Shield Security header

When a Leak Isn’t a Leak

Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves, but his main concern was how the AgileKeychain handles item URLs. While we widely documented this design decision and shared it publicly, Dale was surprised to find out that we didn’t encrypt URLs within the keychain. We want to reassure users that rely on AgileKeychain that their password data is safe and secure, and take the time to walk through our data formats to explain the issue completely.

AgileKeychain & OPVault Data Formats

Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).

In December 2012, we introduced a new format that encrypted much more of the metadata. OPVault, our newer and stronger data format, provided authenticated encryption as well as many other improvements for 1Password users.

This format worked well in situations where we didn’t need to worry about backwards compatibility, including iCloud and local storage on iOS and Mac. For Windows, Android, and Dropbox syncing, however, we needed to decide if we should migrate to the new format or provide compatibility with older versions of 1Password.

We decided to take a conservative approach and not automatically migrate everyone over to OPVault because many users depend upon older versions of 1Password and they wouldn’t be able to log into their accounts. We knew we could trust the security of the AgileKeychain to protect confidential user data so we didn’t want to rush into something that would disrupt people’s workflows.

Switching to OPVault

Despite the security of AgileKeychain remaining intact, Dale reminded us that its time to move on. The OPVault format is really great in so many ways and we should start sharing it with as many users as possible.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users. For users who would like to switch to OPVault sooner than this, here’s how you can get started immediately:

To avoid losing access to your data, be sure to back up your 1Password data beforehand, and only follow these instructions if you are NOT using any legacy versions of 1Password. If you have any questions or concerns, or would like to migrate but aren’t sure if your version of 1Password is affected, our knowledgebase, forums and support team are here to help.

Featured Image: Google Chrome (Scenery)

Adventures in beta testing, continued: Google Chrome Canary

Or, If you’re living on the bleeding edge, expect some paper cuts.

The Chromium team (the open-source project behind Google Chrome) is doing an amazing job of constantly moving the web forward and making the web a safer place for users of Google Chrome.

Recently, many users of the latest pre-release versions of Google Chrome have notified us that the 1Password extension refuses to work in OS X and Windows, showing the following error message:

1Password extension looking for app

What is going on?

The Google Chrome developers have started implementing changes to the types of connections extensions are allowed to establish. These changes are part of a larger and more complex plan to harden Google Chrome against certain kinds of web-based attacks (like cross-site request forgery attacks), in which a malicious website or extension attempts to compromise internal network devices and processes listening on the localhost IP address.

Unfortunately, in the process of implementing these new security measures, something was broken in a way that results in many Chrome extensions, including 1Password, not working anymore in the Canary build and the dev channel of Chrome.

What seems to be the issue?

The 1Password web browser extension needs to communicate with a helper process that runs in the background to access your 1Password data (1Password mini in OS X and 1Password Helper in Windows). This is facilitated by establishing WebSocket protocol connections at the localhost address of a computer. WebSocket connections are similar to the typical HTTP requests your web browser performs when visiting a website.

The way we understand the current situation is this:

  1. An extension tries to open a ws:// (WebSocket) connection.
  2. Chrome recognises the chrome-extension protocol and checks whether the connection attempt has a secure origin.
  3. If Chrome determines that the connection is not secure, it rejects the attempt and any further connection requests are never even attempted beyond that.

In the case of 1Password, this results in the extension thinking that the 1Password application does not exist on the PC/Mac in the first place or that something is blocking the WebSocket connection.

What is going to happen?

This is an ongoing issue that we’re still investigating but so far it is clear that the Chromium development community has recognised that many extensions communicate with host applications using WebSocket and other protocols. To our current knowledge, they are treating this issue as a regression in need of fixing, but any fix requires careful consideration in light of their efforts to increase security.

There are various active discussion threads and bug reports related to this situation in the Chromium project. To name only a few:

What to do now?

Testing pre-release software can be fun and is incredibly useful for the developers of that software and the developers of apps that interact with it — seriously, we love our beta testers. 1Password supports the latest stable builds of Safari, Chrome, Firefox, and Opera. While we make every effort to maintain compatibility with Beta, Dev, Nightly, Canary builds or other birds or browsers, we can’t guarantee that 1Password will always work as browsers go through their various development and release cycles.

If 1Password is as essential to your daily life as it is to ours, our suggestion is to temporarily return your browser to the stable version and check out the new Canary build/dev channel releases in a week or two — did I mention how much we appreciate beta testers sending in feedback? If you do want to live on the bleeding edge, please be aware of the potential for bugs in development and public beta versions of browsers and software in general and be patient with the developers of browsers, apps, and extensions as they negotiate a shifting landscape. We’ve added the article, “Prerelease (beta, dev, nightly) browser builds,” to our knowledge base to keep you apprised of any issues with unfinished versions of browsers.

