Shield Security header

When a Leak Isn’t a Leak

Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves, but his main concern was how the AgileKeychain handles item URLs. While we widely documented this design decision and shared it publicly, Dale was surprised to find out that we didn’t encrypt URLs within the keychain. We want to reassure users that rely on AgileKeychain that their password data is safe and secure, and take the time to walk through our data formats to explain the issue completely.

AgileKeychain & OPVault Data Formats

Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).

In December 2012, we introduced a new format that encrypted much more of the metadata. OPVault, our newer and stronger data format, provided authenticated encryption as well as many other improvements for 1Password users.

This format worked well in situations where we didn’t need to worry about backwards compatibility, including iCloud and local storage on iOS and Mac. For Windows, Android, and Dropbox syncing, however, we needed to decide if we should migrate to the new format or provide compatibility with older versions of 1Password.

We decided to take a conservative approach and not automatically migrate everyone over to OPVault because many users depend upon older versions of 1Password and they wouldn’t be able to log into their accounts. We knew we could trust the security of the AgileKeychain to protect confidential user data so we didn’t want to rush into something that would disrupt people’s workflows.

Switching to OPVault

Despite the security of AgileKeychain remaining intact, Dale reminded us that its time to move on. The OPVault format is really great in so many ways and we should start sharing it with as many users as possible.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users. For users who would like to switch to OPVault sooner than this, here’s how you can get started immediately:

To avoid losing access to your data, be sure to back up your 1Password data beforehand, and only follow these instructions if you are NOT using any legacy versions of 1Password. If you have any questions or concerns, or would like to migrate but aren’t sure if your version of 1Password is affected, our knowledgebase, forums and support team are here to help.

1Password 5 for Mac logo

1Password 5.4 for Mac: The Convenience Edition

Picture this. You’re on your Mac, and this website is asking you to enter particular characters from your password. But your password is 50 characters of 1Password-generated gibberish; how are you supposed to find the 5th, 14th, and 32nd characters without losing your place? Wouldn’t it be amazing if 1Password could make it just a little bit easier for you?

Picture this. You’ve just found out about the great Multiple Vaults feature and excitedly set up a vault to share with your family. Awesome. But sometimes, secondary vault passwords need to be changed. Wouldn’t it be cool if 1Password made it easy for you to do that?

As of today, it can. And it does. You’ll find these and other new convenience and security features in 1Password 5.4 for Mac: The Convenience Edition, ready to download right now in the Mac App Store and from our website. Read on for the lovely details, then sally forth and download—for the low, low price of free, if you’ve already bought 1Password 5 for Mac.

Large type option now available for passwords

Easily enter specific characters from your password with the new Large Type feature. Selecting this option for your password will display it in big, friendly, colour-coded letters on your screen.

1Password 5.4 for Mac: Large Type

You already know that you can hover over a password in an item’s detail view to copy or reveal it. You’ll see the new large type option in that same menu, always within easy reach.

1Password 5.4 for Mac: Large Type menu option

This feature is also great if you need to enter your Apple ID password on the Apple TV across the room or give guests access to your home Wi-Fi network.

Change the password of a secondary vault

Since your 1…Password (that never gets old around here) unlocks your primary vault and your secondary vaults, it’s very easy to create a secondary vault and never think about its password again. Until now, changing that secondary vault password meant basically recreating the vault.

We’ve made things much more convenient for you in 5.4: you can now change the secondary vault password at will. While you’re at it, don’t forget that it’s a good idea to save this password in your primary vault; since you don’t use it all the time, it’s easy to forget! If you’ve already done that, fantastic! Don’t forget to update that item when you change the secondary vault’s password. =)

A view from the top

Did you know that 1Password for Mac offers multiple layouts? The default is a three-column view, but there’s also a “top” layout option. If you’re a fan of the classic layout, you’ll like this one. You can try it out by selecting the View > Item List Layout > Top menu option. We’ve made some improvements to this view in 5.4, all based on your feedback. Thanks for your help!

A new layer of security

We all rely on 1Password to keep our secrets secure. In the 5.4 update for 1Password for Mac, our developers have made 1Password securer than ever by adding a new secret agent to safeguard the communication between 1Password and your web browser.

Safari 9 in Yosemite and El Capitan includes important security updates that address the XARA vulnerability, so please update to the latest Safari and to El Capitan as soon as possible. Our 1Password update works hand in hand with Apple’s OS X security updates to ensure that cross-process communication between 1Password and the web browser in OS X remains secure and properly authenticated.

Because this is a brand new way for the various bits of 1Password to talk to each other, it currently requires the beta browser extension. We’d love your help in ensuring that we didn’t break anything. It’s easy: simply use 1Password in your web browser as you normally do, and let us know if something unexpected happens. If you’re interested in helping us out, please install the 1Password beta extension in your web browser and let us know how things are working in our forums. Thanks very much!

