1PM icon 1024

Adventures in beta testing: 1Password, El Capitan, and iOS 9

Let’s talk about betas. Specifically, let’s talk about Apple’s operating system betas. It used to be that you had to be an active member of the Apple Developer Program to get access to the betas. Last year, Apple launched a beta software program that enables anyone to sign up to test-drive pre-release versions of OS X. This year, for the first time, anyone can sign up to evaluate iOS 9 beta in addition to OS X 10.11 El Capitan beta.

Newshiny

There’s something thrilling about using beta software. It’s exciting to experience the software development process, with frequent updates that fix and improve things before our very eyes. It’s gratifying to participate in that process, seeing our bug reports get resolved and change requests considered and sometimes implemented. I don’t know about you, but I love feeling like I’ve helped make an improvement from which everyone using the software will benefit.

Hark, the cheers from developers far and wide

One of the most difficult things for software developers is getting the feedback they need before an application version goes public. This is because the pool of beta testers is generally so small. We could think everything is just fine, and then it gets out there and—BOOM—suddenly there are all these edge cases that never came up during the beta, because there are so many more people using it.

Public betas can be a real boon to developers, in that they help to increase the size of the beta pool and the degree to which the beta application is tested.

Hard hats required

under construction

Perhaps you remember those “Under construction” images from the early days of web publishing? It’s a very real metaphor for beta software. The most important thing to remember1 is that beta software is incomplete. Some things will not be implemented yet, some will be broken, and some may cause unexpected system kerfufflery.

Here are a few tips to help make your beta experience safe and enjoyable:

Spare a square

Ideally, beta software should be installed on spare hardware. If you have only one Mac, you can install El Capitan beta on separate partition of your Mac’s hard drive. If the iPhone you use every day is your only iOS device, it’s probably best not to install iOS 9 beta. If you have a non-critical iPad or an iPod touch, that would be a good place to install the beta.

Back that thang up

I know some of you are going to ignore me completely and install the betas on your mission-critical devices. Before you do that, please make sure to create a reliable backup!

We hear you

Your feedback is indispensable. If you notice anything wonky, be sure to report it to developers. I’ve seen beta issues reported in App Store reviews. While developers certainly read those and learn from them, they have no way of reaching out to the customer to help. It is best to contact developers directly with your beta feedback.

If you’re using 1Password beta, we have dedicated beta discussion forums. The beta forums are monitored by our developers and our support team is around to help you seven days a week!

If something you report isn’t immediately addressed, don’t worry. Developers may not be able to do anything about it just yet. Rest assured that the issue will be resolved as quickly as possible.

1Password 5, El Capitan, and iOS 9

I’m happy to tell you that we have thus far encountered no major issues in our testing. I have noticed a couple of graphical and layout issues in El Capitan beta, but it’s too early to tell whether the issues are in 1Password 5 for Mac or in El Capitan beta. We don’t want to spend time fixing something that may not actually be broken on our end, so for the moment we’re waiting to see how things pan out. We’ve documented the issues so we don’t lose track of them.

How to test 1Password beta for Mac

You are warmly invited to join our family of beta testers. The more, the merrier! 1Password 5.4 beta for Mac doesn’t require El Capitan beta, but it does require that you use the AgileBits Store version of 1Password, not the Mac App Store version. It’s very easy to switch over, but you will not be able to sync with iCloud.

How to test 1Password beta for iOS

Apple’s TestFlight Beta Testing program enables developers to extend a limited number of invitations to customers. There has been a great deal of interest in 1Password beta for iOS, and we are not looking for additional testers at this time. You can be the first to hear about opportunities to join our beta family for iOS by following @1PasswordBeta on Twitter.

1Password beta for Mac does not require 1Password beta for iOS.

1Password happy face

Have fun!

I lied earlier. The most important thing is to have fun, but keeping in mind the foibles of beta software and protecting yourself against them are a close second. =)

DevBits, featured image

Debugging Next Key View Loops

When you create a window and populate it with views, AppKit automatically links your controls into a tab loop by setting the nextKeyView property on each view. This process is handled by the recalculateKeyViewLoop method inside NSWindow. The order of your views in this loop is based on the geometric location of each view in the window. Most of the time, this automatic mechanism works great, and you don’t have to think about it. But sometimes a window is too complex, and the automatic method produces incorrect results. When this happens, manual adjustment of the nextKeyView loop is required.

