a few key new ones as well. And of course, one in particular that has our entire Android team buzzing with excitement…

My producers want me to dangle that one in front of you for the next 45 minutes while I talk about the other features in Android O that don’t have much impact on 1Password. They want me to talk about the new Picture-in-Picture mode that will allow you to pretend to work while binge-watching Netflix on any Android device. Then I’ll hint that the big reveal will come after the commercial break…

Once back, I’ll launch into an explanation of how notification channels will allow you to selectively mute certain groups of notifications while leaving others untouched. From there, I’ll segue into a discussion of the neat animated effects and customizations that adaptive icons will make possible. And that will bring us to the next commercial break and more promises of things to come…

And while I’m at it, I should probably mention multi-display support, autosizing text views, integration with Google’s safe-browsing API, in-app pinning of shortcuts and widgets, improved animations and more. Seriously, there’s a lot of great stuff in this OS release. But that’s not why you’ve tuned in. That’s not what you want to read about. You want to know why we’ve got our O-faces on…

So let’s jump right into it. The best part of Android O is the Autofill Framework!

Autofill, O my!

So what do you do when you get a new present? If you’re a geek like me and that present is the Android O Developer Preview, you definitely unwrap it and play with it! In this case, “unwrapping” took a few minutes and a couple of downloads, but in short order I was ready to start my new life as an Android O developer. Within a few hours, I was able to put together a basic demo of what automatic filling with 1Password might look like.

Android Autofill Demo from AgileBits on Vimeo.

As you can see in the video, after navigating to the login page in the Twitter app, the Autofill Framework notified 1Password that there were some fields that could be filled. 1Password then responded by letting the Autofill Framework know it recognized those fields as a login form, but that it needed to be unlocked first. I was then prompted to unlock 1Password if I wanted to continue.

After I unlocked 1Password with my fingerprint, my example Twitter credentials were displayed in a dropdown provided by the Autofill Framework and automatically filled when I tapped on them.

Like all great technology, it feels like magic, and I’m in love with Android O already!

I can’t wait to share more with you as we continue to develop this into the automatic filling experience that we’ve all always wanted. In the meantime, feel free to share your curiosity, excitement, and favourite Android O features with us in the comments below.

More than just a penny for your thoughts — $100,000 top bounty

We believe that we’ve designed and built an extremely secure password management system. We wouldn’t be offering it to people otherwise.  But we know that we – like everyone else – may have blind spots. That is why we very much encourage outside researchers to hunt for security bugs. Today we are upping that encouragement by raising the top reward in our bug bounty program.

We have always encouraged security experts to investigate 1Password, and in 2015 we added monetary rewards through Bugcrowd. This has been a terrific learning experience for both us and the researchers. We’ve learned of a few bugs, and they’ve learned that 1Password is not built like the web services they are used to attacking. [Advice to researchers: Read the brief carefully and follow the instructions for where we give you some internal documentation and various hints.]

Since we started with our bounty program, Bugcrowd researchers have found 17 bugs, mostly minor issues during our beta and testing period. But there have been a few higher payout rewards that pushed up the average to $400 per bug. So our average payout should cover a researcher’s Burp Suite Pro license for a year.

So far none of the bugs represented a threat to the secrecy of user data, but even small bugs must be found and squashed. Indeed, attacks on the most secure systems nowadays tend to involve chaining together a series of seemingly harmless bugs.

Capture the top flag to get $100,000

Our 1Password bug bounty program offers tiered rewards for bug identification, starting at $100. Our top prize goes to anyone who can obtain and decrypt some bad poetry (in particular, a horrible haiku) stored in a 1Password vault that researchers should not have access to. We are raising the reward for that from $25,000 to $100,000. (All rewards are listed in US dollars, as those are easier to transfer than hundreds or thousands of Canadian dollars worth of maple syrup.) This, it turns out, makes it the highest bounty available on Bugcrowd.

We are raising this top bounty because we want people really trying to go for it. It will take hard work to even get close, but that work can pay off even without reaching the very top prize: In addition to the top challenge, there are other challenges along the way. But nobody is going to get close unless they make a careful study of our design.

Go for it

Here’s how to sign up:

  • Go to bugcrowd.com and set up an account.
  • Read the documentation on the 1Password Bugcrowd profile.
  • The AgileBits Bugcrowd brief instructs researchers where to find additional documentation on APIs, hints about the location of some of the flags, and other resources for taking on this challenge. Be sure to study that material.
  • Go hunting!

If you have any questions or comments – we’d love to hear from you. Feel free to respond on this page, or ping us an email at security@agilebits.com.

A year in the life of the Best Password Manager for Android

Hello again friends! 👋

When I last wrote about 1Password for Android, we had just released version 6.4 with support for Android 7.0 and all of its Nougat-y goodness. We’ve been hard at work since then, but before I tell you about some of the great changes we’ve introduced in version 6.5, I want to take a moment to celebrate.

I’m incredibly proud to say that we’ve been awarded “Best Password Manager” by Android Central! While we naturally think that 1Password is the best, it’s always fantastic to have a great site like Android Central back us up with their recommendation. And the timing couldn’t have been better as we were also celebrating a birthday last month… 1Password 6 for Android just turned one!

So come with us on a journey as we celebrate 1Password 6 for Android’s birthday, and look back on a year of Googly wonder!

Birthday beginnings 🎁

Let’s start with the release of 1Password 6. This was a huge release that restyled our pixels with Material Design, made unlocking your vaults quick and easy with Fingerprint Unlock, and introduced support for 1Password memberships.

In the months that followed, we released 4 major updates to 1Password 6. These updates made search available from first launch, added All Vaults to allow you to view all of your items at once, and made it easier to type passwords into other devices with Large Type. We also made 1Password more convenient to use alongside other apps by adding support for Nougat’s split-screen mode.

All of these changes were focused on making it more convenient for you to stay secure with 1Password. Features like Fingerprint Unlock and Universal Search are all about getting you to the data you need quickly. 1Password memberships make your data available whenever and wherever you need it with instant sync and web-based access through 1Password.com.

Speaking of 1Password memberships, I want to take a moment to celebrate another birthday. Not only did we release 1Password 6 for Android last February, but we also launched 1Password Families.

Enjoying Families with family ❤️

As you might imagine, I’m the resident password guru and all-around IT guy for my family. While I would never complain that it’s a burdensome job, anything that makes it easier to manage devices and accounts for Juliana and the kids is a big win for me. So when we launched 1Password Families a year ago, it was a no-brainer for me to switch us over. In the time since, my role in family tech support has gotten so much easier…

Setting up 1Password on all our devices. Our house is littered with devices spanning the Android, iOS, and Mac platforms. Setting up each one is now as simple as installing 1Password, scanning an Account Code, and entering the Master Password.

Making passwords easy! No one in my family needs to think too hard about creating strong unique passwords. Instead, we simply use the strong password generator in 1Password to create a new password for each new account we create. No re-using passwords and no arcane rules or formulas to follow.

Storing more than passwords. We also use 1Password to store everything from credit cards to passports to locker combinations. Anything that should be kept secret, yet be available whenever and wherever we need it, goes in 1Password.

Sharing with the right people. There are some items that I only want to share with Juliana and other items that I want the kids to have access to as well. 1Password makes it easy for me to organize our items into multiple vaults and share those vaults appropriately.

Recovery Time Machine

Restoring previous versions of items. I no longer need to worry that an item will be accidentally changed or deleted. If that ever did happen, the new Item History feature will help me get it back. All I need to do is log in on 1Password.com and restore the version of the item back the way it was.

As you can see, 1Password Families adds up to a lot of peace of mind for everyone and makes my IT role in my family much easier! And now that I’ve gone on about how our 1Password membership has made managing my digital life easier, I’m eager to help you do the same.

The best gets better! 🎉

In version 6.5, we’ve made it easier than ever to get started with 1Password and get straight to what matters – keeping your personal information safe and secure.

If you’re a current 1Password customer but haven’t started your 1Password membership yet, you really should check it out. We’ve made it super easy to move your items over, so you can experience the best way to use 1Password.

You can sign up for a new individual account in Settings > 1Password accounts and then migrate your existing data in with the new ability to copy items.

And if you’ve never used 1Password before, you can sign up for a new individual 1Password membership and start your free 30-day trial right from first launch. Start with something for yourself and then when you’re ready, invite family members or team members to join you.

Wowzas! what a year! 🎉

We’ve got even more new features and improvements planned for the year ahead, and I look forward to sharing more about these with you soon. In the meantime, I hope you enjoy the best version of the Best Password Manager for Android yet!

P.S. Here’s Paddy chilling on the beach after winning the Best Password Manager for Android. Our developers weren’t invited as she has us working on the next update already. She’s a tough project manager, but the results speak for themselves.

PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

Welcome to Part 3 in a three-part series of posts that go in-depth on recent events that caused macOS to prevent 1Password for Mac from launching on our customers’ machines. In this thrilling conclusion we’ll go into what we’ve learned and what the rest of the developer community needs to do to prevent this same sort of pain in their own apps.

In case you need to catch up on your reading:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

We never take for granted that 1Password is an integral part of our customers’ workflows. It’s an app that has engendered a great deal of trust, and any time we stumble and hurt our customers, we spend as much time as needed to fully understand what happened and make sure we cover our bases for the future. The events of this past week are no exception.

We’ve learned a fair amount over the last week, so let’s dive in.

Who This Affects

We went over this a bit in part 2, but we’ve been able to confirm that the issue we ran into is one that affects any Developer ID signed application also containing a Provisioning Profile. If your app has declared any codesign entitlements there’s a good chance you’ve got a provisioning profile. Often developers think of codesign entitlements only in the context of sandboxing an application, but they’re used for other things as well. In our case it is used to declare a keychain access group.

The presence of the provisioning profile will depend on your use of app services, which you can see in the Capabilities pane in the project editor when viewing the target in Xcode. If any of these options are set, there’s a relatively good chance that your app is shipping with a provisioning profile.

As a user, you can see if an app contains a provisioning profile by right clicking on the app in Finder and choosing “Show Package Contents”, then navigating to Contents and checking for an “embedded.provisionprofile” file. Seeing its expiration date requires that you open Terminal and use the security cms -D -i command followed by the path to the embedded.provisionprofile file. It will output the XML plist, which will contain something that looks like this:

<key>ExpirationDate</key>
<date>2022-02-17T23:59:55Z</date>

Generally, this provisioning profile is set to expire at the same time as your Developer ID certificate. One of the hallmarks of 1Password is that it tends to adopt the latest and greatest technologies that Apple has to offer right on day one. For this reason our provisioning profile was generated relatively early on and therefore we are one of the first ones to experience this pain.

We urge all developers that distribute an app outside of the Mac App Store to check whether their app ships with a provisioning profile, and to verify its expiration date.
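As an added example (my own script, not code from the original post or from AgileBits), here is a small POSIX sh script that automates the check just described: it decodes an app’s embedded.provisionprofile with security cms -D -i, pulls out ExpirationDate, and reports whether the profile is expired or within 90 days of expiry. The sample plist embedded in it is constructed, and the helper names (profile_expiration, profile_status, check_app) and the 90-day warning window are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check an app bundle's embedded
# provisioning profile and report whether it is expired or expiring soon.
# `security cms -D -i` and the Contents/embedded.provisionprofile path are the
# ones the post names; the parsing and comparison helpers are plain POSIX sh so
# they can be exercised against the constructed sample below on any system.

# Constructed sample of the XML plist that `security cms -D -i` prints.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>Example App</string>
	<key>ExpirationDate</key>
	<date>2022-02-17T23:59:55Z</date>
	<key>TeamName</key>
	<string>Example Team</string>
</dict>
</plist>'

# profile_expiration: read plist XML on stdin and print the ISO 8601 value of
# the <date> element that follows the ExpirationDate key; return 1 if absent.
profile_expiration() {
    ts=$(awk '/<key>ExpirationDate<\/key>/ { getline
                sub(/.*<date>/, ""); sub(/<\/date>.*/, ""); print; exit }')
    [ -n "$ts" ] || return 1
    printf '%s\n' "$ts"
}

# profile_status EXPIRY NOW WARN_AT: classify an expiry against two reference
# times (all ISO 8601 UTC, compared as 14-digit yyyymmddHHMMSS integers).
profile_status() {
    ts_exp=$(printf '%s' "$1" | tr -cd '0-9')
    ts_now=$(printf '%s' "$2" | tr -cd '0-9')
    ts_warn=$(printf '%s' "$3" | tr -cd '0-9')
    if [ "$ts_exp" -le "$ts_now" ]; then
        echo expired
    elif [ "$ts_exp" -le "$ts_warn" ]; then
        echo expiring-soon
    else
        echo valid
    fi
}

# check_app /path/to/App.app: macOS-only wrapper around the helpers above.
check_app() {
    profile="$1/Contents/embedded.provisionprofile"
    if [ ! -f "$profile" ]; then
        echo "$1: no embedded provisioning profile"
        return 0
    fi
    # security(1) verifies the CMS signature and decodes the profile to XML.
    ts=$(security cms -D -i "$profile" | profile_expiration) || {
        echo "$1: profile has no ExpirationDate"
        return 1
    }
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # 90-day warning window; BSD date syntax first, GNU date as the fallback.
    warn=$(date -u -v+90d +%Y-%m-%dT%H:%M:%SZ 2>/dev/null ||
           date -u -d '+90 days' +%Y-%m-%dT%H:%M:%SZ)
    echo "$1: profile expires $ts ($(profile_status "$ts" "$now" "$warn"))"
}

# Usage: sh check_profile.sh /Applications/Some.app [more .app bundles]
if [ $# -gt 0 ]; then
    for app in "$@"; do check_app "$app"; done
fi
```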

Short Term Fix

When we generated our new provisioning profile last week we also created a new Developer ID certificate. Both this new certificate and the associated provisioning profile expire in 2022. In the short term this buys us a bit of time.

By the time you read this 1Password 6.6.1 will have been published on our website (with a major new version in the Mac App Store as well). This new version will help some users who have been having issues with the manual update process and also comes with a load of other goodies.

Longer Term Fix

Apple has posted a thread on their Developer Forum indicating they’ve made changes to the developer center to help with this problem. Newly generated Developer ID Provisioning Profiles are now valid for 18 years instead of 5. That takes us up to 2035, just in time for us to start worrying about y2k38 bugs. If our customers are still using 1Password 6.6.1 in 2035 then they’ve certainly missed a few update notifications.

Apple recommends developers generate new provisioning profiles to obtain one that has the longer expiration date. We’ll be doing this on our side shortly.

In practical terms, this solves the issue for our customers.

Proper Long Term Fix

Ideally there would be no expiration that affects users. A few years ago I resurrected a system from 1988 and set up an operating system from 1994 on it. Expiration dates on software would have made this impossible. It pains me to think of someone being unable to run 1Password in the future out of curiosity because of arbitrary limits such as this.

The issue we’ve filed with Apple (rdar://30631939) regarding the inability to run apps with expired provisioning profiles remains open. We will continue to advocate for this to be changed and recommend that all developers of affected software do the same (please dupe the rdar). We’ll keep you updated if this changes.