We thank Apple for giving us the tools we need to keep 1Password secure. We’ll have a blog post coming later today explaining the details of this important fix.

But wait, there’s more!

You can find the entire list of new features, improvements, and bug fixes in the release notes.

1Password 5.4 for Mac is available now as a free update if you already have a 1Password 5 for Mac license (or downloaded 1Password 5 from the Mac App Store). Choose the 1Password 5 > Check for Updates menu option, or grab the new version from our downloads page. If you are a Mac App Store customer, the update will download automatically or appear on the Updates tab in the App Store app, depending on your settings.

Got feedback? We’d love to hear from you. Add a comment here or in our discussion forums, or start a conversation with us on Twitter, ADN, or Facebook.

Featured Image: Google Chrome (Scenery)

Adventures in beta testing, continued: Google Chrome Canary

Or, If you’re living on the bleeding edge, expect some paper cuts.

The Chromium team (the open-source project behind Google Chrome) is doing an amazing job of constantly moving the web forward and making the web a safer place for users of Google Chrome.

Recently, many users of the latest pre-release versions of Google Chrome have notified us that the 1Password extension refuses to work in OS X and Windows, showing the following error message:

1Password extension looking for app

What is going on?

The Google Chrome developers have started implementing changes to the types of connections extensions are allowed to establish. These changes are part of a larger and more complex plan to harden Google Chrome against certain kinds of web-based attacks (like cross-site request forgery attacks), in which a malicious website or extension attempts to compromise internal network devices and processes listening on the localhost IP address.

Unfortunately, in the process of implementing these new security measures, something was broken in a way that results in many Chrome extensions, including 1Password, not working anymore in the Canary build and the dev channel of Chrome.

What seems to be the issue?

The 1Password web browser extension needs to communicate with a helper process that runs in the background to access your 1Password data (1Password mini in OS X and 1Password Helper in Windows). This is facilitated by establishing WebSocket protocol connections at the localhost address of a computer. WebSocket connections are similar to the typical HTTP requests your web browser performs when visiting a website.

The way we understand the current situation is this:

  1. An extension tries to open a ws:// (WebSocket) connection.
  2. Chrome recognises the chrome-extension protocol and checks whether the connection attempt has a secure origin.
  3. If Chrome determines that the connection is not secure, it rejects the attempt and any further connection requests are never even attempted beyond that.

In the case of 1Password, this results in the extension thinking that the 1Password application does not exist on the PC/Mac in the first place or that something is blocking the WebSocket connection.

What is going to happen?

This is an ongoing issue that we’re still investigating but so far it is clear that the Chromium development community has recognised that many extensions communicate with host applications using WebSocket and other protocols. To our current knowledge, they are treating this issue as a regression in need of fixing, but any fix requires careful consideration in light of their efforts to increase security.

There are various active discussion threads and bug reports related to this situation in the Chromium project. To name only a few:

What to do now?

Testing pre-release software can be fun and is incredibly useful for the developers of that software and the developers of apps that interact with it — seriously, we love our beta testers. 1Password supports the latest stable builds of Safari, Chrome, Firefox, and Opera. While we make every effort to maintain compatibility with Beta, Dev, Nightly, Canary builds or other birds or browsers, we can’t guarantee that 1Password will always work as browsers go through their various development and release cycles.

If 1Password is as essential to your daily life as it is to ours, our suggestion is to temporarily return your browser to the stable version and check out the new Canary build/dev channel releases in a week or two — did I mention how much we appreciate beta testers sending in feedback? If you do want to live on the bleeding edge, please be aware of the potential for bugs in development and public beta versions of browsers and software in general and be patient with the developers of browsers, apps, and extensions as they negotiate a shifting landscape. We’ve added the article, “Prerelease (beta, dev, nightly) browser builds,” to our knowledge base to keep you apprised of any issues with unfinished versions of browsers.

As with any other questions regarding 1Password, please sound off about any issues you run into when using 1Password with pre-release versions of browsers in our discussion forums.

1Password 5 for Mac logo

Adventures in beta testing: 1Password, El Capitan, and iOS 9

Let’s talk about betas. Specifically, let’s talk about Apple’s operating system betas. It used to be that you had to be an active member of the Apple Developer Program to get access to the betas. Last year, Apple launched a beta software program that enables anyone to sign up to test-drive pre-release versions of OS X. This year, for the first time, anyone can sign up to evaluate iOS 9 beta in addition to OS X 10.11 El Capitan beta.


There’s something thrilling about using beta software. It’s exciting to experience the software development process, with frequent updates that fix and improve things before our very eyes. It’s gratifying to participate in that process, seeing our bug reports get resolved and change requests considered and sometimes implemented. I don’t know about you, but I love feeling like I’ve helped make an improvement from which everyone using the software will benefit.