This is the situation we faced with the item detail view in 1Password for Mac 5. The detail view consists of a view-based NSTableView with multiple custom cell views. During the development of this view, we were constantly breaking the nextKeyView loop. Every time a new text field was added, or a button moved, some part of the nextKeyView loop would invariably break.

To make this debugging simpler, we wrote a utility class to visually overlay nextKeyView information on top of the detail view. Here is how it works.

The header

Let’s start with the header (.h):

//
//  OPTestKeyLoopView.h
//

#import <Cocoa/Cocoa.h>

@interface OPTestKeyLoopView : NSView

+ (void)enableForView:(NSView *)startView;
+ (void)disable;

@end

The header provides a simple interface to enable and disable key loop debugging on a particular view. OPTestKeyLoopView is a Singleton, so these methods operate on the Class.

Private class to store visual overlay info

Moving on to the implementation (.m):

First, let’s define a simple private class used to store the visual overlay information about a particular view.

//
//  OPTestKeyLoopView.m
//

#import "OPTestKeyLoopView.h"


@interface OPTestKeyView : NSObject

@property (nonatomic, strong) NSString *title;
@property (nonatomic, strong) NSString *subtitle;
@property (nonatomic, strong) NSColor *color;
@property (nonatomic, strong) NSFont *font;
@property (nonatomic, assign) NSRect frame;

@end


@implementation OPTestKeyView

@end

This class doesn’t do anything other than store the properties of a view overlay.

OPTestKeyLoopView implementation

Next, we begin implementing OPTestKeyLoopView by writing the Singleton and Class methods.

@interface OPTestKeyLoopView ()

@property (nonatomic, strong) NSView *rootView;
@property (nonatomic, strong) NSMutableArray *keyViews;
@property (nonatomic) NSRect rootFrame;

@end


@implementation OPTestKeyLoopView

+ (OPTestKeyLoopView *)sharedTestKeyLoopView {
    static OPTestKeyLoopView *sharedView = nil;
    
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        sharedView = [[self alloc] init];
        sharedView.autoresizingMask = NSViewWidthSizable | NSViewHeightSizable;
    });
    
    return sharedView;
}

+ (void)enableForView:(NSView *)startView {
    [self sharedTestKeyLoopView].rootView = startView;
    [[NSNotificationCenter defaultCenter] addObserver:[self sharedTestKeyLoopView] selector:@selector(mainWindowFlagsChanged:) name:OPMainWindowFlagsChangedNotification object:nil];
}

+ (void)disable {
    [self sharedTestKeyLoopView].rootView = nil;
    [[self sharedTestKeyLoopView] clear];
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}

Sidebar: OPMainWindowFlagsChangedNotification

This is a good time to pause and talk about the OPMainWindowFlagsChangedNotification notification. We want our overlay to appear when you press the Option key. The standard way to catch an Option key down event is to override

- (void)flagsChanged:(NSEvent *)theEvent

in your NSWindow or NSWindowController subclass. In our case, our window controller overrides this method and posts a notification so that other parts of the UI can easily respond to modifier key events. Here is what it looks like:

// From our NSWindowController subclass
- (void)flagsChanged:(NSEvent *)theEvent {
    [super flagsChanged:theEvent];
    [[NSNotificationCenter defaultCenter] postNotificationName:OPMainWindowFlagsChangedNotification object:nil];
}

Add the notification handler

Moving back to the implementation of OPTestKeyLoopView, next we’ll add the notification handler:

- (void)mainWindowFlagsChanged:(NSNotification *)aNotification {
    NSUInteger modifierFlags = ([NSApp currentEvent].modifierFlags & NSDeviceIndependentModifierFlagsMask);
    if (modifierFlags & NSAlternateKeyMask) {
        NSView *hitView = self.rootView;
        while (YES) {
            NSPoint mouse = [hitView convertPoint:[[self.rootView window] mouseLocationOutsideOfEventStream] fromView:nil];
            BOOL hitSubView = NO;
            for (NSView *subview in hitView.subviews) {
                if (subview == self) {
                    continue;
                }
                if (NSMouseInRect(mouse, subview.frame, hitView.isFlipped)) {
                    hitView = subview;
                    hitSubView = YES;
                    break;
                }
            }
            if (!hitSubView) {
                break;
            }
        }
        
        if (modifierFlags & NSShiftKeyMask) {
            [self showPreviousKeyViewLoopForView:hitView];
        }
        else {
            [self showNextKeyViewLoopForView:hitView];
        }
    }
    else {
        [self clear];
    }
}

