DevBits header

1Password App Extension API and time-based, one-time passwords

The App Extension API was released as a companion to 1Password 5 for iOS last year. Now that 1Password 6 is out, I’m sure some of you are curious to learn about what’s new in the API. To celebrate the App Extension API’s first anniversary, I’d like to tell you about one of its best-kept secrets: Time-based, One-time Passwords (TOTPs).

TOTP + 1Password extension = 🔐

Did you know that our App Extension API supports one-time passwords? In fact, it’s been there since version 1.5 of the API. If you haven’t already, I recommend that you upgrade to the latest version, 1.6.1. Not only can your users fill their usernames and passwords in your app with a few simple taps, their one-time passwords can be filled just as easily.

Best of all, it’s an absolute cinch to implement: simply check whether the one-time password exists in the login dictionary from findLoginsForURLString:

@IBAction func findLoginFrom1Password(sender:AnyObject) -> Void {
        OnePasswordExtension.sharedExtension().findLoginForURLString("", forViewController: self, sender: sender, completion: { (loginDictionary, error) -> Void in
            // Fill the username and password into the fields
            self.usernameTextField.text = loginDictionary?[AppExtensionUsernameKey] as? String
            self.passwordTextField.text = loginDictionary?[AppExtensionPasswordKey] as? String

            // Check if the user has a One-Time Password for the selected 1Password Login
            if let generatedOneTimePassword = loginDictionary?[AppExtensionTOTPKey] as? String {
                self.oneTimePasswordTextField.text = generatedOneTimePassword

                // Important: It is recommended that you submit the TOTP to your validation server as soon as you receive it, otherwise it may expire.

That’s all it takes to make your users’ lives much simpler.

1Password ❤ App Developers

If you have already added the 1Password app extension to your iOS app, thank you; you’re awesome! This new functionality gives you the ability to make security even more convenient for your users, and I can’t wait to see how you use it. Please don’t forget to submit your app to our Apps ❤ 1Password directory.

A newsletter just for you

You can also subscribe to our 1Password App Extension Developers newsletter. We’ll send you an occasional newsletter containing 1Password App Extension news, updates, and tricks, to help you realize the full potential of the 1Password Extension API in your iOS apps.

If you have any questions, you can comment on our GitHub project or email I look forward to talking to you!

1Password tips

Quick Tip: iOS 9 Spotlight search and 1Password

Some of the geekiest arguments I’ve ever heard have been over the way people organize apps on their iPhones and iPads. I keep my most heavily used apps on my main screen, then shove almost everything else into folders on my other screens.

The reason I can do this is because of the wonders of Spotlight search. It’s easy for me to search for and launch the app I want to use, so I don’t have to spend my mental energy trying to remember where I’ve put things.

Apple opened up Spotlight to third-party developers like us in iOS 9. My searches are now supercharged! I’ve gotta say, I love being able to find my 1Password items right from my iPhone’s home screen. I enabled Spotlight search in 1Password by going to Settings > General > Enable Spotlight Search. Now I can just pull down, type in part of the item’s title, then tap on its name in the search results. 1Password opens right to that item.

iOS 9 Spotlight search

You might have questions about the new Spotlight search and how it works with 1Password, so I put together some answers for you. If your question isn’t addressed, please let me know; I’ll be sure to update it in response to your feedback.

I’m also curious: what are your favorite iOS 9 features? Let me know in the comments!

1Password tips

Quick Tip: 1Password 6 and Slide Over

Slide Over Happy Chris

It’s been just over a week since I received my delightfully thin and light iPad mini 4. I got the orange Smart Cover, and it looks fantastic. The primary reason I decided to upgrade my iPad mini this year was to take full advantage of everything iOS 9 has to offer.

iOS 9 has a metric ton of new features, but by far my favorite is Slide Over. Combining 1Password with Slide Over is a game changer for saving time and using every bit of power 1Password has to offer.

Logging into third-party apps doesn’t get any easier than using the 1Password Extension, which is supported by many apps. However, there is the occasional app that doesn’t (yet) support the extension, and this is where Slide Over shines.