Hark, the cheers from developers far and wide

One of the most difficult things for software developers is getting the feedback they need before an application version goes public. This is because the pool of beta testers is generally so small. We could think everything is just fine, and then it gets out there and—BOOM—suddenly there are all these edge cases that never came up during the beta, because there are so many more people using it.

Public betas can be a real boon to developers, in that they help to increase the size of the beta pool and the degree to which the beta application is tested.

Hard hats required

under construction

Perhaps you remember those “Under construction” images from the early days of web publishing? It’s a very real metaphor for beta software. The most important thing to remember1 is that beta software is incomplete. Some things will not be implemented yet, some will be broken, and some may cause unexpected system kerfufflery.

Here are a few tips to help make your beta experience safe and enjoyable:

Spare a square

Ideally, beta software should be installed on spare hardware. If you have only one Mac, you can install El Capitan beta on separate partition of your Mac’s hard drive. If the iPhone you use every day is your only iOS device, it’s probably best not to install iOS 9 beta. If you have a non-critical iPad or an iPod touch, that would be a good place to install the beta.

Back that thang up

I know some of you are going to ignore me completely and install the betas on your mission-critical devices. Before you do that, please make sure to create a reliable backup!

We hear you

Your feedback is indispensable. If you notice anything wonky, be sure to report it to developers. I’ve seen beta issues reported in App Store reviews. While developers certainly read those and learn from them, they have no way of reaching out to the customer to help. It is best to contact developers directly with your beta feedback.

If you’re using 1Password beta, we have dedicated beta discussion forums. The beta forums are monitored by our developers and our support team is around to help you seven days a week!

If something you report isn’t immediately addressed, don’t worry. Developers may not be able to do anything about it just yet. Rest assured that the issue will be resolved as quickly as possible.

1Password 5, El Capitan, and iOS 9

I’m happy to tell you that we have thus far encountered no major issues in our testing. I have noticed a couple of graphical and layout issues in El Capitan beta, but it’s too early to tell whether the issues are in 1Password 5 for Mac or in El Capitan beta. We don’t want to spend time fixing something that may not actually be broken on our end, so for the moment we’re waiting to see how things pan out. We’ve documented the issues so we don’t lose track of them.

How to test 1Password beta for Mac

You are warmly invited to join our family of beta testers. The more, the merrier! 1Password 5.4 beta for Mac doesn’t require El Capitan beta, but it does require that you use the AgileBits Store version of 1Password, not the Mac App Store version. It’s very easy to switch over, but you will not be able to sync with iCloud.

How to test 1Password beta for iOS

Apple’s TestFlight Beta Testing program enables developers to extend a limited number of invitations to customers. There has been a great deal of interest in 1Password beta for iOS, and we are not looking for additional testers at this time. You can be the first to hear about opportunities to join our beta family for iOS by following @1PasswordBeta on Twitter.

1Password beta for Mac does not require 1Password beta for iOS.

1Password happy face

Have fun!

I lied earlier. The most important thing is to have fun, but keeping in mind the foibles of beta software and protecting yourself against them are a close second. =)

DevBits header

Debugging Next Key View Loops

When you create a window and populate it with views, AppKit automatically links your controls into a tab loop by setting the nextKeyView property on each view. This process is handled by the recalculateKeyViewLoop method inside NSWindow. The order of your views in this loop is based on the geometric location of each view in the window. Most of the time, this automatic mechanism works great, and you don’t have to think about it. But sometimes a window is too complex, and the automatic method produces incorrect results. When this happens, manual adjustment of the nextKeyView loop is required.

This is the situation we faced with the item detail view in 1Password for Mac 5. The detail view consists of a view-based NSTableView with multiple custom cell views. During the development of this view, we were constantly breaking the nextKeyView loop. Every time a new text field was added, or a button moved, some part of the nextKeyView loop would invariably break.

To make this debugging simpler, we wrote a utility class to visually overlay nextKeyView information on top of the detail view. Here is how it works.

The header

Let’s start with the header (.h):

//  OPTestKeyLoopView.h

#import <Cocoa/Cocoa.h>

@interface OPTestKeyLoopView : NSView

+ (void)enableForView:(NSView *)startView;
+ (void)disable;


The header provides a simple interface to enable and disable key loop debugging on a particular view. OPTestKeyLoopView is a Singleton, so these methods operate on the Class.

Private class to store visual overlay info

Moving on to the implementation (.m):

First, let’s define a simple private class used to store the visual overlay information about a particular view.

//  OPTestKeyLoopView.m

#import "OPTestKeyLoopView.h"

@interface OPTestKeyView : NSObject

@property (nonatomic, strong) NSString *title;
@property (nonatomic, strong) NSString *subtitle;
@property (nonatomic, strong) NSColor *color;
@property (nonatomic, strong) NSFont *font;
@property (nonatomic, assign) NSRect frame;


@implementation OPTestKeyView


This class doesn’t do anything other than store the properties of a view overlay.