As with any other questions regarding 1Password, please sound off about any issues you run into when using 1Password with pre-release versions of browsers in our discussion forums.

Windows v4 blog

1Password and Windows 10: On the Edge of greatness

With the release of Microsoft’s latest operating system, you might be asking yourself, “Self, am I ready for Windows 10?” And while we at AgileBits wouldn’t presume to answer that question for you, we’re pleased to announce that 1Password is ready when you are!

Using Windows 10

A number of us have already been using Windows 10 regularly—and loving it. And it turns out that 1Password loves Windows 10 too! But while you’ll be able to hit the ground running and use 1Password as you always have, just be sure that your other hardware and software are ready to make the leap. And back up, back up, and back up some more.

Livin’ on the Edge

One significant change in Windows 10 that will be of interest to 1Password users is the addition of Microsoft’s latest and greatest web browser, Edge. Previously known as “Spartan,” we’ve found it to be fast, stable, and rather pleasant to use.

However, there’s a catch: Edge does not yet support extensions, so at this time there is no way to use the 1Password extension in Edge as you do in Firefox, Chrome, and Internet Explorer.

The good news is that Internet Explorer is still around, and 1Password works great in IE 11, along with our other favourite browsers. Word on the street is that Microsoft Edge will support extensions in the near future; we’re looking forward to seeing if that will enable us to provide 1Password extension support in the new browser.

Wi-Fi Sense, and the cost of convenience

One thing that you should know about is a new feature called Wi-Fi Sense. This feature has been present on Windows Phone for a while now, but it’s a new addition to the desktop OS. Wi-Fi Sense shares Wi-Fi network access between you and your Outlook, Skype, and Facebook contacts. While this may be convenient (even magical) for some, it also presents some security fodder for your consideration. With Windows 10 now unleashed, it’s especially important to understand how Wi-Fi Sense works, and then make an informed decision.

The Lowdown

Wi-Fi Sense can share most of your saved Wi-Fi connections. Windows keeps your saved Wi-Fi connections when you upgrade, so if you’ve been using Windows for a while, this might be a lengthy list. All the networks to which you’ve previously connected have the potential to be shared using Wi-Fi Sense.

It’s also important to note that Wi-Fi Sense doesn’t let you individually choose with whom you share your Wi-Fi connections; rather, they’re available to all of your contacts on a service (Outlook, Skype, Facebook) if that service is enabled.

The Downlow

One aspect of Wi-Fi Sense that is easy to overlook is that sharing is a two-way street: not only are you sharing your saved Wi-Fi connection information with your contacts, they’re also sharing theirs with you. Additionally, open hotspots are crowdsourced; unless you opt out, your Windows 10 devices will automatically connect to many unsecured Wi-Fi networks. Since these can be compromised or spoofed, we definitely recommend using protection (such as VPNs and encryption) any time you connect to Wi-Fi networks you don’t control.

The more you know…

If you’ve only ever used a wired connection, Windows won’t have a Wi-Fi connection saved, and therefore won’t be able to give it away to Facebook Guy and the rest. You can disable Wi-Fi Sense in Windows 10 by going to Wi-Fi > Network settings > Manage Wi-Fi settings and flipping the switch to turn it off. If you add “_optout” to end of your SSID (network name), your Wi-Fi network will be opted out of Wi-Fi Sense.

Windows 10 Wi-Fi Sense

Microsoft’s Wi-Fi Sense FAQ contains a lot of information to help you decide whether to keep this feature enabled. Here are some highlights:

  • When using Express setup, many of the Wi-Fi Sense options are enabled by default
  • Your contacts don’t see your Wi-Fi network password
  • You choose which Wi-Fi network connections you want to share
  • Network connections are shared only with contacts who also have Wi-Fi Sense enabled
  • Network connections are shared with your contacts, but not their contacts

If you’re a Windows Insider or early adopter, we hope you’re enjoying Windows 10. If you have any questions or feedback about 1Password, please share your thoughts in our discussion forums. We love hearing from you.

Windows v4 blog

1Password 4.6 for Windows: Fine-tuning the air conditioner

I’m not sure what it’s like where you are, but it’s been HOT lately, here in Germany. Recent days have had many on the team wishing they could work in their underwear. (Spoiler alert: I believe many already do.)
And just like fine-tuning an air conditioner in the house can make the difference between melting like ice in the sunshine and constantly looking like a plucked goose, we’re using version 4.6 of 1Password for Windows to make some useful improvements and fix a few bugs, to make things extra comfy for you.