This method checks for the Option key down and locates the furthest child view under the mouse. This child view will be the start of our next key view loop. Then we call a method to show the next key view loop overlay. If the shift key is also held down, we reverse the loop and show the previous key view loop.

Insert overlay view into view hierarchy

Next, we implement methods to insert our overlay view into the view hierarchy, and to build our list of keyViews. We do this by following the nextKeyView (or previousKeyView) property of the starting view and recording information about each view we encounter.

- (void)insertIntoViewHirarchy {
    if (self.superview) {
        [self removeFromSuperview];
    }
    self.frame = [[[self.rootView window] contentView] frame];
    [[[self.rootView window] contentView] addSubview:self positioned:NSWindowAbove relativeTo:nil];
}

- (void)showPreviousKeyViewLoopForView:(NSView *)startView {
    [self insertIntoViewHirarchy];
    
    if (!self.keyViews) self.keyViews = [NSMutableArray new];
    [self.keyViews removeAllObjects];
    
    NSLog(@"+++PreviousKeyViewLoop");
    NSView *view = startView;
    NSMutableSet *visitedViews = [NSMutableSet new];
    NSInteger num = 0;
    do {
        NSRect frameInWindow = [view convertRect:view.bounds toView:nil];
        OPTestKeyView *keyView = [[OPTestKeyView alloc] init];
        keyView.frame = [self convertRect:frameInWindow fromView:nil];
        keyView.title = [NSString stringWithFormat:@"%ld", num];
        keyView.color = [NSColor redColor];
        keyView.font = [NSFont fontWithName:@"Menlo" size:12];
        
        NSLog(@"%ld %@", num, [view className]);
        [self.keyViews addObject:keyView];
        
        [visitedViews addObject:view];
        view = view.previousKeyView;
        num--;
    } while (view && ![visitedViews containsObject:view]);
    NSLog(@"---");
    
    self.rootFrame = [self convertRect:[startView convertRect:startView.bounds toView:nil] fromView:nil];
    [self setNeedsDisplay:YES];
}

- (void)showNextKeyViewLoopForView:(NSView *)startView {
    [self insertIntoViewHirarchy];
    
    if (!self.keyViews) self.keyViews = [NSMutableArray new];
    [self.keyViews removeAllObjects];
    
    NSLog(@"+++NextKeyViewLoop");
    NSView *view = startView;
    NSMutableSet *visitedViews = [NSMutableSet new];
    NSInteger num = 0;
    do {
        NSRect frameInWindow = [view convertRect:view.bounds toView:nil];
        OPTestKeyView *keyView = [[OPTestKeyView alloc] init];
        keyView.frame = [self convertRect:frameInWindow fromView:nil];
        keyView.title = [NSString stringWithFormat:@"%ld", num];
        keyView.color = [NSColor blueColor];
        keyView.font = [NSFont fontWithName:@"Menlo" size:12];
        
        NSLog(@"%ld %@", num, [view className]);
        [self.keyViews addObject:keyView];
        
        [visitedViews addObject:view];
        view = view.nextKeyView;
        num++;
    } while (view && ![visitedViews containsObject:view]);
    NSLog(@"---");
    
    self.rootFrame = [self convertRect:[startView convertRect:startView.bounds toView:nil] fromView:nil];
    [self setNeedsDisplay:YES];
}

- (void)clear {
    [self.keyViews removeAllObjects];
    [self removeFromSuperview];
}

Draw the overlay

Now that we have overlay information to display, and our OPTestKeyLoopView is in the view hierarchy, we can draw the overlay.