OPTestKeyLoopView implementation

Next, we begin implementing OPTestKeyLoopView by writing the Singleton and Class methods.

@interface OPTestKeyLoopView ()

@property (nonatomic, strong) NSView *rootView;
@property (nonatomic, strong) NSMutableArray *keyViews;
@property (nonatomic) NSRect rootFrame;


@implementation OPTestKeyLoopView

+ (OPTestKeyLoopView *)sharedTestKeyLoopView {
    static OPTestKeyLoopView *sharedView = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        sharedView = [[self alloc] init];
        sharedView.autoresizingMask = NSViewWidthSizable | NSViewHeightSizable;
    return sharedView;

+ (void)enableForView:(NSView *)startView {
    [self sharedTestKeyLoopView].rootView = startView;
    [[NSNotificationCenter defaultCenter] addObserver:[self sharedTestKeyLoopView] selector:@selector(mainWindowFlagsChanged:) name:OPMainWindowFlagsChangedNotification object:nil];

+ (void)disable {
    [self sharedTestKeyLoopView].rootView = nil;
    [[self sharedTestKeyLoopView] clear];
    [[NSNotificationCenter defaultCenter] removeObserver:self];

Sidebar: OPMainWindowFlagsChangedNotification

This is a good time to pause and talk about the OPMainWindowFlagsChangedNotification notification. We want our overlay to appear when you press the Option key. The standard way to catch an Option key down event is to override

- (void)flagsChanged:(NSEvent *)theEvent

in your NSWindow or NSWindowController subclass. In our case, our window controller overrides this method and posts a notification so that other parts of the UI can easily respond to modifier key events. Here is what it looks like:

// From our NSWindowController subclass
- (void)flagsChanged:(NSEvent *)theEvent {
    [super flagsChanged:theEvent];
    [[NSNotificationCenter defaultCenter] postNotificationName:OPMainWindowFlagsChangedNotification object:nil];

Add the notification handler

Moving back to the implementation of OPTestKeyLoopView, next we’ll add the notification handler:

- (void)mainWindowFlagsChanged:(NSNotification *)aNotification {
    NSUInteger modifierFlags = ([NSApp currentEvent].modifierFlags & NSDeviceIndependentModifierFlagsMask);
    if (modifierFlags & NSAlternateKeyMask) {
        NSView *hitView = self.rootView;
        while (YES) {
            NSPoint mouse = [hitView convertPoint:[[self.rootView window] mouseLocationOutsideOfEventStream] fromView:nil];
            BOOL hitSubView = NO;
            for (NSView *subview in hitView.subviews) {
                if (subview == self) {
                if (NSMouseInRect(mouse, subview.frame, hitView.isFlipped)) {
                    hitView = subview;
                    hitSubView = YES;
            if (!hitSubView) {
        if (modifierFlags & NSShiftKeyMask) {
            [self showPreviousKeyViewLoopForView:hitView];
        else {
            [self showNextKeyViewLoopForView:hitView];
    else {
        [self clear];

This method checks for the Option key down and locates the furthest child view under the mouse. This child view will be the start of our next key view loop. Then we call a method to show the next key view loop overlay. If the shift key is also held down, we reverse the loop and show the previous key view loop.

Insert overlay view into view hierarchy

Next, we implement methods to insert our overlay view into the view hierarchy, and to build our list of keyViews. We do this by following the nextKeyView (or previousKeyView) property of the starting view and recording information about each view we encounter.

- (void)insertIntoViewHirarchy {
    if (self.superview) {
        [self removeFromSuperview];
    self.frame = [[[self.rootView window] contentView] frame];
    [[[self.rootView window] contentView] addSubview:self positioned:NSWindowAbove relativeTo:nil];

- (void)showPreviousKeyViewLoopForView:(NSView *)startView {
    [self insertIntoViewHirarchy];
    if (!self.keyViews) self.keyViews = [NSMutableArray new];
    [self.keyViews removeAllObjects];
    NSView *view = startView;
    NSMutableSet *visitedViews = [NSMutableSet new];
    NSInteger num = 0;
    do {
        NSRect frameInWindow = [view convertRect:view.bounds toView:nil];
        OPTestKeyView *keyView = [[OPTestKeyView alloc] init];
        keyView.frame = [self convertRect:frameInWindow fromView:nil];
        keyView.title = [NSString stringWithFormat:@"%ld", num];
        keyView.color = [NSColor redColor];
        keyView.font = [NSFont fontWithName:@"Menlo" size:12];
        NSLog(@"%ld %@", num, [view className]);
        [self.keyViews addObject:keyView];
        [visitedViews addObject:view];
        view = view.previousKeyView;
    } while (view && ![visitedViews containsObject:view]);
    self.rootFrame = [self convertRect:[startView convertRect:startView.bounds toView:nil] fromView:nil];
    [self setNeedsDisplay:YES];