Slide Over is a new iOS 9 feature for the iPad1 that lets you swipe from the right edge of the display to bring up another app on top of the one you are currently using. Multitasking has never been faster or easier.

Let’s say I’m using my banking app, which sadly hasn’t added the 1Password extension. In iOS 8, my workflow would have looked like this: close the banking app, launch 1Password, copy the password, switch back to the banking app, and then paste.

With the combined power of iOS 9, Slide Over, and 1Password 6, I can simplify the process.

Swipe left to right in your item list to reveal the Copy Password option

Swipe left to right in your item list to reveal the Copy Password option

While in my banking app, I can swipe in from the right, unlock 1Password, slide from left to right on the bank’s Login item in the list to copy the password, and slide 1Password away. It’s that simple.

If you have an iPad that supports Slide Over, give it a shot the next time you find yourself in an app without 1Password support. And then be sure to write a nice note to the developer of that app and ask them to integrate the 1Password app extension for iOS.

We always love hearing from you. Start a conversation with us on our Support Forums, Twitter, or Facebook.

1 Supported on iPad mini 2, 3, and 4; iPad Air and Air 2; iPad Pro


Everything you need to know about 1Password and XcodeGhost

Over the past few days, security researchers from Palo Alto Networks discovered that 39 apps infected with malware found their way into the Apple App Store in China. Since the news broke, the malicious apps have been pulled from the App Store— and we’ve had a few questions about what this might mean for 1Password and password managers in general. To put your mind (and your passwords!) at ease, we’re answering some of the most common questions and concerns that iOS users have had about malware, compromised apps, and the security of 1Password.

So wait… what happened? How did this get in the App Store?

It’s kind of a long story, but we’ll make it short. In software development, there are many, many tools that can be used to build an app, and iOS developers rely on a compiler called Xcode as part of that process. A compromised version of that compiler made its way to the web in China, and was downloaded from an untrusted source. In this case, all apps built using the malicious compiler, XcodeGhost, were modified to sneak malicious code into the App Store. Though Apple works to review and screen apps for malware before they reach the App Store, in this case Apple confirmed that the attackers were able to make it through the review process without raising any red flags.

What does this malware do?

In general, most malware is designed to capture personal information and/or user credentials, and send them back home to the attacker who compromised your device. While XcodeGhost does not directly affect the 1Password application, it indirectly affects those who use the application through your device’s clipboard. In a post outlining the malware’s capabilities, senior malware researcher Claud Xaio noted that this particular strain could:

  • Prompt a fake alert dialog to phish user credentials
  • Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps
  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

Additionally, according to one developer’s report, XcodeGhost has already launched phishing attacks to prompt a dialog asking victims to input their iCloud passwords.

Should I be worried? Does this affect me?

There are a few very specific factors that determine whether your device is at risk, but overall, this vulnerability is a rare occurrence for the App Store.

  • At present, this issue mostly affects devices using the Chinese App Store, though researchers have found compromised apps in the Canadian App Store as well.
  • The malware is only in applications built using a compromised code compiler. A list of affected apps can be found on the Palo Alto Networks blog, but security researchers believe that as many as 344 apps may be vulnerable to the attack.

Will 1Password protect my data if an app on my iPhone or iPad has been infected by XcodeGhost?

We have designed 1Password with your privacy in mind at all times. We use strong, reliable encryption and take many, many measures to make our application breach-resistant. Combined, the many layers of security we’ve implemented work together to secure your passwords and protect your most sensitive data— but if your device has been compromised, there’s almost nothing that 1Password can do to defend it. As previously stated in a post on malware by Jeffrey Goldberg, our Chief Defender Against the Dark Arts:

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

Eek! My phone is infected with this— what should I do?!