- (NSDictionary *)attributesWithFont:(NSFont *)font color:(NSColor *)color {
    NSMutableParagraphStyle *paragraphStyle = [[NSParagraphStyle defaultParagraphStyle] mutableCopy];
    [paragraphStyle setAlignment:NSCenterTextAlignment];
    [paragraphStyle setLineBreakMode:NSLineBreakByTruncatingTail];
    [paragraphStyle setLineSpacing:0];
    
    NSDictionary *attributes = [[NSDictionary alloc] initWithObjectsAndKeys:
                                font, NSFontAttributeName,
                                color, NSForegroundColorAttributeName,
                                paragraphStyle, NSParagraphStyleAttributeName, nil];
    return attributes;
}

- (void)drawRect:(NSRect)dirtyRect {
    if (self.keyViews.count > 0) {
        [[NSColor colorWithDeviceRed:1 green:0 blue:0 alpha:0.03] set];
        NSRectFillUsingOperation(self.rootFrame, NSCompositeSourceOver);
    }
    
    for (OPTestKeyView *keyView in self.keyViews) {
        [keyView.color set];
        [NSBezierPath setDefaultLineWidth:0.5];
        [NSBezierPath strokeRect:NSOffsetRect(NSIntegralRect(keyView.frame), 0.25, 0.25)];
        NSDictionary *attributes = [self attributesWithFont:keyView.font color:keyView.color];
        NSSize size = [keyView.title sizeWithAttributes:attributes];
        NSRect textRect = NSIntegralRectWithOptions(NSInsetRect(keyView.frame, (keyView.frame.size.width - size.width)/2, (keyView.frame.size.height - size.height)/2), NSAlignMinXOutward|NSAlignMaxXInward|NSAlignMinYOutward|NSAlignMaxYInward);
        [[NSColor whiteColor] set];
        NSRectFill(textRect);
        [keyView.title drawInRect:textRect withAttributes:attributes];
    }
}

In drawRect: we loop through our keyView array and draw the overlay information for each keyView.

Tidy up

Lastly, we do some housekeeping by making sure our OPTestKeyLoopView is non-opaque and does not respond to mouse clicks.

- (BOOL)isOpaque {
    return NO;
}

- (NSView *)hitTest:(NSPoint)aPoint {
    return nil;
}

@end

Here is what this looks like in action:

Debugging Next Key View Loops

Here is the code contained in this article (under an MIT license):

We’ve found this technique extremely useful when dealing with complex windows, and we hope you find it helpful too.

Security

1Password inter-process communication: a discussion

Recently, security researcher Luyi Xing of Indiana University at Bloomington and his co-authors released the details of their research revealing security vulnerabilities in Apple’s Mac OS X and iOS that allow “a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.”  It has since been described in the technology press, including an article in the Register with a somewhat hyperbolic title. I should point out that even in the worst case, the attack described does not get at data you have stored in 1Password.

The fact of the matter is that specialized malware can capture some of the information sent by the 1Password browser extension and 1Password mini on the Mac under certain circumstances.  But roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser.

For 1Password, the difficulty is in fully authenticating the communication between the 1Password browser extension and 1Password mini; however, this problem is not unique to 1Password. The difficulty of securing inter-process communication on the operating system is a problem system-wide. A recent paper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS” (PDF),  by Luyi Xing (Li) and his colleagues shows just how difficult securing such communication can be. Since November 2014, we’ve been engaged in discussion with Li about what, if anything, we can do about such attacks. He and his team have been excellent at providing us with details and information upfront.

As always, we are limited in what we can do in the face of malware running on the local machine. It may be useful to quote at length the introduction of that article

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer [could obtain your 1Password data].

That was written more specifically about  keystroke loggers, and there are some things that set the new attack apart. Like superficial keystroke loggers it doesn’t require “admin” or “root” access, but they were able to sneak a proof of concept past Apple reviewers.

The threat

The threat is that a malicious Mac app can pretend to be 1Password mini as far as the 1Password browser extension is concerned if it gets the timing right. In these cases, the malicious app can collect Login details sent from the 1Password browser extension to the fake 1Password mini. The researchers have demonstrated that it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

Note that their attack does not gain full access to your 1Password data but only to those passwords being sent from the browser to 1Password mini. In this sense, it is getting the same sort of information that a malicious browser extension might get if you weren’t using 1Password.

Background

1Password provides its own security. What I mean by this is that for the bulk of what we do, we don’t generally rely upon security mechanisms like sandboxing or iOS Keychain. So it doesn’t matter whether those sorts of security measures provided by the operating system fail.