- (void)showNextKeyViewLoopForView:(NSView *)startView {
    [self insertIntoViewHirarchy];
    if (!self.keyViews) self.keyViews = [NSMutableArray new];
    [self.keyViews removeAllObjects];
    NSView *view = startView;
    NSMutableSet *visitedViews = [NSMutableSet new];
    NSInteger num = 0;
    do {
        NSRect frameInWindow = [view convertRect:view.bounds toView:nil];
        OPTestKeyView *keyView = [[OPTestKeyView alloc] init];
        keyView.frame = [self convertRect:frameInWindow fromView:nil];
        keyView.title = [NSString stringWithFormat:@"%ld", num];
        keyView.color = [NSColor blueColor];
        keyView.font = [NSFont fontWithName:@"Menlo" size:12];
        NSLog(@"%ld %@", num, [view className]);
        [self.keyViews addObject:keyView];
        [visitedViews addObject:view];
        view = view.nextKeyView;
    } while (view && ![visitedViews containsObject:view]);
    self.rootFrame = [self convertRect:[startView convertRect:startView.bounds toView:nil] fromView:nil];
    [self setNeedsDisplay:YES];

- (void)clear {
    [self.keyViews removeAllObjects];
    [self removeFromSuperview];

Draw the overlay

Now that we have overlay information to display, and our OPTestKeyLoopView is in the view hierarchy, we can draw the overlay.

- (NSDictionary *)attributesWithFont:(NSFont *)font color:(NSColor *)color {
    NSMutableParagraphStyle *paragraphStyle = [[NSParagraphStyle defaultParagraphStyle] mutableCopy];
    [paragraphStyle setAlignment:NSCenterTextAlignment];
    [paragraphStyle setLineBreakMode:NSLineBreakByTruncatingTail];
    [paragraphStyle setLineSpacing:0];
    NSDictionary *attributes = [[NSDictionary alloc] initWithObjectsAndKeys:
                                font, NSFontAttributeName,
                                color, NSForegroundColorAttributeName,
                                paragraphStyle, NSParagraphStyleAttributeName, nil];
    return attributes;

- (void)drawRect:(NSRect)dirtyRect {
    if (self.keyViews.count > 0) {
        [[NSColor colorWithDeviceRed:1 green:0 blue:0 alpha:0.03] set];
        NSRectFillUsingOperation(self.rootFrame, NSCompositeSourceOver);
    for (OPTestKeyView *keyView in self.keyViews) {
        [keyView.color set];
        [NSBezierPath setDefaultLineWidth:0.5];
        [NSBezierPath strokeRect:NSOffsetRect(NSIntegralRect(keyView.frame), 0.25, 0.25)];
        NSDictionary *attributes = [self attributesWithFont:keyView.font color:keyView.color];
        NSSize size = [keyView.title sizeWithAttributes:attributes];
        NSRect textRect = NSIntegralRectWithOptions(NSInsetRect(keyView.frame, (keyView.frame.size.width - size.width)/2, (keyView.frame.size.height - size.height)/2), NSAlignMinXOutward|NSAlignMaxXInward|NSAlignMinYOutward|NSAlignMaxYInward);
        [[NSColor whiteColor] set];
        [keyView.title drawInRect:textRect withAttributes:attributes];

In drawRect: we loop through our keyView array and draw the overlay information for each keyView.

Tidy up

Lastly, we do some housekeeping by making sure our OPTestKeyLoopView is non-opaque and does not respond to mouse clicks.

- (BOOL)isOpaque {
    return NO;

- (NSView *)hitTest:(NSPoint)aPoint {
    return nil;


Here is what this looks like in action:

Debugging Next Key View Loops

Here is the code contained in this article (under an MIT license):

We’ve found this technique extremely useful when dealing with complex windows, and we hope you find it helpful too.


1Password inter-process communication: a discussion

Recently, security researcher Luyi Xing of Indiana University at Bloomington and his co-authors released the details of their research revealing security vulnerabilities in Apple’s Mac OS X and iOS that allow “a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.”  It has since been described in the technology press, including an article in the Register with a somewhat hyperbolic title. I should point out that even in the worst case, the attack described does not get at data you have stored in 1Password.

The fact of the matter is that specialized malware can capture some of the information sent by the 1Password browser extension and 1Password mini on the Mac under certain circumstances.  But roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser.

