
Adventures in beta testing, continued: Google Chrome Canary

Or, if you’re living on the bleeding edge, expect some paper cuts.

The Chromium team (the open-source project behind Google Chrome) is doing an amazing job of constantly moving the web forward and making the web a safer place for users of Google Chrome.

Recently, many users of the latest pre-release versions of Google Chrome have notified us that the 1Password extension refuses to work in OS X and Windows, showing the following error message:

[Screenshot: 1Password extension looking for app]

What is going on?

The Google Chrome developers have started implementing changes to the types of connections extensions are allowed to establish. These changes are part of a larger and more complex plan to harden Google Chrome against certain kinds of web-based attacks (like cross-site request forgery attacks), in which a malicious website or extension attempts to compromise internal network devices and processes listening on the localhost IP address.

Unfortunately, in the process of implementing these new security measures, something was broken in a way that results in many Chrome extensions, including 1Password, not working anymore in the Canary build and the dev channel of Chrome.

What seems to be the issue?

The 1Password web browser extension needs to communicate with a helper process that runs in the background to access your 1Password data (1Password mini in OS X and 1Password Helper in Windows). This is facilitated by establishing WebSocket protocol connections at the localhost address of a computer. WebSocket connections are similar to the typical HTTP requests your web browser performs when visiting a website.

The way we understand the current situation is this:

  1. An extension tries to open a ws:// (WebSocket) connection.
  2. Chrome recognises the chrome-extension protocol and checks whether the connection attempt has a secure origin.
  3. If Chrome determines that the connection is not secure, it rejects the attempt, and no further connection requests are even attempted after that.

In the case of 1Password, this results in the extension thinking that the 1Password application does not exist on the PC/Mac in the first place or that something is blocking the WebSocket connection.
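The attack class mentioned above (a web page reaching a process that listens on localhost) is usually also addressed on the listening side, by pinning the `Origin` of the WebSocket handshake. The following is an added example, not 1Password's code: the extension ID, host, port and function names are placeholders, and the handshake rules come from RFC 6455.

```python
import base64
import hashlib

# Fixed GUID defined by RFC 6455 for computing Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Placeholder extension ID (assumption): a real helper would pin the ID of
# its own published extension here.
ALLOWED_ORIGINS = frozenset({"chrome-extension://" + "a" * 32})


def parse_handshake(raw):
    """Split an HTTP upgrade request into its request line and headers.

    Values are kept as lists so that a duplicated Origin header cannot slip
    past the check through first-wins or last-wins parsing.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


def single(headers, name):
    """Return the header value only if the header appears exactly once."""
    values = headers.get(name, [])
    return values[0] if len(values) == 1 else None


def valid_key(key):
    """A client key must be the base64 encoding of exactly 16 bytes."""
    try:
        return key is not None and len(base64.b64decode(key, validate=True)) == 16
    except ValueError:
        return False


def accept_token(key):
    """Compute the Sec-WebSocket-Accept value for a client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def respond(raw):
    """Return the helper's handshake response: 101, 400 or 403."""
    try:
        request_line, headers = parse_handshake(raw)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    method = request_line.split(" ", 1)[0]
    upgrade = (single(headers, "upgrade") or "").lower()
    tokens = [t.strip() for t in
              (single(headers, "connection") or "").lower().split(",")]
    key = single(headers, "sec-websocket-key")
    well_formed = (method == "GET" and upgrade == "websocket"
                   and "upgrade" in tokens
                   and single(headers, "sec-websocket-version") == "13"
                   and valid_key(key))
    if not well_formed:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    # Exact string match: a missing, duplicated or unknown Origin is refused.
    if single(headers, "origin") not in ALLOWED_ORIGINS:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_token(key)}\r\n\r\n").encode("ascii")


def sample_request(*origins):
    """Constructed handshake; the key is the sample nonce from RFC 6455."""
    lines = ["GET / HTTP/1.1", "Host: 127.0.0.1:8080", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Version: 13",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]
    lines += [f"Origin: {origin}" for origin in origins]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    extension = "chrome-extension://" + "a" * 32
    for label, req in [("extension", sample_request(extension)),
                       ("web page", sample_request("https://attacker.example")),
                       ("no origin", sample_request())]:
        print(label, "->", respond(req).split(b"\r\n", 1)[0].decode())
```

An Origin check only constrains callers that go through a browser, which sets the header itself; a native program on the same machine can send any Origin it likes, so the helper still needs its own authentication of the peer.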

What is going to happen?

This is an ongoing issue that we’re still investigating but so far it is clear that the Chromium development community has recognised that many extensions communicate with host applications using WebSocket and other protocols. To our current knowledge, they are treating this issue as a regression in need of fixing, but any fix requires careful consideration in light of their efforts to increase security.

There are various active discussion threads and bug reports related to this situation in the Chromium project. To name only a few:

What to do now?

Testing pre-release software can be fun and is incredibly useful for the developers of that software and the developers of apps that interact with it — seriously, we love our beta testers. 1Password supports the latest stable builds of Safari, Chrome, Firefox, and Opera. While we make every effort to maintain compatibility with Beta, Dev, Nightly, Canary builds or other birds or browsers, we can’t guarantee that 1Password will always work as browsers go through their various development and release cycles.

If 1Password is as essential to your daily life as it is to ours, our suggestion is to temporarily return your browser to the stable version and check out the new Canary build/dev channel releases in a week or two — did I mention how much we appreciate beta testers sending in feedback? If you do want to live on the bleeding edge, please be aware of the potential for bugs in development and public beta versions of browsers and software in general and be patient with the developers of browsers, apps, and extensions as they negotiate a shifting landscape. We’ve added the article, “Prerelease (beta, dev, nightly) browser builds,” to our knowledge base to keep you apprised of any issues with unfinished versions of browsers.

As with any other questions regarding 1Password, please sound off about any issues you run into when using 1Password with pre-release versions of browsers in our discussion forums.

Windows v4 blog

1Password and Windows 10: On the Edge of greatness

With the release of Microsoft’s latest operating system, you might be asking yourself, “Self, am I ready for Windows 10?” And while we at AgileBits wouldn’t presume to answer that question for you, we’re pleased to announce that 1Password is ready when you are!

Using Windows 10

A number of us have already been using Windows 10 regularly—and loving it. And it turns out that 1Password loves Windows 10 too! But while you’ll be able to hit the ground running and use 1Password as you always have, just be sure that your other hardware and software are ready to make the leap. And back up, back up, and back up some more.

Livin’ on the Edge

One significant change in Windows 10 that will be of interest to 1Password users is the addition of Microsoft’s latest and greatest web browser, Edge. Edge was previously known as “Spartan,” and we’ve found it to be fast, stable, and rather pleasant to use.

However, there’s a catch: Edge does not yet support extensions, so at this time there is no way to use the 1Password extension in Edge as you do in Firefox, Chrome, and Internet Explorer.

The good news is that Internet Explorer is still around, and 1Password works great in IE 11, along with our other favourite browsers. Word on the street is that Microsoft Edge will support extensions in the near future; we’re looking forward to seeing if that will enable us to provide 1Password extension support in the new browser.

Wi-Fi Sense, and the cost of convenience

One thing that you should know about is a new feature called Wi-Fi Sense. This feature has been present on Windows Phone for a while now, but it’s a new addition to the desktop OS. Wi-Fi Sense shares Wi-Fi network access between you and your Outlook, Skype, and Facebook contacts. While this may be convenient (even magical) for some, it also presents some security fodder for your consideration. With Windows 10 now unleashed, it’s especially important to understand how Wi-Fi Sense works, and then make an informed decision.

The Lowdown

Wi-Fi Sense can share most of your saved Wi-Fi connections. Windows keeps your saved Wi-Fi connections when you upgrade, so if you’ve been using Windows for a while, this might be a lengthy list. All the networks to which you’ve previously connected have the potential to be shared using Wi-Fi Sense.

It’s also important to note that Wi-Fi Sense doesn’t let you individually choose with whom you share your Wi-Fi connections; rather, they’re available to all of your contacts on a service (Outlook, Skype, Facebook) if that service is enabled.

The Downlow

One aspect of Wi-Fi Sense that is easy to overlook is that sharing is a two-way street: not only are you sharing your saved Wi-Fi connection information with your contacts, they’re also sharing theirs with you. Additionally, open hotspots are crowdsourced; unless you opt out, your Windows 10 devices will automatically connect to many unsecured Wi-Fi networks. Since these can be compromised or spoofed, we definitely recommend using protection (such as VPNs and encryption) any time you connect to Wi-Fi networks you don’t control.

The more you know…

If you’ve only ever used a wired connection, Windows won’t have a Wi-Fi connection saved, and therefore won’t be able to give it away to Facebook Guy and the rest. You can disable Wi-Fi Sense in Windows 10 by going to Wi-Fi > Network settings > Manage Wi-Fi settings and flipping the switch to turn it off. If you add “_optout” to the end of your SSID (network name), your Wi-Fi network will be opted out of Wi-Fi Sense.


Microsoft’s Wi-Fi Sense FAQ contains a lot of information to help you decide whether to keep this feature enabled. Here are some highlights:

  • When using Express setup, many of the Wi-Fi Sense options are enabled by default
  • Your contacts don’t see your Wi-Fi network password
  • You choose which Wi-Fi network connections you want to share
  • Network connections are shared only with contacts who also have Wi-Fi Sense enabled
  • Network connections are shared with your contacts, but not their contacts

If you’re a Windows Insider or early adopter, we hope you’re enjoying Windows 10. If you have any questions or feedback about 1Password, please share your thoughts in our discussion forums. We love hearing from you.


1Password 4.6 for Windows: Fine-tuning the air conditioner

I’m not sure what it’s like where you are, but it’s been HOT lately, here in Germany. Recent days have had many on the team wishing they could work in their underwear. (Spoiler alert: I believe many already do.)
And just like fine-tuning an air conditioner in the house can make the difference between melting like ice in the sunshine and constantly looking like a plucked goose, we’re using version 4.6 of 1Password for Windows to make some useful improvements and fix a few bugs, to make things extra comfy for you.

Here’s the new coolness:

1Password + Yandex = best pals

The 1Password extension now works nicely in the privacy-focused Yandex browser. To install it, simply visit our browser extensions page in Yandex. Yandex will identify itself as Google Chrome (it’s based on the Chromium project) and from there you can install the extension like you usually would in Google Chrome.

Usernames column in the Logins category

You asked for it, we’ve listened. Now you can have a username column in the Logins category. To enable it, select View > Columns > Show Username in Logins in the menu bar.

Reordering Favorites

Don’t like the order of your favorites? Now you can reorder them by right-clicking the item you want to move up or down and selecting the appropriate menu option.

New custom field type: Phone

Once you add a custom phone field to an item, clicking the phone number will allow you to dial it with your favorite VoIP application or hand off the call to your smartphone by using a remote phone app for Android or Windows Phone.

More cool stuff…

  • The reliability of 1Click Bookmarks in Internet Explorer has been vastly improved.
  • The date picker in all categories now includes month digits next to the month name.
  • Our translators have further refined the localization of the app.

You can find the entire list of new features, improvements, and bug fixes in the release notes.

1Password 4.6 for Windows is available now as a free update for all existing owners. Choose Help > Check for New Version in the menu bar, or grab the new version from our downloads page.


The Because We Love You Sale

UPDATE: The Because We Love You Sale will be ending the evening of May 27, 2015.

Everything we do here at AgileBits is with you in our hearts & minds: whether it’s sharing tips & tricks to enhance your security, squashing bugs & implementing exciting new features, or answering your questions in our Support Forums, our focus is always on you. And every once in a while we like to go all out and show how much we appreciate you by having a good old-fashioned sale.

We usually like to focus a sale around a holiday or a release from a certain California-based fruit company, but today we were searching for another reason to celebrate. So we gathered our crack marketing team around the MacBook and started brainstorming ideas:

  • Dinosaurs are awesome! Okay, maybe we’re just really excited for that new prehistoric blockbuster that’s coming soon to a theater near you.
  • Someone on the team had a birthday! It’s true, there’ve been a number of May birthdays here at AgileBits, but we’ve already overdosed on sugary frosting.
  • Baseball’s back! But really, we just wanted to sing “Take me out to the ballgame.”
  • Spring is here? It’s been done a billion times before. Boring.
  • We love you! Oh, there it is. What better reason do we need than just to simply say…

we love you. And to show how much we care, we’re knocking 30% off 1Password across the board on Mac, Windows, iOS, and Android.

While our love for you will last forever, this sale won’t. So if you or someone you love has been holding off on buying 1Password, now is the time to say, “I love you, too.”

You can pick up a Mac/Windows bundle (or grab them separately) on our AgileBits Store. 1Password for Mac is also available on the Mac App Store. And 1Password for iOS is on the iOS App Store, and 1Password for Android on Google Play.


Turbo boost 1Password for Windows with new 4.5 version

Ctrl+\ has become muscle memory for millions of 1Password users all around the world. It’s hard to beat the speed of a customizable keyboard shortcut. Unless, of course, we focus on what happens after you invoke the 1Password extension in your web browser.

The technology behind the extension is what fills your 1Password information in web forms. It’s an incredibly complex system that we lovingly call The Brain, and it has received a serious upgrade in 1Password 4.5 for Windows. What this means for you is that filling web forms is now faster and more accurate than ever before.

An upgraded Brain is only one of the time-saving, experience-enhancing improvements in 1Password 4.5, which is a free update and available to download right now from our website.

Time-based, One-Time Passwords (TOTPs)

These single-use passwords are becoming more commonplace as a supplementary security measure to protect online accounts. If you’re not familiar with them, our blog post will help you learn how to use them in 1Password. Not only is it possible to add a time-based, one-time password to your Login items in 1Password 4.5, but it’s a cinch to do it.

Personalize Secure Notes with custom fields

Custom fields are great. They let you modify an item’s details view to hold exactly the information you want, formatted in a way that makes sense to you. In version 4.5, we’ve introduced custom fields to the Secure Notes item type.


1Password speaks your language

We have begun localizing 1Password for Windows and are kicking things off with nine languages. Thanks to our wonderful translators, they are:

  • Czech
  • Dutch
  • English
  • French
  • German
  • Italian
  • Polish
  • Spanish
  • Swedish

If you’d like to help translate 1Password into your language, you can create a free Crowdin account and join us at https://crowdin.com/project/1password-for-windows-desktop.

Report website issues with Synapse

The 1Password extension is pretty much continuously being improved. It has to be, because there are umpteen billion websites out there, many with their own quirks and many others constantly changing. Now, you can help us ensure maximum compatibility by reporting any website issues you encounter.

In the extension menu, select the option to report an issue with the current website.

In the old days, you’d report a website and we’d ask you all sorts of questions, trying to learn any detail that might help us reproduce and diagnose the problem. No more! There are no lengthy questions to answer and you don’t have to know every minute detail about your web browser or the website. Our new website reporter makes it super easy: simply select the option in the extension menu and all the relevant information is already filled out for you.

Accessibility, Wi-Fi Sync, and more

If you use the NVDA screen reader, you should notice a marked improvement in this release. We are committed to making 1Password fully accessible to you, and there’s always room for improvement. We’d love your help in determining what most needs our attention. Please let us know how we’re doing!

Last on the list of highlights, but certainly not least, is Wi-Fi Sync. This is a wonderful way for you to sync 1Password for Windows with 1Password for iOS when you’re on the same wireless network, if you prefer not to use cloud-based services. We are constantly working to improve performance and reliability, and Wi-Fi Sync has received a nice coat of polish in this update.

1Password 4.5 for Windows is available now as a free update for existing owners (Help > Check for New Version), or you can grab a new copy from our downloads page. Thank you for choosing 1Password!


1Password 4.2 for Windows is chock-full of perks and improvements

I don’t get to pull ‘chock’ off the shelf very often, but this is a special occasion. 1Password 4.2 for Windows is here, and it’s a free update with all sorts of new goodies to help you work and play better.

Check out the greatest hits in this release:

  • New users get a much better experience
  • You can use the View menu to hide the Wallet and Accounts groups from the sidebar
  • Wi-Fi Sync is now clearer about what it’s up to
  • The password strength meter is much strength-ier
  • We added Secure Desktop buttons to the Change Password window
  • The Auto-Save dialog now allows adding tags
  • We improved how we log into non-web-browser apps
  • Added support for logging into SAP
  • Our Internet Explorer extension now catches and prompts to save changed passwords

Oh, and new keyboard shortcuts are in the house:

  • Ctrl+E – Edit item
  • Ctrl+S – Save item
  • Ctrl+1 – Ctrl+9 – Switch between vaults

These join a laundry list of improvements our Windows team has been making lately, as well as some upcoming surprises they have in store. Auto-Type working with Skype and OneDrive, one-time passwords, the option to lock 1Password when your browser is closed, and better subdomain matching all make cameos on our extensive release notes.

1Password 4.2 for Windows is available now as a free update for existing owners (Help > Check for new version), or you can take a new copy for a spin from our downloads page.


1Password 4.1.0.538 for Windows gets TOTP, more control

Yep, it was a busy holiday season and early 2015 for us. We have a lot planned for 2015, and rolling out support for TOTP—Time-Based One-Time Passwords—to our Windows customers is just the next big step.

Available in our latest Windows update, 1Password 4 for Windows joins our iOS version with support for creating and managing TOTPs. A growing number of services implement them as a secondary layer of security, and you can learn more about this system at TwoFactorAuth.org.

We also packed in support for Terminal Services and Citrix, polished up the Quick Start and Welcome process for new customers, improved the Dropbox vault picker, and improved plenty of other stuff.

You can see the full list of changes in our release notes, or fire up 1Password’s in-app updater to get the details. Let us know what you think on Twitter @1Password and on Facebook.com/1Password, and stay in touch with the AgileBits Newsletter!


1Password for Windows Tips: The Incredible Expanding Notes

All 1Password items have a notes field where you can add any extra details you want. Some people add street addresses to items that have physical locations, others add device serial numbers to their maker’s Login items for quick reference.

A nice trick in 1Password 4 for Windows is that the Notes field can expand when you need more room. If you simply mouse over the Notes field’s bottom bar (the one that separates it from Tags), you can click and drag to make it larger and add whatever you need.


1Password 4.1 for Windows puts more control at your fingertips

I have to say, 1Password 4 for Windows has been our 1Passwordiest yet. You’ve given us a ton of great feedback, so we’re back with our first big, free update.

To put it simply, you get more control over some of 1Password’s little details that make a big difference. In v4.1, you can enable rich icons for an even prettier view of your items (View > Show Rich Icons) and lock 1Password when you close your browser (check File > Preferences (Ctrl+P) > Security).

For those who often have many Logins for a particular site, check File > Preferences (Ctrl+P) > Logins > Show X more items… to see more of them at a time.

We also made a ton of improvements across the board to everything from keyboard shortcuts to icon display, linking our fantastic new help guides, adding attachments to items and support for the Comodo Dragon browser, and much more. Check out our full v4.1 release notes for quite the list of details.

The latest version of 1Password 4.1 for Windows is available now via our built-in automatic updater.


Watch what you type: 1Password’s defenses against keystroke loggers

I have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer [and obtained root privileges], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer, particularly keystroke loggers, could capture your Master Password.

Safe at rest

Let me clarify one thing before going on. 1Password does protect you from the attacker who breaks into your computer and steals your 1Password data. The 1Password data format is designed with just such attacks in mind. This is why your data is encrypted with keys derived from your Master Password. It is also why we’ve put in measures to make it much harder for an attacker to try to guess your Master Password in the event that they do capture your data.

Even if an attacker gains access to your computer and 1Password data, there is little she can do without your Master Password. In this article, I’m focusing on another kind of attack in which the attacker tries to “listen in” to you typing your Master Password. This attacker is running a program on your computer that attempts to record everything you type on the keyboard or enter through some sort of keyboard-like device.

Countering counter-counter measures

I will get to the details below, but this article aims to describe and explain a change in how 1Password for Windows secures its Secure Desktop, a counter measure against a common type of keystroke logger. This change was added recently to 1Password 1 for Windows and has been included in 1Password 4 for Windows since its launch.

Márcio Almeida de Macêdo and Bruno Gonçalves de Oliveira of Trustwave SpiderLabs have discovered a way that a keystroke logger could work around our use of Secure Desktop and reported this to us. They have now reported this publicly (link might be having trouble, but it’s listed among their Security Advisories). We have since added a mechanism which prevents that particular counter measure to Secure Desktop. We very much appreciate SpiderLabs for giving us the opportunity to put a fix in place before announcing their discovery to the public. Trustwave SpiderLabs might grab fewer headlines by having done the right thing, but they have done the right thing.

Secure Desktop itself is a counter measure to keystroke loggers. De Macêdo and de Oliveira’s discovery is a counter measure to our counter measure. We have now introduced a counter-counter-counter measure. All of this will be explained, but it requires a lot of background into how keystroke loggers work and various ways to defend against them.

Keystroke loggers

Keystroke loggers attempt to capture everything that is typed on a particular computer or keyboard and pass that information on to a third party.

There are one or two legitimate uses of these (such as in research on writing), but those all involve the consent of those whose key strokes are being logged. More typically, keystroke loggers run surreptitiously, and are an attack on user privacy. I know that people don’t come to this blog for relationship advice, but if you are seriously tempted to install a keystroke logger to spy on a spouse or lover – a popular use of these things – then I have my doubts about the future of your relationship. Since you didn’t come here for relationship advice (and if you did you came to the wrong place), let’s return to how keystroke loggers work.

Logger in the middle

There are many different ways that keystroke loggers can work, but one useful way to think about this is as something (either hardware or software) that sits between your keyboard and the program you are typing into, something which shouldn’t be there.

For keyboards that are attached to a computer with a cable, the simplest keystroke loggers are little physical devices that the attacker plugs into the computer, and then plugs the keyboard cable into that.

The keystroke logger is, in this case, sitting between the keyboard and the computer. The computer thinks it is talking directly to the keyboard, and the keyboard thinks it is talking to the computer, but the keystroke logger is sitting between them.

Alternatively, software keystroke loggers sit between components deep within the operating system and silently grab data. Things that are embedded that deeply or are using hardware loggers are not things that user software can detect or defend against.

Most keystroke logging is shallow

Most keystroke loggers take a simpler approach, rather than inserting themselves deep within the system. It is much simpler to write a program that says “hey, I am a program that needs to know everything that is coming in from the keyboard.” Operating systems provide hooks for programs to do exactly that.

You might be asking why operating systems might make writing keystroke loggers so easy. What business does any program running in the background have in seeing the input to some other program? One reason is to help my poor dog Molly, who suffers from (among other things) diabetes. This has led to sufficient necrosis in her paws so that she cannot easily type using a standard keyboard. The specialized device that she uses involves some clever software that looks at the input and uses various predictive technologies to replace the actual input with the intended text. This system intercepts (and changes) input bound for any program running on her computer; however, as far as most programs know, they are just getting input from a “keyboard”. Assistive technologies similar to the one Molly uses are a big part of making computing and communication accessible to more people.

Not only is a basic keystroke logger easy to write, it doesn’t require a complete break into a system. Different processes on a computer run with different privileges. When Molly logs in to her account and runs a program on a computer, the program is run under her user ID and with her privileges. This means that she isn’t able to interfere with processes that are run by Patty (the other dog). She also isn’t able to interfere with the system as a whole. If Mr Talk (the neighbor’s cat) tricks Molly into running a malicious program, that malware will be limited in the damage it can do.

The really deep and hard-to-avoid keystroke loggers would require full power over the system to install. But one of these simpler keystroke loggers requires only the privileges of the user whose keystrokes are to be recorded. So if Molly gets tricked into running a keystroke logger, it won’t affect Patty even if they use the same computer (as long as they are using different accounts). As you can imagine, the bulk of malicious keystroke loggers that spread through computer infection are of this shallower sort.

Counter measures

Now that we have some idea of how the typical keystroke logger works, it’s time to look at some counter-measures. The two most important counter-measures are:

  • keep your system and software up to date
  • exercise caution in what software you install and run

But let me focus on a couple of the counter-measures that 1Password takes.

Counter measures on Mac: Secure Input

On Mac OS X, there are two simple provisions that make it easy to thwart those shallow key loggers. The first one of these is called “Secure Input” and was introduced with OS X 10.3 Panther in 2003. A program—1Password for example—can say, “when the user types something into this particular input field, it must be done in a way that other processes can’t interfere.” Secure Input needs to be used sparingly, as it blocks all sorts of legitimate activity, including assistive technologies that many people (and a few dogs) rely on. And Secure Input blocks TextExpander, which I rely on.

1Password declares the field in which you type your Master Password as a “Secure Input field”, so ordinary key loggers won’t have access to it. Since last year’s OS X 10.9 Mavericks, there is another defense built into the operating system. A program can only capture all of a user’s keystrokes if the user has explicitly granted it that permission in System Preferences > Security & Privacy > Privacy under Accessibility. As I described earlier, most (but not all) such programs are components of assistive technologies designed to make computers accessible to more people. That is why this system preference is ultimately under Accessibility.

Between these two mechanisms – Secure Input and that any application which has the capacity to log keystrokes must have explicit user approval to do so – OS X defends against these otherwise common sorts of keystroke loggers.

Counter measures on Windows: Secure Desktop


Windows doesn’t offer the same sorts of defenses that OS X has, but it does allow for the creation of somewhat isolated environments called “Desktops”. On Windows, one can set up different Desktops in which only your program is running (along with system processes). A program running in one Desktop will not be able to listen in on keyboard input in a separate Desktop.

You will find a button that says “Unlock with Secure Desktop” in the upper right corner of the lock screen in 1Password 4. Clicking on that launches the Secure Desktop in which you will be prompted for your Master Password. You can take a look at Unlock with Secure Desktop in action.

Countering Secure Desktop

What de Macêdo and de Oliveira have discovered is that there is a way to set up a keystroke logger that does operate in all desktops, not just the one it was started in. Quite simply, their system launches a process that is able to listen for the creation of new desktops and add a process to each desktop created.

The ease with which they were able to do this (well, everything looks easy in retrospect) reflects the fact that the SwitchDesktop function in Windows was not designed for security purposes. We and others who use Secure Desktop as a mechanism for evading keystroke loggers have been taking advantage of the relatively isolated environment of a separate Desktop. Once the authors of keystroke loggers take our counter measures into account, they can launch counter-counter measures like the one Trustwave describes.

Knowing your environment

We want nothing but system processes and 1Password’s Master Password entry to be running in a Secure Desktop. We don’t want other, probably malicious, processes joining that Desktop. And so, our counter-counter-counter measure is to simply look around and see if there is anything running in the Secure Desktop that is unexpected.

If some unexpected process is found in the Secure Desktop environment, you’ll be prompted to close the Secure Desktop.
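A sketch of what such a "look around" can amount to, as an added example rather than 1Password's implementation: the process snapshot, the desktop name, the allowlist entries and the unlock program's path are all constructed for illustration. On Windows the snapshot could be gathered with EnumDesktopWindows and GetWindowThreadProcessId; here it is inline data so the logic runs anywhere.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image_path: str   # full path of the executable image
    desktop: str      # desktop the process was seen on


def canon(path):
    """Canonical form of a Windows path: resolves '..', unifies slashes, lowercases."""
    return ntpath.normcase(ntpath.normpath(path))


# Illustrative allowlist (assumption): not a statement of what Windows really
# runs on a new desktop. The last entry is a hypothetical unlock program.
EXPECTED_IMAGES = frozenset(canon(p) for p in (
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\dwm.exe",
    r"C:\Program Files\ExamplePasswordManager\unlock.exe",
))


def unexpected_on_desktop(snapshot, desktop):
    """Processes on `desktop` whose full image path is not on the allowlist.

    Matching the whole canonical path, not the file name, means a program
    that merely calls itself csrss.exe is still reported.
    """
    return [p for p in snapshot
            if p.desktop == desktop and canon(p.image_path) not in EXPECTED_IMAGES]


def should_close_secure_desktop(snapshot, desktop):
    """True when the user should be prompted to close the Secure Desktop."""
    return bool(unexpected_on_desktop(snapshot, desktop))


# Constructed snapshot for the example.
SNAPSHOT = [
    Proc(500, r"C:\Windows\System32\csrss.exe", "SecureUnlock"),
    Proc(620, "C:/Windows/System32/dwm.exe", "SecureUnlock"),
    Proc(1200, r"c:\program files\ExamplePasswordManager\UNLOCK.EXE", "SecureUnlock"),
    # Same file name as a system process, but started from a user's temp folder.
    Proc(3100, r"C:\Users\molly\AppData\Local\Temp\csrss.exe", "SecureUnlock"),
    # A path that only looks like it lives under System32.
    Proc(3200, r"C:\Windows\System32\..\..\Users\molly\dwm.exe", "SecureUnlock"),
    # Runs on the ordinary desktop, so it is outside this check.
    Proc(4000, r"C:\Users\molly\Downloads\game.exe", "Default"),
]


if __name__ == "__main__":
    for proc in unexpected_on_desktop(SNAPSHOT, "SecureUnlock"):
        print("unexpected:", proc.pid, proc.image_path)
    print("close Secure Desktop:", should_close_secure_desktop(SNAPSHOT, "SecureUnlock"))
```

A path allowlist is the minimum; a stricter check would also verify who signed each image.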

[Screenshot: Secure Desktop: 1Password has detected an unknown process]

Lessons

1. Keep your system and software up to date

The single biggest thing you can do for your computer security is to keep your system and software up to date. The overwhelming majority of actual break-ins are through vulnerabilities that have already been fixed by the software vendors.

2. Pay attention to what software you install and where you get it from

Keystroke loggers and other malware are often installed unwittingly by the victims themselves. Try not to be one of those victims. Be particularly careful of anything that tries to frighten you into installing it. Fake security software and alerts are a common way to get people to install malicious software.

The move toward curated app stores offers additional protections, but it isn’t a complete solution. Still, using those where available will reduce your risks.

3. Use Windows Defender on Windows

I have long been skeptical of most anti-virus software, but Microsoft Security Essentials is something I can unequivocally recommend for those using Windows 7. In Windows 8, Windows Defender is automatically built in and enabled.

4. Understand what software can and can’t do for you

The core security design of 1Password is extremely strong. Quite simply: if you have a good Master Password, nobody who gets a copy of your 1Password data will be able to decrypt it. 1Password can and does offer outstanding security.

At the same time, 1Password is limited in what it can do to protect you when you are using a compromised computer. It can (and does) offer some protection against shallow (the most common) attacks. But this is a bit of an arms race. As you see, we have had to put into place a counter measure to a counter measure to our counter measure against common keystroke loggers.

This is why the first two items on this list are so important.

In conclusion

1Password takes extraordinary and effective steps to protect your data. This is built into every aspect of its design. But you have to help protect 1Password from malware running on your machine. We do what we can to make things harder for the malware writers, but we can’t do it alone. You must try to provide a safe environment for 1Password and all of your software to run in.

This shared responsibility is similar to that which we have with your Master Password. We provide excellent encryption and protections and defenses against automated password guessing. But you have to pick a good Master Password and treat it well. For those who might be wondering, displaying your password on a giant screen is not treating a password well.
