[Updated] If you use 1Password 3 for iOS and Dropbox sync, take action by September 1


Our sale ended September 6, thanks everyone!


We’ve used Dropbox in 1Password for… forever. It’s a fantastic way to sync your data between all your devices. Dropbox continues to improve and innovate, making the service more accessible, faster, and even more secure. As part of this progress, Dropbox will disable its legacy API—the bridge that lets apps talk to Dropbox—in favor of its next-generation API on September 1st.

As we all know, sync and innovation are hard work, so we sympathize with Dropbox’s need to retire an old API that’s done its bit for king and country. If you use 1Password 3 for iOS and sync through Dropbox, you need to take action before September 1. If you use any other 1Password apps, they are already built for Dropbox’s next-generation API; you don’t need to do anything.

State of 1Password and Dropbox sync

In other words:

  • 1Password 3 for Mac and 1Password 1 for Windows sync directly to the Dropbox folder on the local file system and will continue to sync with Dropbox just fine.
  • 1Password 4 for iOS (released last year) uses the latest version of the Dropbox API and will continue to sync with Dropbox just fine.
  • 1Password 1 for Android also uses the latest version of the Dropbox API and will continue to sync with Dropbox just fine.
  • 1Password 1 for Windows Phone uses an open source API based on the latest Dropbox API and will continue to sync just fine.
  • 1Password 3 for iOS, which was removed from the App Store last year, used the legacy Dropbox API. Come September 1st, this old version of 1Password will no longer be able to sync with Dropbox.

If you use 1Password 3 for iOS and sync with Dropbox, please read on for alternative sync options.

What should 1Password 3 for iOS users do?

Users of 1Password for Mac, Windows, Android, and Windows Phone, as well as 1Password 4 for iOS, have nothing to do. If you use 1Password 3 for iOS and sync through Dropbox, you need to take action before September 1.

First, confirm you are using 1Password 3 for iOS. To do this, look at the 1Password icon on your home screen and see if it matches one of the icons on the right. Now that you have confirmed your version, you have the following options.

Upgrade to 1Password 4 for iOS

1Password 4 for iOS is a brand new app from pixel to bit. It’s a single, universal app for iPhone and iPad that brought over 20 major new features and a ton of little ones, like an incredible, full-featured web browser, Favorites, a quick Action Bar, folders, and private item sharing. It was also designed to use Dropbox’s latest sync technology.

To make this transition as easy as possible, we’re putting 1Password 4 for iOS on sale! Update: The sale ended September 6, thanks everyone!

You can switch to Wi-Fi Sync

1Password 3 for iOS supports Wi-Fi sync with 1Password 3 for Mac. We have a support document & video to help you set this up, and our stellar customer support team stands by to answer any questions. Note: 1Password for Windows does not currently support Wi-Fi sync.


Why don’t you update 1Password 3 for iOS?

The short answer is: we’d like to, but we can’t. When we launched 1Password 4 for iOS last year, we removed our three previous versions of 1Password 3 for iOS from the App Store to avoid confusion. Apps removed from sale can no longer be updated.

As a small team we need to focus our development efforts on making the current versions of 1Password even better.

Do you still support 1Password 3 for iOS?

Absolutely! While 1Password 3 for iOS will no longer be updated, our Customer Support team is always willing and able to help you with any questions you have for 1Password 3 for iOS.

What if my device cannot run iOS 6?

1Password 4 for iOS requires iOS 6, which is compatible with:

  • iPhone: iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5
  • iPod touch: iPod touch 4th & 5th generation
  • iPad: iPad 2, iPad 3, iPad 4, iPad mini

If your device cannot run iOS 6, your next option is to sync with 1Password 3 for Mac over Wi-Fi, as mentioned above.

If you have any questions about how you are impacted, please contact our support team.

Heads up 1Password 3 for iPhone, iPad users: Dropbox changes are coming

Sure, we released the major, year-in-the-making upgrade that is 1Password 4 in December, but we still make the previous version 3 of 1Password Pro, 1Password for iPhone, and 1Password for iPad available in the Purchased section of the App Store on your device. In fact, we still offer our critically acclaimed support to customers who use them!

I bring this up because Dropbox is making some changes that 1Password 3 for iOS users will want to know about, especially those who haven’t used the service for sync yet. If you’re a 1Password 4 user, just keep on passwordin’; none of these changes affect you because 1Password 4 for iOS already uses Dropbox’s spiffy new services.

Long story short: Dropbox is growing like crazy, and it recently made some significant changes to its API, the service that apps like 1Password use to move your data around. 1Password 3 uses the old version of this API, which will continue to work after March, but will no longer accept new users.

If you already use Dropbox to sync your 1Password 3 for iOS data

You’re fine. We worked out a deal with Dropbox to keep that door open for the time being.

If you own 1Password 3 for iOS but never hooked up Dropbox for sync

You may have a decision to make. If you hook up 1Password 3 for iOS to Dropbox before the end of March, you’ll get grandfathered in with our other customers and can continue to use Dropbox for sync past March. If you don’t hook it up, that option will disappear when the clock strikes midnight on Monday, April 1.

No, this isn’t an elaborate and ultimately unfunny setup for an April Fool’s joke. Our April Fool’s jokes are much nerdier.

Give it some thought, but remember you only have a couple weeks to decide. Give 1Password 4 for iOS a look as well. You don’t have to take our word for it, but it really is our finest work to date with over 20 major new features like Web Mode with a full browser and form filling for Logins, Credit Cards, and Identities, the ActionBar, Global Search, viewing attachments, and more.

Either way, we love all our customers and are happy to help with any questions you have!

1Password Stories: Tips and Tricks from our customers

We hear a lot of great 1Password tips and stories from customers. Sometimes it’s a clever trick, other times it’s a great story about helping a family member, friend, or coworker discover 1Password or make a feature click in just the right way. Eventually, one of our Agile folks asked a simple question: why keep all this great stuff to ourselves?

Enter 1Password Stories, a new series we want to use to share these nuggets of awesome so everyone can get more out of 1Password. To kick this off, I want to start with some clever tricks that customers shared in our Agile forums and our Facebook Page:

  • Nick Peelman says he started using 1Password to store serial numbers for all his hardware. “I used to keep the note stored in plain text in Dropbox,” Nick wrote in our forum, “but using 1Password makes it a little easier to access, and as expected, more secure.” But wait, there’s more to it: “It’s handy to have a running list of serials for your hardware should anything ever go missing or get stolen. Storing that list securely in a cloud-based system makes it that much handier. It’s also a good way to identify your stuff among other people’s, should similar items ever get jumbled together.” Nick’s trick can be useful for all sorts of other situations, like adding these things to your insurance policy or calling customer support for service.
  • “bbinder” says he stopped bookmarking sites in browsers and started relying on 1Password and a trick involving a couple of third-party apps. After all, by saving a site for a Login, you’re already creating a bookmark in 1Password, right? bbinder fancies LaunchBar, which is a great productivity utility that lets you control your Mac and do all sorts of things with just a couple strokes of the keyboard. In June this year, LaunchBar added support for looking up and opening your 1Password Logins, which was right up bbinder’s alley: “With LaunchBar’s 1Password integration, I hit the shortcut to open LaunchBar, then type in “1p” > space bar > and start typing away to get to the 1,000+ sites I have, condensed to what I am looking for.” A similar trick works with the 1Password extension in Chrome, and bbinder is all over it: “Since Chrome is my default browser on my Mac, I get the site opened [via my LaunchBar process] and get to work after 1Password fills in the site credentials and I’m on my way. If there are other sites I need to get to in a hurry, it’s a quick Command+T to open a new tab, type in 1p and hit the tab key and start typing in the site name and 1P automatically shows the relevant sites I’m looking to access. Select the site and it directs me there and logs me in.” In other words: if you’re curious about getting more done on your Mac with just your keyboard, bbinder just might be a person to talk to.
  • Richard Gaywood, PhD, 1Password customer, and TUAW writer extraordinaire, also shared a smart idea that I’ve heard from other customers in the past: “Before my wife went into hospital last week with could-have-been-serious problems, she put her 1Password password in my 1Password. Just in case.” It’s better to be safe than sorry in unfortunate circumstances like this. Fortunately, Richard’s wife came home yesterday and I think it’s safe to say that, while this is a good idea, it’s also a good thing they didn’t have to get much use out of it.
  • Penelope Pitstop shared a great idea in our forum, too: “I use 1PW pronounceable random passwords for my security questions on any account that requires them and store them in the notes field along with the original questions — something Jeff already advocates on the Agile Blog.” I’m not going to lie, this is a great idea that we are indeed big fans of, and Penelope nails why: “It’s easier to provide them verbally if required and mitigates against social engineering attacks.”

So that’s it for now, I don’t want to drown you in too many awesome 1Password ideas from our customers all at once.

If you have your own creative use for 1Password or a great story to share about how you helped a friend, family member, or coworker discover it, please tell us on our Facebook Page or in this Agile forums thread! The best part (besides helping everyone get even more out of 1Password!) is that we’re going to send t-shirts to some of our favorite storytellers!

Thanks to everyone who has shared so far, and we’ll be back soon with more 1Password Stories.

PSA: closing the book on iOS 3 soon, here’s how to backup your app

There comes a time in every app’s life when it has to part ways with previous OSes. Sometimes the app has grown to the point where it must simply move on, sometimes it’s a mutually beneficial separation of the bytes. This time it’s a little bit of both.

1Password 3.7.1 for iPhone and iPad is in review with Apple, and it contains some typical fit and finish you would expect in a small update like this. This version will also remove support for iOS 3.0 (or, for the tech history nerds in the audience, what was originally called iPhone OS 3.0). We’ve found that the vast majority of our users have upgraded to iOS 5 and 6, so it’s time for us to streamline the app and our workflow to make 1Password even better. Plus, the latest version of Xcode, which we need in order to keep making 1Password all it can be, simply no longer supports iOS 3.

If, for whatever reason, you will continue using devices that cannot upgrade past iOS 3.x, we highly recommend backing up your current copy of the app, just in case you ever need to reinstall it (of course, you should also back up your app’s data, too, and often). As far as I know, the App Store on iPhone and iPad will not display updates that do not support the device’s OS, but iTunes may be a different story. Besides, it never hurts to be prepared for a rainy day.

Fortunately, we have instructions for backing up your current copy of the 1Password app for both Mac and Windows users. Our update is in review with Apple, but it will arrive soon and we’d like you to be better safe than sorry. As for our new minimum OS requirement, 1Password now needs iOS 4.3 or later.

1Password for iPhone, iPad 3.7 now in the App Store

Hot on the heels of our 1Password Pro 3.7 update yesterday are 1Password for iPhone and 1Password for iPad 3.7. Now they’re like three peas in one big, happy, extremely secure pod!

We basically split out the new features and fixes you saw in 1Password Pro for each individual version. So for the iPhone, you get better iPhone 5 support and bug fixes, but also a new trick: when you generate a new password, it is automatically copied to your clipboard.

For iPad, you have improved VoiceOver support, bug fixes, and a new Generated Passwords section. As long as you generate passwords on Mac, Windows, or iPhone, and sync your data file with your iPad, you can view passwords you’ve generated on those platforms.

These free updates are now live in the store, so go grab ’em!

1Password Tips: use our built-in browser on iPhone and iPad

We’ve been getting questions lately on how to add a 1Password button to Mobile Safari for iPhone and iPad. While I may have a little bit of bad news about that, I’m happy to say I have good news too. In fact, I think it’s great news about a really handy feature built right into 1Password that can save you quite a bit of time.

To cut to the chase, we can’t add our spiffy little 1Password button to Mobile Safari because Apple isn’t really feeling the extension vibe on iOS just yet. Have you noticed how you can’t add buttons for Evernote, Instapaper, or any of the other neat tools you can find in the desktop Safari Extensions Gallery? Fortunately, constraint breeds innovation. Since we can’t bring 1Password to Mobile Safari on iPhone and iPad yet, our masterful developer ninjas decided to bring some Safari to 1Password.

If you need to log into a site on your iPhone or iPad, you can, of course:

  • manually type the site URL into Mobile Safari
  • double-tap your Home button to switch to 1Password
  • find the Login item
  • tap the password, then tap copy
  • double-tap your Home button again to switch back to Safari
  • paste the password
  • go on about your way

Or you could save yourself some tapping and switching and swiping and just tap the URL of your Login item. Yeah, you read that right: we built a browser right into 1Password for iPhone and iPad.

1Password will spring open a built-in browser to open the login page, into which it should fill your credentials. In case you need to give it a hand, tap the world icon in 1Password’s browser toolbar to copy and paste anything you need. Otherwise, you can tap the site’s sign in button and go on about your business right inside 1Password, no app switching required.

You can see some examples of this stuff in action in the gallery I embedded above. Naturally, we never stop thinking about ways to improve 1Password, so let us know what you think in the forums. For now, though, I hope 1Password’s built-in browser for iPhone and iPad can save you some time while getting things done on-the-go.

1Password users should wait a bit before trying Dropbox’s two-step verification

Dropbox has just released a new, optional, two-step authentication process. 1Password 3 (Mac and iOS) and 1Password for Windows use Dropbox for synchronizing your 1Password data across systems and platforms. So anything that has to do with Dropbox security is of interest to us and to 1Password users.

The bottom line is that I recommend 1Password users not be early adopters of this. Early adopters should:

  • understand the data security gains and risks thoroughly (discussed below)
  • take steps to reduce those risks (have great backups), and
  • be very comfortable using pre-release systems

My recommendation does not reflect any criticism of Dropbox’s experimental system. It looks (from my brief exploration) like it is done extremely well. But for the large majority of 1Password users, it’s just a little early to start using their two-step authentication system.

If you would like to know more about the two-step authentication system Dropbox has just rolled out and why I am recommending a “wait-and-see” approach at this point, read on.

Stop trying to scare us away from it. What does it do?

I will return to scaring 1Password users away from jumping on Dropbox’s beta two-step authentication system later in this article. But it will be easier to do so after I’ve outlined how it works. There are also some really cool things about how the protocols for two-factor authentication work, but I will bite my tongue and leave that discussion for another day. What this means, however, is that a great deal of what I say in describing the system below is a pack of lies. I will be describing how things may superficially appear to users, not how it really works.

Dropbox calls their system “two-step verification”, and that is an excellent name for communicating what it does. I will continue to use the term “two-step authentication” because I will need to make use of the more technical term, “authentication”, further on.

Logging in

Google Authenticator

Once you have set up two-step authentication with Dropbox, then every time you log into Dropbox with a web browser or authorize a new computer or service to use Dropbox, you will be prompted to enter a special six digit code. It will be a different six digit code each time, and the code that you need to enter will be sent to your phone. So in addition to needing your Dropbox username and password to connect to Dropbox, you will also need access to your phone.

There are a number of ways that Dropbox can send the six digit code to your phone. I have been testing with Google Authenticator, and so far (I’ve only been playing with this for a few hours), it works as advertised and is easy to use.

Already authorized devices

When you first set up Dropbox on your computer or set up 1Password on your iPhone to sync with Dropbox, you do not need to authenticate those again. The ability to connect remains until you take specific steps to break that link. Enabling two-step authentication doesn’t break those existing links. So if you already have 1Password on your iPhone syncing with Dropbox, you will not need to enter a six digit code into 1Password to allow that syncing.

Linking new devices

Dropbox has just released a new version of their desktop software which is capable of dealing with their two-step authentication directly. This is great for the desktops, but you might find that you need to download the latest version from Dropbox’s download page. It looks like version 1.4.17 is the first non-beta version that natively supports two-step authentication.

As I mentioned, if you have already set up Dropbox syncing for 1Password on your mobile device it will continue to sync after you turn on Dropbox two-step authentication. If you do need to setup Dropbox syncing from 1Password after you have enabled two-step authentication, there are some additional steps you need to take. I talk about those in a separate section.

What happens when you lose your phone?

The people at Dropbox know full well that people lose access to their phones. It would be terrible if having your phone lost, stolen, or drenched meant that you could no longer get to your Dropbox data. So when you first set up two-step authentication, you will be given a “backup code”. This is a long, random, sixteen character, and impossible-to-remember code. You need to keep this someplace secure because you will need it to reset two-step authentication if you lose your phone.

The obvious place to keep such an important and hard to remember backup code is in 1Password. I set up a Generic Account under Accounts for this and added it as a Note to my Login for Dropbox in 1Password.

Now, suppose you are traveling and your phone gets stolen or damaged. If you don’t have access to a computer or device that is already linked to your Dropbox account, you won’t be able to reset two-step authentication. You won’t be able to access your 1Password data, which in turn means that you won’t be able to access many of the accounts and services you need. At least, you won’t be able to until you either get to the piece of paper where you wrote down your backup code or get to a computer or device that is already linked to your Dropbox account.

Data availability is part of data security

Dropbox’s two-step authentication eliminates one particular risk—someone breaking into your Dropbox account because they’ve discovered your Dropbox password. But it would not, for example, protect against a general Dropbox breach. Also, your 1Password data is already designed to withstand sophisticated attacks if someone does get a copy of it. Thus, the actual security gain for your 1Password data that Dropbox’s two-step authentication adds is minimal. It is of most use to people who have poor password practices and have secret, but unencrypted, data stored on Dropbox.

Data availability is just as much a part of data security as data secrecy. It is the ability to get and use your own data when you need it. For a dramatic case of what it means when people lose access to their own data, consider what happened to Mat Honan. If he had not found a way to get back into his Dropbox account after all of his personal devices and computers were wiped clean, he would have lost all access to his 1Password data.

Because phones can be easily lost, stolen, or damaged, using Dropbox’s two-step authentication increases the risk to data availability. In opting to enable two-step authentication, you are balancing one risk against another. Indeed, most security trade-offs involve balancing one kind of security with another. In this case we are considering a very small gain in protecting data secrecy against a potentially larger, but hard to estimate, risk of losing data availability.

If you insist

If you insist on trying Dropbox’s new two-step authentication process, here are a few recommendations.

1. Be obsessive about data backups

You should have backups of your 1Password data that will:

  1. be recoverable before you have access to your 1Password data. For example, if your backup is encrypted, you will need a way to get to that password before you have restored your 1Password data
  2. be recoverable if your house burns down
  3. be recoverable if your computers and devices are subject to the kind of “remote wipe” attack that Mat Honan experienced

Another way of looking at this is, if you enable two-step authentication, you should not think of Dropbox as a backup system (you shouldn’t anyway for other reasons). I know that I’ve gotten lazier about personal backups since using Dropbox (despite the fact that I shouldn’t). Any such laziness needs to be reversed if you enable two-step authentication.

One option is to make a copy of your 1Password data and burn it to a CD. Your 1Password data should include your Dropbox credentials, including the backup code. You may wish to keep a copy of that CD in your car or some location away from your other backups.

2. Write down your Dropbox backup code

Keep copies of the Dropbox rescue or backup code in a variety of places, including on paper. You need this if you lose your phone. And if you lose your phone and have serious loss of access to data on your computers, you will need to reset two-step authentication without having access to what is on Dropbox.

Setting up and using Dropbox’s two-factor authentication with 1Password

To enable Dropbox’s two-step verification, check out this document in their help center. Dropbox wants everyone who uses two-step verification to participate in their discussion forums. You should join that discussion to see instructions for enabling two-factor authentication in the first place. That is where help, updates, and important changes are discussed.

Once you have set things up and Dropbox is working correctly on your desktops, there is nothing that you need to do with 1Password on your Desktop. 1Password on the desktop doesn’t actually talk to Dropbox; it just makes use of what is in your Dropbox folder.

As I’ve mentioned before, if 1Password on your phones or iPads is already configured to do Dropbox syncing, then again, you are all set to go. Nothing changes. Dropbox has already given a token to the 1Password app which it can use for logging in. It is only if you need to set up Dropbox syncing that you need to take a few extra steps:

Step 1: Follow the normal instructions for setting up Dropbox syncing in 1Password on your device. Note that after you enter your Dropbox username and password, the login attempt will fail.

Step 2: Check your email (the email address that is your Dropbox username). You should get an email from Dropbox that looks like this (screenshot: Dropbox 2-step email).

Step 3: When you follow the link in that email you will (once you’ve logged onto Dropbox in your web browser) get to a page that looks like this (screenshot: Dropbox one-time password page).

Use the one time password presented on that page as a temporary Dropbox password back in 1Password on your mobile device.

Why am I such a downer?

I am delighted that Dropbox is rolling out a two-step authentication system. This is a good thing for Dropbox to be doing. It is particularly beneficial to those Dropbox users who use the same password for Dropbox as they do at other sites though, naturally, I hope few 1Password users are among them.

It is also early days for this feature. As development and experience progress, we will come to better understand the risks of data loss and so be able to provide advice better tuned to the actual risks. But until that time, I have to take the most pessimistic view. I wouldn’t be surprised if weeks from now I’d be encouraging pretty much everyone to sign up.

A note on multi-step authentication and 1Password

Multistep authentication has clear and obvious security benefits. So it is more than natural for people to ask why 1Password doesn’t employ it. I’m planning to write a more detailed explanation of our developing thoughts on that, but I would like to take this opportunity to discuss the difference between authentication and decryption.

When you connect to some service, like Dropbox, you or your system has to prove that it really has the rights to log in as you. That process is called “authentication”. It is the process of proving to the Dropbox servers in this case that you are really you. You can do this through a username and password; you can do this through a username, password, and code sent to your phone; you can do this by having a particular “token” stored on your computer. Authentication always involves (at least) two parties talking to each other. One party (the client) is under your control; the other (the server) is under someone else’s control.

1Password, however, involves the 1Password application (under your control) talking to your 1Password data (under your control) on your local disk (again, under your control). This is not an authentication process. So 1Password doesn’t even do one-step authentication. It does no authentication at all. 1Password doesn’t gain its security through an authentication process. Instead the security is through encryption. Your data on your disk is encrypted. To decrypt it you need your 1Password master password.

There are great advantages to this design: Your data and your decryption of it doesn’t require our participation in any way once you have 1Password. But one disadvantage is that the kinds of techniques used for multi-step authentication are entirely inapplicable to 1Password. Those techniques are designed to add requirements to an authentication process, but unlocking your 1Password data is not an authentication process at all. Because there is no 1Password server, there are no (additional) steps we can insist on as part of a (non-existent) login process.

There are approaches that we could take which would approximate the effect of multi-step authentication for what is actually a decryption process. But I will save discussion of those for another day.
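To make the authentication-versus-decryption point concrete, here is an added example, not 1Password’s own code or data format: the Master Password is stretched with PBKDF2 (the kind of key derivation the 3.6.5 release note refers to) and the result is used purely to decrypt and verify a local blob, with no second party anywhere in the process. An HMAC-SHA256 counter-mode keystream is assumed in place of AES so the block runs on the standard library alone; the sample plaintext, salt handling and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Illustrative work factor: the slow step PBKDF2 adds against password guessing. Constructed value.
ITERATIONS = 100_000


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch the Master Password with PBKDF2-HMAC-SHA256 into an encryption key and a MAC key.
    This is deterministic: the same password and salt always give the same keys."""
    dk = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return dk[:32], dk[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES (assumption; not 1Password's cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> bytes:
    """Encrypt-then-MAC the data under keys derived from the Master Password.
    Layout (constructed): iterations(4) | salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = struct.pack(">I", iterations) + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unlock(master_password: str, blob: bytes):
    """Decrypt locally. Nobody 'rejects' a wrong password: the derived MAC key simply
    fails to verify the tag, so the function returns None instead of plaintext."""
    if len(blob) < 4 + 16 + 16 + 32:
        return None
    iterations = struct.unpack(">I", blob[:4])[0]
    salt, nonce = blob[4:20], blob[20:36]
    ciphertext, tag = blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, blob[:36] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong password or tampered blob; indistinguishable by design
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample: the kind of secret the post suggests keeping in 1Password.
    vault = lock("correct horse", b"Dropbox backup code: PLACEHOLDER")
    print(unlock("correct horse", vault))   # the plaintext
    print(unlock("wrong password", vault))  # None
```

Since every step above runs against bytes on your own disk, there is no login exchange into which a second factor could be inserted; the iteration count is the only knob that makes guessing slower.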

Updated on 8/27 to:

  1. Reflect that Dropbox has fully released two-factor verification. When I was writing this article, it was in “beta”. But at about the same time that this article was first published, Dropbox released version 1.4.17.
  2. Tell fewer lies about how the second step authentication works. It still pretends that data is transmitted to your phone, but I’ve at least toned down that implication.
  3. In conjunction with Dropbox moving this out of beta and the experience of lots of 1Password users switching over to two-step authentication, I’ve become much more optimistic about when we will feel more comfortable recommending this to 1Password users. I changed my guess of “months” to “weeks”.

Some 1Password tips for iPhone and iPad to start your Tuesday off right

1Password for iPhone and iPad has some great tricks up its sleeve, including easy ways to let you peek at a password, a quick way to search, and even bumping Safari over in—or possibly out of—your dock. So let’s get started, shall we?

The Basics

  • Swipe to reveal password on iPad – 1Password for iPad behaves like the Mac version in that it conceals your passwords all the time. But if you want to get a quick look at a password, simply swipe to the right to reveal it. Want to conceal it again? Swipe to the left or simply tap another item.
  • Backup. Please – Of course, 1Password Pro for iPhone and iPad is a great companion to 1Password for Mac or Windows, but it works great  as a stand-alone client as well. Even if you use Apple’s iCloud service to backup your entire device though, it’s a very good idea to backup 1Password as well; you can never be too careful. Fortunately, we built a backup mechanism into 1Password Pro that doesn’t require you to sync with the Mac or Windows versions, and we have a doc that explains how to set it up.
  • Tap to get a Copy dialog – You can quickly copy many types of 1Password information to your clipboard with a simple tap (hold it for just a split second). You can tap a Login’s password and username, a Wallet item’s credit card number or bank routing details, and even Software licenses.

The Not-So-Basics

  • Customize your Auto-Lock settings – We set 1Password to lock pretty quickly by default because we want to make sure your information is protected from prying eyes. But let’s say you use 1Password Pro on an iPod touch or iPad that never leaves the house and you’d rather not have to type in your Master Password as often as we set it. If you’d like a little more flexibility in how often you have to unlock 1Password, go to Settings > Security and try out different Auto-Lock settings to find something that fits your environment and workflow.
  • Change your password conceal setting – You can choose whether the iPhone and iPad versions conceal your passwords by default under Settings > Display (on iPhone, tap the More section to get to Settings). Like the Auto-Lock setting, our users asked for some flexibility here to fit the way they work and play with 1Password.

1Password Like a Pro

  • Get to search, quick – Naturally, many users feel the fastest way to find the 1Password item they need is to search for it. One way to go about this is to use a great productivity utility like Launch Center Pro. Think of it as sort of an Alfred or LaunchBarfor 1Password, but for your iPhone (and, hopefully, soon for your iPad). Launch Center Pro is a way to quickly do a wide range of different tasks on your iPhone, and one of them just happens to be launching 1Password and going straight to the search section. After you install Launch Center Pro, add an action from the plus button in the upper right and search for 1Password. There are two options, and one is to search. Give it a name, place it where you want, and boom—you have a quick way to launch 1Password straight to the search dialog, even if you’re halfway across your Home Screen.
  • Use 1P as a browser replacement – I know earlier I told you about a quick way to copy passwords and other information out of 1Password Pro, but maybe you don’t even have to bother doing that. We built a capable browser right into 1Password that can auto-fill usernames and passwords. All you need to do is find the Login you want to use in 1Password, then tap the arrow next to its URL to spring our browser into action. Depending on the website, you may need to tap the world icon in the browser’s toolbar to copy and paste that site’s Login details while in the browser. But in most cases, 1Password should fill your info in just fine. Simply tap the website’s login button to get on with your business.

I think that’s about enough 1Password Pro awesomeness to drop on you for today. Got a favorite trick like this? Share it in the forums and I’ll round up a few for a future post!

Canada Day, Independence Day, and AgileBits 30 Percent Off Day! Erm… week!

AgileBits calls both Canada and the U.S. home (and other countries too!), so we have a couple of national celebrations coming up next week. But besides fireworks and traditional cuisine, we figured we could add something to the Canada Day and Independence Day festivities, so we’re having a sale!

Through July 8 (for you last-minute-ers, that’s 11:59pm two Sundays from now), all our products are 30 percent off! This goes for 1Password in the Mac App Store, 1Password Pro for iPhone and iPad, 1Password for Windows, Knox for Mac, and everything from our own web store.

Enjoy the festivities next week. But whether you’re celebrating a national holiday or not, enjoy 30 percent off of 1Password and Knox!

1Password 3.6.5 for iOS is out with PBKDF2 goodness!

1Password for iPhone, 1Password for iPad, and 1Password Pro (for both iPhone and iPad) have just been updated to version 3.6.5. All of the changes are behind the scenes, but they include a great security enhancement to how your Master Password is protected. Different versions may become available at different times in different locations, so if your free update isn’t ready for download just yet, try again in a little bit.

In addition to the security enhancements discussed below, there are a few bug fixes, more syncing in the background, and some images tailored for the Retina display in the new iPad. If you just want the CliffsNotes version, here we go:

★ Improved security. Now using 10,000 PBKDF2 iterations to protect the encryption key.
★ Dropbox authentication tokens are now stored in the system keychain.
★ Better support for iPad retina display.
★ Improved Login filling.
☂ Bug fixes.

But if you want to learn a little more about what we’re doing under the hood to protect your 1Password data, venture on.

10,000 PBKDF2 iterations

Your Master Password on your device is now protected with 10,000 iterations of PBKDF2. What this means is that if an attacker were somehow to get hold of your encrypted 1Password data from your phone (not an easy thing to do if you take proper precautions), it will be even harder for them to run automatic password guessing software against your master password. PBKDF2 makes the mathematical process of checking whether a Master Password is correct much longer and more difficult.

Your secrets are very well encrypted and protected by your Master Password, but these new measures strengthen that protection. You can read about PBKDF2 in an old article, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too to get more details as it applies to 1Password on the desktop; the same ideas work on iOS devices.

Why change things now?

We’ve long considered using PBKDF2 in 1Password for iOS. The advantages of using it are clear: It provides substantial additional resistance to attacks by password guessing software if your encrypted data falls into the wrong hands. There are a few reasons why now was the right time.

We have faster devices

The principal reason this didn’t come sooner is that, with PBKDF2, unlocking your 1Password data on older devices will take noticeably longer and will consume more power than not using PBKDF2. People running 1Password on first generation iPhones will now have an unlocking delay that may last up to a couple of seconds, and a delay of about one second on the iPhone 3G and on the first generation iPod touch. Delays should not be particularly noticeable on newer devices, and the vast majority of our customers now use 1Password for iOS on said newer devices.

A great feature of iOS 5 and OS X 10.7 is that the number of PBKDF2 iterations can be calibrated to the particular device. We will be making use of that in 1Password 4 for iOS, and we already make use of that in 1Password 3.9 on Lion.

Finding the right implementation

A lesser reason is that the development toolkits for iOS 3 don’t include functions for performing PBKDF2. We try to work with established toolkits as much as possible. iOS 4 (and particularly iOS 5) contain built-in features that make it easier to write programs that perform complicated encryption functions.

That said, we are still able to bring PBKDF2 to 1Password running on iOS 3. Yes, it will be slow and power hungry on older devices, but it is possible because we found a way to take the PBKDF2 function from the OpenSSL libraries and incorporate it into our code. So even though this isn’t in the Apple supplied SDK for iOS 3, we are able to use a well tested and reviewed implementation.

Changes in the threat landscape

There has also been a change in the threat landscape since we first developed 1Password 3 for iOS. There are several “forensic” toolkits on the market for breaking into iOS devices. As new ways in which data can be taken from iOS devices come to light, we need to provide even better protection against off-line attacks on your 1Password data.

It is probably far less likely that someone will capture your encrypted 1Password data from your iOS device than your 1Password data from your computer. A stolen computer, unless you use FileVault or some other disk encryption, means that your 1Password data will be available to whoever gets a hold of your disk. This is why we built PBKDF2 into 1Password on the desktop a long time ago.

But it is also the case that most people use better Master Passwords on their desktop systems than on their mobile devices. And so, in the less likely event that the data gets captured from an iOS device, the master password could do with extra protection. If everyone had sufficiently strong Master Passwords, PBKDF2 wouldn’t be necessary. But let’s face it: a very strong Master Password on an iPhone is a Master Password that won’t get used much.

Elcomsoft analysis

Although we have long been aware of the benefits of using PBKDF2, a recent report (PDF) by researchers at Elcomsoft highlighted how quickly a master password could be cracked without the additional protection of PBKDF2. We discussed that report in a recent blog post, “Strong Security Requires Strong Passwords”.

Other security improvements

Dropbox OAuth tokens

1Password stores your Dropbox username and password very securely on iOS for automatic syncing, but it hasn’t been quite as careful with the OAuth tokens used when connecting with Dropbox. If this data is copied and used on another device, it would grant access from that other device to a Dropbox account. We have fixed this in 1Password 3.6.5 for iOS.

We’ve discussed this issue extensively in a recent blog post: OAuth, Dropbox, and your 1Password data.

Padding, integrity, and standards

We try to stick to standards when it comes to encryption and protocols, but even well established standards can later be discovered to be flawed. There turns out to be a design problem with the padding scheme used as part of the PKCS standards. Introducing PBKDF2 (also defined in the same set of standards) gets around the problem.

I won’t go into much detail, but here is a little background into the issue. An encryption algorithm like AES works on a block of data at a time. In the case of AES the blocks are 16 bytes (128 bits) long. Because the data to be encrypted won’t always be a multiple of 16 bytes, some extra data gets added to the end to “pad” it out to a multiple of 16 bytes. The details of the padding scheme have to include some clever tricks so that when the data is decrypted, the decryption process can recognize where the pad begins, so it knows what to remove.

The problem is that the padding scheme has also been used as an integrity check. That is, it provides a signal to the one decrypting the message whether the data has been modified. Padding is not well suited to that purpose, but that usage means that under certain circumstances it can be used to very quickly verify whether something has been decrypted correctly. The attacker is saved an extra decryption trial in testing whether they have “guessed” the right password.

The simple solution is to make use of cryptographically appropriate integrity checks, Message Authentication Codes (MACs), after encrypting the data. That is, the integrity check is performed on the encrypted data instead of on the plaintext. By using PBKDF2 we are forcing an attacker to go through a large number of extra steps with each “guess”, overwhelming any advantage an attacker might gain through the PKCS padding problem.
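To make the two points above concrete (padding as a cheap correctness signal, and PBKDF2 plus a MAC over the ciphertext as the remedy, as in the 10,000-iterations section earlier), here is an added example. It is not 1Password’s code: the pad check is standard PKCS#7, the hash (SHA-256), salt and key split are assumptions, and the “wrong-key decryption” is simulated with seeded random blocks.

```python
"""Why a padding check leaks 'guess was wrong' for free, and how PBKDF2 +
encrypt-then-MAC removes that shortcut. Constructed example, not 1Password's
own code; hash choice and key layout are assumptions."""
import hashlib
import hmac
import random
from typing import Optional, Tuple

BLOCK = 16  # AES block size in bytes


def pkcs7_pad(data: bytes) -> bytes:
    """Append n bytes of value n so the length is a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> Optional[bytes]:
    """Strip the pad, or return None when the trailer is not a valid pad."""
    if not data or len(data) % BLOCK:
        return None
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def padding_accept_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random final blocks (what a wrong key decrypts to) that
    pass the pad check: about 1/256. One byte comparison therefore rejects
    ~99.6% of wrong guesses, which is the shortcut the text describes."""
    rng = random.Random(seed)  # seeded so the simulation is repeatable
    hits = sum(pkcs7_unpad(rng.randbytes(BLOCK)) is not None for _ in range(trials))
    return hits / trials


def derive_keys(password: str, salt: bytes, iterations: int = 10_000) -> Tuple[bytes, bytes]:
    """Stretch the password with PBKDF2 (HMAC-SHA256 assumed) and split the
    output into an encryption key and a separate MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


def mac_ciphertext(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, never plaintext."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def check_guess(guess: str, salt: bytes, iv: bytes, ciphertext: bytes,
                tag: bytes, iterations: int = 10_000) -> bool:
    """Cost of one offline guess: the full PBKDF2 run, then one constant-time
    tag compare. No padding is inspected before the tag verifies."""
    _, mac_key = derive_keys(guess, salt, iterations)
    return hmac.compare_digest(mac_ciphertext(mac_key, iv, ciphertext), tag)
```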

Processes and products

All this allows me to bring up a point that we’ve made before but will continue to make: Security is a process, not a product. One aspect of this is that a tool that your security depends on is never “done”. This is not the first security improvement we’ve made over the years, and it certainly won’t be the last. But process isn’t only in updating product. Process is about how people do things. That includes our own testing procedures, and it also includes always working to understand how people use 1Password so that we can continue in our effort to make the easy thing to do also the secure thing to do for people.

[Update April 11: Several people, including Quirks In Tech, have correctly pointed out that I should have been much more explicit in this post about the role that the Elcomsoft report played in our decision to start using PBKDF2. Earlier drafts of this included an extensive section on exactly that, but it got lost as I tried to cut this down to size. I’ve added a short section back into this post. -jeff]