For 1Password, the difficulty is in fully authenticating the communication between the 1Password browser extension and 1Password mini; however, this problem is not unique to 1Password. The difficulty of securing inter-process communication on the operating system is a problem system-wide. A recent paper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS” (PDF),  by Luyi Xing (Li) and his colleagues shows just how difficult securing such communication can be. Since November 2014, we’ve been engaged in discussion with Li about what, if anything, we can do about such attacks. He and his team have been excellent at providing us with details and information upfront.

As always, we are limited in what we can do in the face of malware running on the local machine. It may be useful to quote at length the introduction of that article

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer [could obtain your 1Password data].

That was written more specifically about  keystroke loggers, and there are some things that set the new attack apart. Like superficial keystroke loggers it doesn’t require “admin” or “root” access, but they were able to sneak a proof of concept past Apple reviewers.

The threat

The threat is that a malicious Mac app can pretend to be 1Password mini as far as the 1Password browser extension is concerned if it gets the timing right. In these cases, the malicious app can collect Login details sent from the 1Password browser extension to the fake 1Password mini. The researchers have demonstrated that it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

Note that their attack does not gain full access to your 1Password data but only to those passwords being sent from the browser to 1Password mini. In this sense, it is getting the same sort of information that a malicious browser extension might get if you weren’t using 1Password.


1Password provides its own security. What I mean by this is that for the bulk of what we do, we don’t generally rely upon security mechanisms like sandboxing or iOS Keychain. So it doesn’t matter whether those sorts of security measures provided by the operating system fail.

The careful reader will note, however, that I used phrases like “for the bulk of what we do” and “don’t generally rely upon” in the previous paragraph. There are some features and aspects for which some of 1Password’s security makes use of those mechanisms, and so vulnerabilities in those mechanisms can allow for harm to us and our customers.

1Password mini listens to the extension

Application sandboxing is a good thing for security. But it limits how the 1Password browser extension can actually exchange data with 1Password itself. Indeed, the extension (correctly) has no direct access to your data. Keeping your data out of the browser (a relatively hostile environment) is one of our security design choices. But this does mean that the 1Password browser extension needs to find a way to talk to something that does actually manage your data. 1Password mini (originally the 1Password Helper) was invented for this purpose.

One of the few ways that a browser extension can communicate locally is through a websocket. Browser extensions are free to talk to the Internet as a whole, but we certainly don’t want our browser extension doing that; we only want it talking to 1Password locally. So we restrict the browser extension to only talking to 1Password mini via a local websocket.

Mutual authentication

Obviously we would want 1Password mini and the browser extension to only talk to bona fide versions of each other, so this becomes a problem of mutual authentication. There should be some way for 1Password mini to prove to the extension that it is the real one, and there should be a way for the browser extension to prove to 1Password mini that it is a real 1Password browser extension.

The difficulty that we face is that we have no completely reliable mechanism for that mutual authentication. Instead, we employ a number of separate mechanisms of authentication, but each has its own limitations. We have no way to guarantee that when the browser extension reaches out to 1Password mini it is really talking to the genuine one.

There are a number of checks that we can (and do) perform to see if everyone is talking to who they think they are talking to, but those checks are not perfect. As a result, malware running on your Mac under your username can sometimes defeat those checks. In this case, it can pretend to be 1Password mini when talking to the browser extension and thus capture any information sent from the 1Password browser extension that is intended for the mini.

What can be done

Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But, although there is no perfect solution, there are things that can be done to make such attacks more difficult.

What you can do

1. Check “Always Keep 1Password Mini Running” in Preferences > General

In the specific attack that Luyi Xing demonstrates, the malicious malware needs to be launched before the genuine 1Password mini is launched. By setting 1Password mini to always run, you reduce the opportunity for that particular attack.

keep mini running



2. Keep using the 1Password browser extension

Although what is described is an attack against the communication between 1Password mini and the browser extension through specialized malware, using the 1Password browser extension protects you from a more typical malware attack of pasteboard/clipboard sniffers. Likewise, the 1Password extension helps fend off phishing attacks because it will refuse to fill into pages that don’t match the domain for your saved Logins.

Quite simply, the 1Password extension not only makes life easier for you, but it is an important safety feature on its own.

3. Pay attention to what you install

As always be careful about what software you run and install on your system. On your Mac, open System Preferences > Security & Privacy > General. You’ll see an Allow apps downloaded from: setting there. We strongly recommend confirming that this setting is configured so that only apps from trusted sources can be opened. You can read more about the setting and its options on Apple’s support site.

Now Xing and his team point out that this isn’t a guaranteed way to prevent malware being installed. They were able to get a malicious app approved by the Mac App Store review process. However, I think it is reasonable to assume that now that Apple reviewers know what to look for, it will be much harder for that specific kind of malware to get through.

What we can do

There are additional (defeasible) mechanisms that we can add to our attempts at mutual authentication between the extension and 1Password mini. I will briefly mention a few that we’ve considered over the years.