The careful reader will note, however, that I used phrases like “for the bulk of what we do” and “don’t generally rely upon” in the previous paragraph. There are some features and aspects for which some of 1Password’s security makes use of those mechanisms, and so vulnerabilities in those mechanisms can allow for harm to us and our customers.

1Password mini listens to the extension

Application sandboxing is a good thing for security. But it limits how the 1Password browser extension can actually exchange data with 1Password itself. Indeed, the extension (correctly) has no direct access to your data. Keeping your data out of the browser (a relatively hostile environment) is one of our security design choices. But this does mean that the 1Password browser extension needs to find a way to talk to something that does actually manage your data. 1Password mini (originally the 1Password Helper) was invented for this purpose.

One of the few ways that a browser extension can communicate locally is through a websocket. Browser extensions are free to talk to the Internet as a whole, but we certainly don’t want our browser extension doing that; we only want it talking to 1Password locally. So we restrict the browser extension to only talking to 1Password mini via a local websocket.

Mutual authentication

Obviously we would want 1Password mini and the browser extension to only talk to bona fide versions of each other, so this becomes a problem of mutual authentication. There should be some way for 1Password mini to prove to the extension that it is the real one, and there should be a way for the browser extension to prove to 1Password mini that it is a real 1Password browser extension.

The difficulty that we face is that we have no completely reliable mechanism for that mutual authentication. Instead, we employ a number of separate mechanisms of authentication, but each has its own limitations. We have no way to guarantee that when the browser extension reaches out to 1Password mini it is really talking to the genuine one.

There are a number of checks that we can (and do) perform to see if everyone is talking to who they think they are talking to, but those checks are not perfect. As a result, malware running on your Mac under your username can sometimes defeat those checks. In this case, it can pretend to be 1Password mini when talking to the browser extension and thus capture any information sent from the 1Password browser extension that is intended for the mini.

What can be done

Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But, although there is no perfect solution, there are things that can be done to make such attacks more difficult.

What you can do

1. Check “Always Keep 1Password Mini Running” in Preferences > General

In the specific attack that Luyi Xing demonstrates, the malicious malware needs to be launched before the genuine 1Password mini is launched. By setting 1Password mini to always run, you reduce the opportunity for that particular attack.

keep mini running

 

 

2. Keep using the 1Password browser extension

Although what is described is an attack against the communication between 1Password mini and the browser extension through specialized malware, using the 1Password browser extension protects you from a more typical malware attack of pasteboard/clipboard sniffers. Likewise, the 1Password extension helps fend off phishing attacks because it will refuse to fill into pages that don’t match the domain for your saved Logins.

Quite simply, the 1Password extension not only makes life easier for you, but it is an important safety feature on its own.

3. Pay attention to what you install

As always be careful about what software you run and install on your system. On your Mac, open System Preferences > Security & Privacy > General. You’ll see an Allow apps downloaded from: setting there. We strongly recommend confirming that this setting is configured so that only apps from trusted sources can be opened. You can read more about the setting and its options on Apple’s support site.

Now Xing and his team point out that this isn’t a guaranteed way to prevent malware being installed. They were able to get a malicious app approved by the Mac App Store review process. However, I think it is reasonable to assume that now that Apple reviewers know what to look for, it will be much harder for that specific kind of malware to get through.

What we can do

There are additional (defeasible) mechanisms that we can add to our attempts at mutual authentication between the extension and 1Password mini. I will briefly mention a few that we’ve considered over the years.

Encryption with an obfuscated key

One option is to have a shared obfuscated key in both 1Password mini and the extension. (Remember that the browser extension never sees your Master Password so any secret it stores for authentication cannot be protected by your Master Password.)

Obfuscation only makes things harder for attackers until someone breaks the obfuscation, and every system designer should assume that obfuscation will be broken. See our discussion of Kerckhoffs’ Principle in our article, “You have secrets; we don’t,” for some background on why we tend to be reluctant to use obfuscation. Of course, it may be warranted in the absence of a more effective alternative, so this remains under consideration.

In anticipation of a likely suggestion, I should point out that even the magic of public key encryption wouldn’t save us from having to rely on obfuscation here; but I will save that discussion for our forums.