Here’s the new coolness:

1Password + Yandex = best pals

The 1Password extension now works nicely in the privacy-focused Yandex browser. To install it, simply visit our browser extensions page in Yandex. Yandex will identify itself as Google Chrome (it’s based on the Chromium project) and from there you can install the extension like you usually would in Google Chrome.

Usernames column in the Logins category

You asked for it, we’ve listened. Now you can have a username column in the Logins category. To enable it, select View > Columns > Show Username in Logins in the menu bar.

Reordering Favorites

Don’t like the order of your favorites? Now you can reorder them by right-clicking the item you want to move up or down and selecting the appropriate menu option.

New custom field type: Phone

Once you add a custom phone field to an item, clicking the phone number will allow you to dial it with your favorite VoIP application or hand off the call to your smartphone by using a remote phone app for Android or Windows Phone.

More cool stuff…

  • The reliability of 1Click Bookmarks in Internet Explorer has been vastly improved.
  • The date picker in all categories now includes month digits next to the month name.
  • Our translators have further refined the localization of the app.

You can find the entire list of new features, improvements, and bug fixes in the release notes.

1Password 4.6 for Windows is available now as a free update for all existing owners. Choose Help > Check for New Version in the menu bar, or grab the new version from our downloads page.

because we love you sale, feature image

The Because We Love You Sale

UPDATE: The Because We Love You Sale will be ending the evening of May 27, 2015.

Everything we do here at AgileBits is with you in our hearts & minds: whether it’s sharing tips & tricks to enhance your security, squashing bugs & implementing exciting new features, or answering your questions in our Support Forums, our focus is always on you.  And every once in a while we like to go all out and show how much we appreciate you by having a good old-fashioned sale.

We usually like to focus a sale around a holiday or a release from a certain California-based fruit company, but today we were searching for another reason to celebrate. So we gathered our crack marketing team around the MacBook and started brainstorming ideas:

  • Dinosaurs are awesome! Okay, maybe we’re just really excited for that new prehistoric blockbuster that’s coming soon to a theater near you.
  • Someone on the team had a birthday! It’s true, there’ve been a number of May birthdays here at AgileBits, but we’ve already overdosed on sugary frosting.
  • Baseball’s back! But really, we just wanted to sing “Take me out to the ballgame.”
  • Spring is here?  It’s been done a billion times before.  Boring.
  • We love you! Oh, there it is. What better reason do we need than just to simply say…

we love you. And to show how much we care, we’re knocking 30% off 1Password across the board on Mac, Windows, iOS, and Android.

While our love for you will last forever, this sale won’t. So if you or someone you love has been holding off on buying 1Password, now is the time to say, “I love you, too.”

You can pick up a Mac/Windows bundle (or grab them separately) on our AgileBits Store. 1Password for Mac is also available on the Mac App Store. And 1Password for iOS is on the iOS App Store, and 1Password for Android on Google Play.

Windows v4 blog

Turbo boost 1Password for Windows with new 4.5 version

Ctrl+\ has become muscle memory for millions of 1Password users all around the world. It’s hard to beat the speed of a customizable keyboard shortcut. Unless, of course, we focus on what happens after you invoke the 1Password extension in your web browser.

The technology behind the extension is what fills your 1Password information in web forms. It’s an incredibly complex system that we lovingly call The Brain, and it has received a serious upgrade in 1Password 4.5 for Windows. What this means for you is that filling web forms is now faster and more accurate than ever before.

An upgraded Brain is only one of the time-saving, experience-enhancing improvements in 1Password 4.5, which is a free update and available to download right now from our website.

Time-based, One-Time Passwords (TOTPs)

These single-use passwords are becoming more commonplace as a supplementary security measure to protect online accounts. If you’re not familiar with them, our blog post will help you learn how to use them in 1Password. Not only is it possible to add a time-based, one-time password to your Login items in 1Password 4.5, but it’s a cinch to do it.

Personalize Secure Notes with custom fields

Custom fields are great. They let you modify an item’s details view to hold exactly the information you want, formatted in a way that makes sense to you. In version 4.5, we’ve introduced custom fields to the Secure Notes item type.

Adding custom fields to your secure notes

1Password speaks your language

We have begun localizing 1Password for Windows and are kicking things off with nine languages. Thanks to our wonderful translators, they are:

  • Czech
  • Dutch
  • English
  • French
  • German
  • Italian
  • Polish
  • Spanish
  • Swedish

If you’d like to help translate 1Password into your language, you can create a free Crowdin account and join us at

Report website issues with Synapse

The 1Password extension is pretty much continuously being improved. It has to be, because there are umpteen billion websites out there, many with their own quirks and many others constantly changing. Now, you can help us ensure maximum compatibility by reporting any website issues you encounter.