Encryption with an obfuscated key

One option is to have a shared obfuscated key in both 1Password mini and the extension. (Remember that the browser extension never sees your Master Password so any secret it stores for authentication cannot be protected by your Master Password.)

Obfuscation only makes things harder for attackers until someone breaks the obfuscation, and every system designer should assume that obfuscation will be broken. See our discussion of Kerckhoffs’ Principle in our article, “You have secrets; we don’t,” for some background on why we tend to be reluctant to use obfuscation. Of course, it may be warranted in the absence of a more effective alternative, so this remains under consideration.

In anticipation of a likely suggestion, I should point out that even the magic of public key encryption wouldn’t save us from having to rely on obfuscation here; but I will save that discussion for our forums.

Using the OS X keychain

Another option would be to store authentication secrets in the OS X keychain, so that both our browser extension and 1Password mini would have access to it. This could be made to work for authenticating 1Password mini to the extension for those browsers that allow easy use of the OS X keychain.

This might solve half the problem for some browsers, but to date we’ve been focusing on solutions that work across all of the browsers we support.

An extreme solution

In the extreme case, we could have some explicit pairing (sort of like Bluetooth) between 1Password mini and the extension.  That is, the browser extension may display some number that you have to type into 1Password mini (or the other way around).  With this user intervention we can provide solid mutual authentication, but that user action would need to be done every time either the browser or 1Password mini is launched.

Quite frankly, there is no really good solution for this. To date, our approach has been to put in those authentication checks that we have and keep an eye out for any hints of malware that exploits the known limitations of what we do.

Is 1Password for iOS affected?

The research paper isn’t limited to discussing inter-process communication (IPC) that is done through websockets, but covers a wide range of mechanisms used on Apple systems. This includes some mechanisms that we may use for some features in 1Password for iOS.

Shared data security

1Password for iOS shares some of its data with the 1Password app extension. As most of that data is encrypted with your Master Password, it is not a substantial problem if that data becomes available to attackers. The exception, of course, is the TouchID secret.

As yet, we have not had a chance to test whether there is any exposure there, but watch this space for updates.


We truly are grateful for the active security community, including Luyi Xing and his team, who take the time to test existing security measures and challenge us to do better. Our analysis of the researchers’ findings will continue and we will post an update if further action is necessary.

1Password tips

Quick Tip: Migrate your details between 1Password items

We all have our own ways of keeping things neat and tidy, and having something out of place can just throw your whole day out of whack. Luckily, 1Password mini can help you keep things organized just the way you like them.

Let’s say someone sends you the details for the Wi-Fi router at their house, but it’s in a Secure Note instead of the Wireless Router template for 1Password.

Wireless network data stored in a Secure Note

If you’re like me, this is the kind of thing that could make you a bit, well…


So, let’s move the relevant data over to a new Wireless Router item and set things right with a few simple steps:

1. Create the new item

In 1Password, create a new item in the proper category. Launch 1Password, and choose File > New Item > Wireless Router. This is the new item where the previous Secure Note’s content will go. Leave this new item in edit mode.

Create a new Wireless Router item

2. Open the original item in 1Password mini and anchor it

Click the 1Password mini icon in the toolbar and search for or browse to the Secure Note containing the details you want to migrate to the new entry. Click the anchor button in the bottom left of the detail view to keep the item on screen.

Copy and paste the details

3. Copy and paste

At this point, you can copy and paste the relevant information from the original item. You can also create new sections and fields for any important information that doesn’t fit elsewhere. When you’re finished, save the new item.

4. Delete the original item

At this point, the original item is no longer needed and can be safely deleted.

5. Bonus points: share!

Share the new entry with the person who sent you the Secure Note version using the item’s Share button.

Share the item

This use case comes up for me more often than I would have thought in the past. The Wireless Router example is a real one from a recent trip to visit the team in our Toronto office. Beyond that, I have quite a few items I exported from Yojimbo long ago, and those only exported as plain text files. I imported those text files as Secure Notes in 1Password and I have been migrating them to proper 1Password entries here and there over time. Instead of switching back and forth between items in 1Password, using 1Password mini’s anchored windows helps to make the process of migrating data between categories a lot simpler.

because we love you sale, feature image

The Because We Love You Sale

UPDATE: The Because We Love You Sale will be ending the evening of May 27, 2015.

Everything we do here at AgileBits is with you in our hearts & minds: whether it’s sharing tips & tricks to enhance your security, squashing bugs & implementing exciting new features, or answering your questions in our Support Forums, our focus is always on you.  And every once in a while we like to go all out and show how much we appreciate you by having a good old-fashioned sale.