Using the OS X keychain

Another option would be to store authentication secrets in the OS X keychain, so that both our browser extension and 1Password mini would have access to it. This could be made to work for authenticating 1Password mini to the extension for those browsers that allow easy use of the OS X keychain.

This might solve half the problem for some browsers, but to date we’ve been focusing on solutions that work across all of the browsers we support.

An extreme solution

In the extreme case, we could have some explicit pairing (sort of like Bluetooth) between 1Password mini and the extension.  That is, the browser extension may display some number that you have to type into 1Password mini (or the other way around).  With this user intervention we can provide solid mutual authentication, but that user action would need to be done every time either the browser or 1Password mini is launched.

Quite frankly, there is no really good solution for this. To date, our approach has been to put in those authentication checks that we have and keep an eye out for any hints of malware that exploits the known limitations of what we do.

Is 1Password for iOS affected?

The research paper isn’t limited to discussing inter-process communication (IPC) that is done through websockets, but covers a wide range of mechanisms used on Apple systems. This includes some mechanisms that we may use for some features in 1Password for iOS.

Shared data security

1Password for iOS shares some of its data with the 1Password app extension. As most of that data is encrypted with your Master Password, it is not a substantial problem if that data becomes available to attackers. The exception, of course, is the TouchID secret.

As yet, we have not had a chance to test whether there is any exposure there, but watch this space for updates.

Conclusion

We truly are grateful for the active security community, including Luyi Xing and his team, who take the time to test existing security measures and challenge us to do better. Our analysis of the researchers’ findings will continue and we will post an update if further action is necessary.

1Password tips

Quick Tip: Migrate your details between 1Password items

We all have our own ways of keeping things neat and tidy, and having something out of place can just throw your whole day out of whack. Luckily, 1Password mini can help you keep things organized just the way you like them.

Let’s say someone sends you the details for the Wi-Fi router at their house, but it’s in a Secure Note instead of the Wireless Router template for 1Password.

Wireless network data stored in a Secure Note

If you’re like me, this is the kind of thing that could make you a bit, well…

homer_go_crazy

So, let’s move the relevant data over to a new Wireless Router item and set things right with a few simple steps:

1. Create the new item

In 1Password, create a new item in the proper category. Launch 1Password, and choose File > New Item > Wireless Router. This is the new item where the previous Secure Note’s content will go. Leave this new item in edit mode.

Create a new Wireless Router item

2. Open the original item in 1Password mini and anchor it

Click the 1Password mini icon in the toolbar and search for or browse to the Secure Note containing the details you want to migrate to the new entry. Click the anchor button in the bottom left of the detail view to keep the item on screen.

Copy and paste the details

3. Copy and paste

At this point, you can copy and paste the relevant information from the original item. You can also create new sections and fields for any important information that doesn’t fit elsewhere. When you’re finished, save the new item.

4. Delete the original item

At this point, the original item is no longer needed and can be safely deleted.

5. Bonus points: share!

Share the new entry with the person who sent you the Secure Note version using the item’s Share button.

Share the item

This use case comes up for me more often than I would have thought in the past. The Wireless Router example is a real one from a recent trip to visit the team in our Toronto office. Beyond that, I have quite a few items I exported from Yojimbo long ago, and those only exported as plain text files. I imported those text files as Secure Notes in 1Password and I have been migrating them to proper 1Password entries here and there over time. Instead of switching back and forth between items in 1Password, using 1Password mini’s anchored windows helps to make the process of migrating data between categories a lot simpler.

because we love you sale, feature image

The Because We Love You Sale

UPDATE: The Because We Love You Sale will be ending the evening of May 27, 2015.

Everything we do here at AgileBits is with you in our hearts & minds: whether it’s sharing tips & tricks to enhance your security, squashing bugs & implementing exciting new features, or answering your questions in our Support Forums, our focus is always on you.  And every once in a while we like to go all out and show how much we appreciate you by having a good old-fashioned sale.