First (and most importantly): don’t panic! There are a few simple things you can do to to return things to normal. If you’re positive that you’re using an app that was affected, here’s what you can do immediately to protect your data:

  1. Delete the compromised app(s) from your phone. If you are uncertain about whether an app has been compromised, it’s okay to delete it out of an abundance of caution.
  2. Change any passwords that you think may have been compromised through your device’s clipboard. Any passwords that you may have accessed through the 1Password extension are safe from this strain of malware, and do not need to be changed.
  3. Avoid redownloading or reinstalling any of the compromised apps until they have been updated. When an update has been released, be sure to download it from a trusted source once the developer has officially confirmed that a new, secure version is ready for you to use. If you’re uncertain of this, you can visit the developer’s site or check with their support team for help.

The XcodeGhost vulnerability doesn’t directly affect 1Password— we have not used the malicious version of Xcode, and the malware it injects into applications was not designed to directly compromise or target our application. Though the malware in compromised apps on any platform has the potential to put any user’s credentials at risk, especially when it can access a device’s clipboard, all technology users benefit from the work security researchers do to find vulnerabilities like this.

If you’ve made it this far down the post and still have questions or concerns, please leave a comment here or start a conversation with us in our discussion forums. You can also reach out to us on Facebook and Twitter.

iOS app update

1Password 6 for iOS: The Extreme Makeover Edition is here!

We all have a ton of passwords and important information to keep track of, and 1Password is the best place to keep it all safe and sound. Whether it’s your passwords, passport number, or credit card information, 1Password makes it convenient for you to stay secure, because we love you. 💙

Over the years, as our data has moved from our desks to our pockets to our wrists, we’ve built (and rebuilt) 1Password to have the strongest defenses and the easiest usability. With iOS 9 we’ve created some amazing new additions and we’re finally ready for the big reveal.

Meet 1Password 6 for iOS.

1Password 6 Hero

A lovely shade of #1A8CFF

One of the first things we noticed when starting this project was that 1Password was looking a little, well, monochrome. Our designers spent hours holding up paint chips under different lights and finally settled on #1A8CFF to make everything pop. We affectionately call it Bits Blue. We’ve also pushed around the pixels of the category icons to make them more delightful, and beautified 1Browser. Don’t worry, everything you know and love is still in a familiar spot; it just looks shiny, new, and wonderful.

Rolling around new passwords

A password’s greatest strengths are its length and its randomness. But let’s be honest, sometimes you need to type in a password by hand and typing ErymQd3svcqM3BPYKWh is hard.

With our new Wordlist Password Generator, you can create long passwords out of randomly chosen real words: cellist-dander-signify-esteem-elver is easy to read, easy to type, and super secure. The new generator is inspired by Arnold Reinhold’s Diceware. We think it’s an amazing concept and aligns perfectly with our goal of making it simple and convenient for you to secure your digital life.

Pro tip: Diceware passwords make terrific answers to security questions! To have 1Password remember them for you, add a custom section with a custom password field to the Login item (Pro Features required for custom fields).

Installing a Spotlight

Spotlight search has always been a handy tool in iOS, helping you find things very quickly on your iOS device: a friend’s phone number, directions to a restaurant, or that important email that is somewhere in your inbox.

Spotlight is supercharged in iOS 9, and we’re taking advantage of it. New in 1Password 6 for iOS, Spotlight can search your 1Password data from the iOS home screen and take you straight to the desired item! It’s never been faster to find an item, and 1Password doesn’t even need to be open to do it.

To start using Spotlight with 1Password, enable the feature in 1Password > Settings > General.

Landscaping improvements

1Password has always been a portrait of amazingly convenient security, but its landscape mode has been limited to the larger screen of the iPad. We’ve made some significant improvements to landscape view support on iPad, iPhone 6 Plus, and iPhone 6s Plus.

On supported iPad models, 1Password will take advantage of the new Slide Over and Split View features in iOS 9, automatically scaling to the view size you set. On iPhone 6 Plus and 6s Plus, 1Password will now use that extra space to stretch out in landscape mode, displaying your categories and items in a column alongside the detail view.