We usually like to focus a sale around a holiday or a release from a certain California-based fruit company, but today we were searching for another reason to celebrate. So we gathered our crack marketing team around the MacBook and started brainstorming ideas:

  • Dinosaurs are awesome! Okay, maybe we’re just really excited for that new prehistoric blockbuster that’s coming soon to a theater near you.
  • Someone on the team had a birthday! It’s true, there’ve been a number of May birthdays here at AgileBits, but we’ve already overdosed on sugary frosting.
  • Baseball’s back! But really, we just wanted to sing “Take me out to the ballgame.”
  • Spring is here?  It’s been done a billion times before.  Boring.
  • We love you! Oh, there it is. What better reason do we need than just to simply say…

we love you. And to show how much we care, we’re knocking 30% off 1Password across the board on Mac, Windows, iOS, and Android.

While our love for you will last forever, this sale won’t. So if you or someone you love has been holding off on buying 1Password, now is the time to say, “I love you, too.”

You can pick up a Mac/Windows bundle (or grab them separately) on our AgileBits Store. 1Password for Mac is also available on the Mac App Store. And 1Password for iOS is on the iOS App Store, and 1Password for Android on Google Play.

More than just passwords header

Staying on top of deadlines and expiry dates

1Password is at its best when it’s helping us forget — not just our passwords and credit card numbers, but also where we put that thing. 1Password remembers, so we don’t have to. It’s easy to get hooked on this line of thinking. You start to ask yourself: what else can I afford to forget about?

How about deadlines? I’m not talking about calendar appointments. Think instead of the warranty on your laptop — the one that always runs out days before you need to use it. Think of the gift card you need to spend before Father’s Day. The domain name you keep forgetting to renew. The annual subscription you plan to cancel before you get charged again.

So much of our sensitive information comes with a best before date — and 1Password is great at keeping track of best before dates.

expires soon

You’re probably used to filling in the expiry date field for your credit card, but you might know that it’s also built into lots of other 1Password items — Passports, Memberships, Driver’s Licenses, etc. You can also add it to your own items using custom fields.

Once you assign expiry dates to all your time-sensitive items, you’re one smart folder away from seeing anything that needs your immediate attention.

expiry smart folder

The key to making this work is the second field (“Any Value” -> “contains”), which I’ve set to the current year. You could also fill in “2015-05” to see only the items that expire in May, but tweaking this value every month might be too fiddly for your tastes. I find a year’s worth of expiry dates is manageable so long as I review the folder every once in a while.

1Password won’t ever replace my calendar, but there are some due dates it handles with style — especially when it comes to information I can’t risk keeping anywhere else.

How do you use 1Password to make your life a little more manageable? We’d love to find out. Share your creative ideas in the comments!

1Password 5 for Mac logo

1Password 5.3 for Mac: The Bionic Edition is out!

We last heard from our hero, 1Password for Mac, in version 5.1. Sadly, version 5.2 suffered a tragic accident. The development team refused to give up. “We can rebuild it,” they said. “We have the technology. We have the capability to make the world’s first bionic password manager. 1Password 5.3 for Mac will be that app. Better than it was before. Stronger…Faster…Better.”

We proudly present 1Password 5.3 for Mac, now available for Mac App Store and AgileBits Store customers, and it won’t cost six million dollars (it’s a free update for all 5.x owners).

Two-Steps Stronger

Barcode Scanner With BorderWe recently introduced our TOTP feature — Time-Based One-Time Passwords — in iOS and Windows, and now we’re bringing it to the Mac. TOTPs are increasingly used as an extra layer of security by companies from Dropbox to Tumblr, so now you’re ready for them with 1Password for Mac. To learn how to add TOTP to 1Password for Mac, check out our handy dandy guide and video!

Faster Communication

1Password makes you more secure online, but it also saves you time by logging you in and filling long, tedious forms with a single click. Now it can help you make phone calls and start emails with one click, too.

We’ve added great new features in v5.3 to make it even easier for you to keep in contact with your sidekick. You can click on phone numbers that you’ve added to Identities to start FaceTime Audio or Skype calls, or click on an email address to start emails.

This works not only in the default fields for these in items like Identities and Software Licenses, but also in custom fields.

synapse_brainA Better Brain

Did you know 1Password has a Brain that handles the under-the-hood tasks of figuring out webpages and filling your Logins, Identities, and Credit Cards into forms? In v5.3, we gave the Brain a heavy dose of B and D vitamins, as well as some omega–3 dev classes and shared objects to make it much faster and smarter when filling said forms and generally saving you oodles of time.

Too much more to list

We also implanted a plethora of custom field options, some great 1Password mini nips and tucks, and Secure Notes can now have custom fields and sections.

Actually, I’d love to list all the great stuff we packed into this free update, but there’s a chance such an extensive post might break WordPress. Instead, you can check out the full details in our release notes. To get the update, just hit the Mac App Store’s Updates tab, or for our AgileBits Store version, click 1Password 5 > Check for Updates in the menubar.