We usually like to focus a sale around a holiday or a release from a certain California-based fruit company, but today we were searching for another reason to celebrate. So we gathered our crack marketing team around the MacBook and started brainstorming ideas:

  • Dinosaurs are awesome! Okay, maybe we’re just really excited for that new prehistoric blockbuster that’s coming soon to a theater near you.
  • Someone on the team had a birthday! It’s true, there’ve been a number of May birthdays here at AgileBits, but we’ve already overdosed on sugary frosting.
  • Baseball’s back! But really, we just wanted to sing “Take me out to the ballgame.”
  • Spring is here?  It’s been done a billion times before.  Boring.
  • We love you! Oh, there it is. What better reason do we need than just to simply say…

we love you. And to show how much we care, we’re knocking 30% off 1Password across the board on Mac, Windows, iOS, and Android.

While our love for you will last forever, this sale won’t. So if you or someone you love has been holding off on buying 1Password, now is the time to say, “I love you, too.”

You can pick up a Mac/Windows bundle (or grab them separately) on our AgileBits Store. 1Password for Mac is also available on the Mac App Store. And 1Password for iOS is on the iOS App Store, and 1Password for Android on Google Play.

more than just passwords

Staying on top of deadlines and expiry dates

1Password is at its best when it’s helping us forget — not just our passwords and credit card numbers, but also where we put that thing. 1Password remembers, so we don’t have to. It’s easy to get hooked on this line of thinking. You start to ask yourself: what else can I afford to forget about?

How about deadlines? I’m not talking about calendar appointments. Think instead of the warranty on your laptop — the one that always runs out days before you need to use it. Think of the gift card you need to spend before Father’s Day. The domain name you keep forgetting to renew. The annual subscription you plan to cancel before you get charged again.

So much of our sensitive information comes with a best before date — and 1Password is great at keeping track of best before dates.

expires soon

You’re probably used to filling in the expiry date field for your credit card, but you might know that it’s also built into lots of other 1Password items — Passports, Memberships, Driver’s Licenses, etc. You can also add it to your own items using custom fields.

Once you assign expiry dates to all your time-sensitive items, you’re one smart folder away from seeing anything that needs your immediate attention.

expiry smart folder

The key to making this work is the second field (“Any Value” -> “contains”), which I’ve set to the current year. You could also fill in “2015-05″ to see only the items that expire in May, but tweaking this value every month might be too fiddly for your tastes. I find a year’s worth of expiry dates is manageable so long as I review the folder every once in a while.

1Password won’t ever replace my calendar, but there are some due dates it handles with style — especially when it comes to information I can’t risk keeping anywhere else.

How do you use 1Password to make your life a little more manageable? We’d love to find out. Share your creative ideas in the comments!

1PM icon 1024

1Password 5.3 for Mac: The Bionic Edition is out!

We last heard from our hero, 1Password for Mac, in version 5.1. Sadly, version 5.2 suffered a tragic accident. The development team refused to give up. “We can rebuild it,” they said. “We have the technology. We have the capability to make the world’s first bionic password manager. 1Password 5.3 for Mac will be that app. Better than it was before. Stronger…Faster…Better.”

We proudly present 1Password 5.3 for Mac, now available for Mac App Store and AgileBits Store customers, and it won’t cost six million dollars (it’s a free update for all 5.x owners).

Two-Steps Stronger

Barcode Scanner With BorderWe recently introduced our TOTP feature — Time-Based One-Time Passwords — in iOS and Windows, and now we’re bringing it to the Mac. TOTPs are increasingly used as an extra layer of security by companies from Dropbox to Tumblr, so now you’re ready for them with 1Password for Mac. To learn how to add TOTP to 1Password for Mac, check out our handy dandy guide and video!

Faster Communication

1Password makes you more secure online, but it also saves you time by logging you in and filling long, tedious forms with a single click. Now it can help you make phone calls and start emails with one click, too.

We’ve added great new features in v5.3 to make it even easier for you to keep in contact with your sidekick. You can click on phone numbers that you’ve added to Identities to start FaceTime Audio or Skype calls, or click on an email address to start emails.

This works not only in the default fields for these in items like Identities and Software Licenses, but also in custom fields.

synapse_brainA Better Brain

Did you know 1Password has a Brain that handles the under-the-hood tasks of figuring out webpages and filling your Logins, Identities, and Credit Cards into forms? In v5.3, we gave the Brain a heavy dose of B and D vitamins, as well as some omega–3 dev classes and shared objects to make it much faster and smarter when filling said forms and generally saving you oodles of time.