1Password 6 Landscape Hero

A more watchful security companion

You’ve been telling us how convenient it is to look up Logins, Credit Cards, Secure Notes, and Passwords on your Apple Watch, but you’ve also told us you wanted more. By popular demand, 1Password for Apple Watch now supports more category types.

Say hello to Passports, Wireless Routers, Driver’s Licenses, Social Security Numbers, and Bank Accounts right on your wrist! To add items from these categories, open the item in the iPhone app and tap Add to Apple Watch.

We’ve also added a convenient way to manually lock 1Password for Apple Watch: simply Force Touch the screen and tap the Lock button.

How much does this extreme makeover cost?

Given the fantastic new features and improvements, you might be thinking 1Password 6 is a paid upgrade, which makes what I’m about to tell you even more incredible. Basic features are still free for everyone, and if you’ve already purchased the Pro features in 1Password 5, you still have them in 1Password 6 for no additional cost. 1Password 6 is available on the App Store.

If you find 1Password useful, please take a couple of moments to leave a rating and review on the App Store. It makes a huge difference to us. Thank you very much! Remember that we can’t reply to App Store reviews, so please post requests for technical support on our forums, or email

We always love hearing from you. Start a conversation with us on our Support Forums, Twitter, or Facebook.


Jessysaurus Rex joins the AgileBits team!

An adventure 65 million years in the making

A couple of weeks ago, we introduced you to the wonder women of AgileBits, who make this company and 1Password what they are today. We’re happy to announce that a new member has joined that illustrious team. If you follow the world of online security, you may already be familiar with her (or at the very least with one of her security sign bunnies hopping around Twitter!).

JessysaurusRex - Jessy Irwin

Her name is Jessy Irwin, and she is an influential voice in the world of information security. She also happens to love dinosaurs. A published writer and presenter, Jessy champions online privacy and security and spends much of her time educating people about the need for strong, unique passwords; secure software development; and operational security (opsec). She works to raise security awareness among students and educators, and helps the average Internet citizen learn what they can do to keep themselves, their data, and their online identities secure. She’s an obvious choice and a natural fit for our team, and we’re so glad that she’s here. @1Password and Jessy have been each other’s Twitter boo for a long time, a courtship that culminated in a grand proposal. (Spoiler alert: She said yes!)

Thanks for the Storify and kind words, Matthew!

This week, Jessy was a guest on Threatpost’s Digital Underground podcast. She and host Dennis Fisher had a great discussion about passwords, student privacy, how Jessy got her start in the world of information security, and her new role at AgileBits. You can subscribe to the Threatpost podcast on iTunes or listen to Jessy’s episode on the Threatpost website.

If you’re interested in learning more about online security, I highly recommend following @1Password and Jessy on Twitter. Jessy frequently shares her thoughts on the latest tech developments (such as Wednesday’s Apple event) and how they might impact your security, as well as great articles and blog post written by some of the smartest hackers and security researchers in the world. I enjoy following her on Twitter and having her do the work of curating all those interesting articles for me.

1Password tips

Quick Tip: Move a locally synced vault

Pop quiz, hotshot. You’ve chosen to sync your vault to local storage using 1Password 4 for Android. Now you’ve got a new device and you need to migrate that data onto it. What do you do? What do you do?

Not to worry. Migrating your vault to another device isn’t as daunting as it may appear at first glance. You’ll just need access to a desktop computer and a USB cable.

Move the vault from the old device

1P4 Android bot

The first thing you’ll need to do is connect your Android phone or tablet to your desktop with a USB cable. Then, open the device to view its files and folders on your computer.

Note: If you’re using a Mac, make sure you have installed the Android File Transfer tool.

Using Finder or Windows Explorer, navigate through your device’s local storage until you find the .agilekeychain folder that is your 1Password vault. Copy the entire folder to the desired location on your computer.

Migrate to a new device

To get that vault onto a new Android device, connect the new Android to the computer with the USB cable. Then, copy the entire folder to your new device’s local storage.

Once the folder is on the new device, configure 1Password for Android to sync with local storage, as usual.