In the extension menu, select the option to report an issue with the current website.

In the old days, you’d report a website and we’d ask you all sorts of questions, trying to learn any detail that might help us reproduce and diagnose the problem. No more! There are no lengthy questions to answer and you don’t have to know every minute detail about your web browser or the website. Our new website reporter makes it super easy: simply select the option in the extension menu and all the relevant information is already filled out for you.

Accessibility, Wi-Fi Sync, and more

If you use the NVDA screen reader, you should notice a marked improvement in this release. We are committed to making 1Password fully accessible to you, and there’s always room for improvement. We’d love your help in determining what most needs our attention. Please let us know how we’re doing!

Last on the list of highlights, but certainly not least, is Wi-Fi Sync. This is a wonderful way for you to sync 1Password for Windows with 1Password for iOS when you’re on the same wireless network, if you prefer not to use cloud-based services. We are constantly working to improve performance and reliability, and Wi-Fi Sync has received a nice coat of polish in this update.

1Password 4.5 for Windows is available now as a free update for existing owners (Help > Check for New Version), or you can grab a new copy from our downloads page. Thank you for choosing 1Password!

Windows v4 blog

1Password 4.2 for Windows is chock-full of perks and improvements

I don’t get to pull ‘chock’ off the shelf very often, but this is a special occasion. 1Password 4.2 for Windows is here, and it’s a free update with all sorts of new goodies to help you work and play better.

Check out the greatest hits in this release:

  • new users get a much better experience
  • You can use the View menu to hide the Wallet and Accounts groups from the sidebar
  • Wi-Fi Sync is now clearer about what it’s up to
  • The password strength meter is much strength-ier
  • We added Secure Desktop buttons to the Change Password window
  • The Auto-Save dialog now allows adding tags
  • We improved how we log into non-web-browser apps
  • Added support for logging into SAP
  • Our Internet Explorer extension now catches and prompts to save changed passwords

Oh, and new keyboard shortcuts are in the house:

  • Ctrl+E – Edit item
  • Ctrl+S – Save item
  • Ctrl+1 – Ctrl+9 – Switch between vaults

These join a laundry list of improvements our Windows team has been making lately, as well as some upcoming surprises they have in store. Auto-Type working with Skype and OneDrive, one-time passwords, the option to lock 1Password when your browser is closed, and better subdomain matching all make cameos on our extensive release notes.

1Password 4.2 for Windows is available now as a free update for existing owners (Help > Check for new version), or you can take a new copy for a spin from our downloads page.

Windows v4 blog

1Password for Windows gets TOTP, more control

Yep, it was a busy holiday season and early 2015 for us. We have a lot planned for 2015, and rolling out support for TOTP—Time-Based One-Time Passwords—to our Windows customers is just the next big step.

Available in our latest Windows update, 1Password 4 for Windows joins our iOS version with support for creating and managing TOTPs. A growing number of services implement them as a secondary layer of security, and you can learn more about this system at

We also packed in support for Terminal Services and Citrix, polished up the Quick Start and Welcome process for new customers, improved the Dropbox vault picker, and improved plenty of other stuff.

You can see the full list of changes in our release notes, or fire up 1Password’s in-app updater to get the details. Let us know what you think on Twitter @1Password and on, and stay in touch with the AgileBits Newsletter!

1PW4 expand notes field

1Password for Windows Tips: The Incredible Expanding Notes

All 1Password items have a notes field where you can add any extra details you want. Some people add street addresses to items that have physical locations, others add device serial numbers to their maker’s Login items for quick reference.

A nice trick in 1Password 4 for Windows is the Notes field can expand when you need more room. If you simply mouseover the Notes field’s bottom bar (the one that separates it from Tags), you can click and drag to make it larger and add whatever you need.

1P icon 200

1Password 4.1 for Windows puts more control at your fingertips

1P icon 200I have to say, 1Password 4 for Windows has been our 1Passwordiest yet. You’ve given us a ton of great feedback, so we’re back with our first big, free update.

To put it simply, you get more control over some of 1Password’s little details that make a big difference. In v4.1, you can enable rich icons for an even prettier view of your items (View > Show Rich Icons) and lock 1Password when you close your browser (check File > Preferences (Ctrl+P) > Security).

For those who often have many Logins for a particular site, check File > Preferences (Ctrl+P) > Logins > Show X more items… to see more of them at a time.

We also made a ton of improvements across the board to everything from keyboard shortcuts to icon display, linking our fantastic new help guides, adding attachments to items and support for the Comodo Dragon browser, and much more. Check out our full v4.1 release notes for the quite the list of details.

The latest version of 1Password 4.1 for Windows is available now via our built-in automatic updater.