Too much more to list

We also implanted a plethora of custom field options, some great 1Password mini nips and tucks, and Secure Notes can now have custom fields and sections.

Actually, I’d love to list all the great stuff we packed into this free update, but there’s a chance such an extensive post might break WordPress. Instead, you can check out the full details in our release notes. To get the update, just hit the Mac App Store’s Updates tab, or for our AgileBits Store version, click 1Password 5 > Check for Updates in the menubar.

1PM icon 1024

The new wonderful-ness of Wi-Fi sync

The ability to have your secure password data with you on all of your devices is one of the most important features of 1Password. Of course, strong encryption of your data is vital as well, but it is sync that ensures that you can use these strong and unique passwords across all your devices easily.

Ensuring that users have access to their data everywhere they need it is not always a simple process. Let’s take a look at the development of Wi-Fi sync in 1Password, and see some of the great improvements our developers have made lately.

The beginning of Wi-Fi

We begin back before the dawn of 1Password 4. The Wi-Fi Sync of 1Password 3 provided a… less than ideal user experience. When our developers sharpened their tools to craft 1Password 4, the initial version of 1Password 4 for iOS was released without the feature.

Users were not content with this omission and lobbied us by forum and by email and by all means necessary, declaring their love for Wi-Fi Sync (and as well they should!) Hearing their pleas, our developers went back to the Agile Forge and re-designed Wi-Fi Sync for its triumphant return in 1Password 4 for Mac.

Wi-Fi’s triumphant return

Even after we reintroduced Wi-Fi Sync in 1Password 4 for Mac, we knew we could do better. We kept polishing and strengthening the feature, and now with the release of the Syncerrific Edition, Wi-Fi Sync is the powerful, cloud-free sync option that our users both need and deserve.

Let’s look at some of the improvements to Wi-Fi sync in 1Password 5:

  • Attachments: Wi-Fi sync now syncs every nook and cranny of your vault … including all of your attachments.
  • Multiple Vaults: Got multiple vaults? No problem. Wi-Fi sync can handle that. Sync all your vaults to your mobile devices without ever touching the cloud.
  • Automatic: No more need to frequently type in secrets – sync your data whenever your devices are linked to the same Wi-Fi network as your Mac.

1Password 5 Wi-Fi preferences

Learn about how to set up Wi-Fi sync for all of your vaults in our User Guide.

We’d like to thank all our wonderful users for their persistence. 1Password is a better, stronger, faster product for you today because you keep us on our toes.

Keep being awesome.

1PM icon 1024

1Password 5.1 for Mac: The Syncerrific Edition is here

Judging from the title, you might think this update is about Watchtower enhancements or properly formatting credit card numbers, but you would be only half right! 1Password 5.1 for Mac, rolling out now to the the AgileBits Store and Mac App Store, is all about sync.

In short, we completely overhauled how you manage sync for your primary and secondary vaults to save you time. In Preferences > Sync, you can now view all your vaults and how they sync, and change sync methods with a click.

OPM5 new sync pane

Wi-Fi Sync users also get a whole new Preferences pane that makes setup much easier. Oh, and secondary vaults can now sync via Wi-Fi!

We packed lots of other great changes into v5.1 for Mac, from copying addresses in Identities with just a click to support for Portuguese. You can view the full changelog for all the details.

1Password 5.1 for Mac is a free update available now for all v5 owners. If you’re a Mac App Store customer, please leave us a great rating and review, they really help!

As always, let us know what you think on Twitter and Facebook, and stay in touch with the AgileBits newsletter!

iMore Best 2014 Awards

iMore names 1Password 5 for iOS an App of the Year for 2014!

It isn’t every day that we have a chance at winning a best-of-the-year award from iMore. In fact, I am told that the opportunity comes only once a year.

And this year we won!

We are thrilled and thankful and just plain touched that iMore named 1Password 5 as the iOS Utility App of the Year for 2014, and 1Password 5 for Mac as a runner-up for Mac Utility App of the Year!

iMore reviewed and listed a ton of stuff for its awards this year, from apps to accessories for both iOS and the Mac. It’s a great list from a bunch of smart folks, so be sure to give the entire thing a look!