Migrating to Dropbox

If you’ve decided to switch to Dropbox for easier syncing between devices, you can do that easily. Make sure that Dropbox is installed on your Mac or Windows PC.

Once you’ve got Dropbox installed, open the Dropbox folder on your device and copy the .agilekeychain folder to it. You can use 1PasswordAnywhere to confirm that your vault transferred to Dropbox properly.

That’s it! If you’re syncing to local storage with 1Password 4 on Android, it’s a good idea to back up your vault to another device this way every now and then, just in case something bad should happen. That’s just perfectly normal paranoia. Everyone in the universe has that. :shifty_eyes:

The AgileBits team wearing their finest tin foil hats

The AgileBits team wearing their finest tin foil hats

Questions? We’d love to hear from you. Leave a comment here or join us in the forums. If you’d like to join our beta family and be the first to try new features, you’re most welcome to sign up for our beta newsletter.

Here’s to you, Mr. Sheridan!

One of the challenges we face as a tech company is making our software accessible to everyone. It’s sometimes hard to gauge, because we’re so close to it. Doing research to answer customers’ questions makes it even more difficult to take a step back and make sure we’re not getting tooooo nerdy.


That’s why I was so excited when I heard from my friend Allison Sheridan this morning. Allison hosts the fantastic NosillaCast, a technology podcast with an ever so slight (ahem) Macintosh bias. She’s previously documented her own experience of switching to 1Password, but yesterday she spoke to Ken Sheridan, her octogenarian father-in-law.

1Password for Mac logo

In this lovely interview, we learn how Mr. Sheridan was managing his passwords before Steve (his son and Allison’s husband) helped him set up 1Password. My favourite part is that we also learn how 1Password has made his digital life so much easier and more secure. This enables him to more frequently do things like check his financial accounts, which he used to do only occasionally because it was such a hassle.

We want everyone to have a great experience with our software, and Mr. Sheridan makes me feel like we’re on the right track. Have you shared 1Password with friends, kids, or parents, possibly less geeky than you? We’d love to hear your experience. Leave a comment below or stop by our discussion forums.

Thanks for introducing your family to ours, Allison. Mr. Sheridan, we’re so happy to welcome you.

The Work Smarter Sale header

The Work Smarter Sale

Over the past month, we’ve been publishing Passwords 101 lessons to Facebook and Twitter. It’s now time to apply what you’ve learned to your everyday lives, at work and at school. Of course, you could give your brain a workout and keep all these strong and unique passwords stored inside your head, but 1Password is the best way to make security simple. We’re making it easier for you to get started: 1Password is now on sale across all platforms! Save 30% on 1Password for Mac and Windows, and 50% on 1Password for iOS and Android.

Do we have any stragglers or class cutters among us? No worries! Let’s review what we covered over the past few weeks.

Password length

Length is not the only thing that will keep an attacker from figuring out your passwords, but it’s significant. 1Password makes it super easy to generate unique, long passwords; but equally important, it remembers them for you so that you don’t even have to think about trying to recall a lengthy phrase.

Personal information is NOT for passwords

It’s scary how easy it is for a determined person to find personal information about anyone on the Internet. For this reason, it’s best to keep such information out of your passwords. If your password is 30 characters long and 25 of them have some personally identifiable information, that leaves only 5 random characters! To protect your accounts, make sure that there’s zero personal information in your passwords.

Substitutions are not secure

When 1Password first started teaching me about password security, I thought I was really clever when I changed letters to numbers and symbols. They resembled the letters enough that I wouldn’t make mistakes when entering the passwords from memory. Totally secure, right? Unfortunately, no. It turns out that the bad guys are also very clever, and they account for this in their attacks! The best thing is to have 1Password generate truly random passwords for you.

Never reuse passwords

Sometimes the simplest lessons are the most important. It’s a no-brainer: if you use the same password across accounts, access to one equals access to all. That is as convenient for an attacker as it is for you! Instead, let 1Password generate and remember a unique password for each account.

This sale makes it simpler than ever for you to keep all of your important data secure inside 1Password! Head over to the Mac App Store or the AgileBits Store to purchase 1Password for Mac or Windows for 30% off its regular price. You can also snag the Pro Features in 1Password 5 for iOS and the Premium features in 1Password 4 for Android for 50% off.

As always, this is a limited time sale. Get back to school in style and ensure that you’re working smarter, not harder. If you have any questions, Professor Bits’s office door is always open. Leave a comment here or join us in the forums; we love to hear from you.

DevBits header

Web View Filling ups the awesome factor of the 1Password App Extension

App Developers, this one’s for you!

Since the introduction of the 1Password App Extension API, support for the extension has been added to over 200 apps. We are so excited by this show of support from the development community that we decided to add functionality to the App Extension API to make it even more useful for you and more powerful for your users.

Version 1.5 = (Web View Filling)^2

As most of you already know, the 1Password Extension was originally designed to fill login details (usernames and passwords) in Safari and third-party applications. Thus far, the primary use of 1Password in third-party apps has been to sign in, which means that users likely invoke 1Password only once, right after installing your app.

In the latest update, we’ve made the app extension more powerful and more versatile. I am happy to introduce you to the redesigned Web View Filling capability of the 1Password App Extension API, which will enable your users to use 1Password to fill not only Logins, but also Credit Cards and Identities in any of your app’s web views.

From a technical point of view, this updated capability works in a similar fashion to the original Web View Filling: it can fill 1Password items in web views. However, to get the best user experience from the 1Password Extension, we should treat it as two distinct capabilities. Let’s take a quick look at what makes these two options unique, so that you can determine the best choice for your use case.

Scenario 1: Authentication

Let’s say users have to sign in to a service before they can use your app. When the user opens your app, they are presented with a web view in which they can enter their username and password to log in. In this case, you do not want the user to be distracted or confused by Credit Card and Identity items. You only want the Login for the service to show up in the 1Password Extension so the user can log in quickly.

Login selection screen using app extension API 1.5

Scenario 2: Web Browsing

  • Can your users purchase items from your web store?
  • Can your users sign up for a service by entering their information in to a web view?
  • Does your app have a built-in browser?
  • Does your app have billing and/or shipping forms for users to fill?
  • Would you like the 1Password Extension to show in the share sheet?

If you answered “yes” to at least one of the above questions, consider adding support for 1Password using the wonderful new Web View Filling capability, which will enable you to permit the filling of Credit Cards and Identities. You will also benefit from the fantastic new Brain filling logic we use in 1Browser and Safari.

This capability will help make your users’ browsing experience simple and secure by filling Login details, Credit Card items and Identities.

Fill Login, Credit Card, and Identity info when using app extension API 1.5

The Code

Choosing between the two scenarios is very easy: simply decide whether you want to show the Credit Cards and Identities that the user has stored in 1Password. To show only 1Password Login items in the 1Password app extension, pass YES as the parameter for showOnlyLogins. To unlock the full awesomeness of the 1Password app extension and take advantage of the new Web View Filling of Logins, Credit Cards and Identities, pass NO. That’s really all there is to it!

- (IBAction)fillUsing1Password:(id)sender {
    [[OnePasswordExtension sharedExtension] fillItemIntoWebView:self.webView forViewController:self sender:sender showOnlyLogins:NO completion:^(BOOL success, NSError *error) {
        if (!success) {
            NSLog(@"Failed to fill into webview: <%@>", error);

1Password ❤ App Developers

I want to take this opportunity to thank all of you app developers who have already added the 1Password app extension to your apps; you’re awesome! This new functionality gives you the chance to make security even more convenient for your users, and I can’t wait to see how you use it. Please don’t forget to submit your app to our Apps ❤ 1Password directory.

A newsletter just for you

You can also subscribe to our 1Password App Extension Developers newsletter. We’ll send you an occasional newsletter containing 1Password App Extension news, updates, and tricks, to help you realize the full potential of the 1Password Extension API in your iOS apps.

If you have any questions, you can comment on our GitHub project or email I look forward to talking to you!