1Password for Windows: our new Safari extension is out of beta!

1Password extension - LoginsGreetings Windows-slinging Agile Readers! Remember that all-new 1Password extension we began testing with Safari a couple weeks ago? I’m happy to say that you may feel free to remove its beta badge at your earliest convenience.

Wait, scratch that. Safari should automatically do it for you, if it hasn’t already. Hooray for automatic extension updates! To make sure Safari has you covered, you can hit the gear menu and to go Preferences > Extensions. Click the Updates panel and make sure “Install Updates Automatically” is enabled. If you haven’t grabbed the new extension yet, here’s how:

  • Make sure you have the latest version of 1Password by going to Help > Check for Updates
  • Click the Preferences button, go to the Browsers pane, and click the Safari option
  • Follow the instructions on our extension download website that opens

Yes, the new version of our extension has gone official for Safari for Windows, and so have its many slick new features. User feedback was great, so we’re getting to work on bringing it to the other Windows browsers we support. As far as a timeline goes, though, I can’t say anything just yet. You’ll just have to stay tuned here on the blog, on Twitter @1Password and @AgileBits, and on Facebook!

1Password for Windows: Our new extension is ready to try in Safari

Sometimes, a browser extension comes along that changes everything. Your philosophy on life is forever altered. The way you experience the internet fundamentally shifts. Your dog and cat go apartment hunting together. Nothing is the same.

Our new 1Password browser extension will not do any of those things to your world, valiant Windows users, but it will make a huge improvement to the way you browse the internet with 1Password. We’ve re-imagined our 1Password browser extension to bring you a better, faster experience, and put more of your 1Password data than ever before at your fingertips, right inside your browser.

Today we’re releasing the new version of our 1Password browser extension in beta for Windows users to test, and we’re starting by supporting one of our most requested browsers: Safari for Windows. Of course, support for more browsers will follow soon.

How to get it

To get it, you’ll need to opt into our beta testing process:

  • Open 1Password
  • Click the Preferences toolbar button (or press Control-P)
  • Go to the Updates pane, enable the Beta option, click Check Now, and update to the latest beta (it should be at least version 1.0.9.BETA-237 or higher)

Now, to get the new Safari extension:

  • Visit our Windows extension page to download and install our new Safari extension
  • Enjoy testing our new Safari extension!

Note: the first time you unlock the extension, the initial sync might take a little longer than usual. That’s normal, and the next time you unlock shouldn’t take nearly as long.

How to use it

So, what’s the big deal about the new extension? The redesign allows it to be much more flexible and make more of your information available, even editable, right in your browser—no need to stop what you’re doing and open the main 1Password app. Here are some quick highlights and tips to help you get the most out of the new extension:

  • Control-\ is your one-stop-shop: The new default Logins pane does double-duty, displaying “Logins for the Current Site” at the top, and a list of “All Logins” just below. Just hit Control-\ to open the extension on any webpage (you can configure this shortcut in the 1Password app’s settings)
  • Arrow keys are your friend: If you’re a keyboard ninja, you can arrow up and down the list of Logins. If you hit return on a Login in the ‘Submit Login’ section, 1Password will fill it into the current site. If it’s in the ‘All Logins’ section below, 1Password will open a new tab, take you straight to the site, and log you in
  • Type to search: If mousing around and arrow keys aren’t your style, you can type in any pane to start filtering on the fly. A search box will appear at the top, and the item list will instantly slim down to just what you’re looking for (note: this is basically a quick way to enable the new search icon in the upper left)
  • View, copy item details in your browser: Say you need to copy a password for a Flash site, or you need to paste a 1Password detail into some other app. You can click the right arrow next to any item in the new extension, or hit your keyboard’s right arrow key, to view most of its details right within the extension. Mouse over any detail and click it to quickly copy it to your clipboard for pasting elsewhere
  • Click headers to change behavior: Do you need to complete a CAPTCHA on some sites before logging in? Or perhaps you prefer to open new windows instead of new tabs. You can click the headers in the Logins pane to change how they behave. You can chose to just fill a Login instead of fill and submit (in case you need to do other things on the page), and instead of opening Logins in a new tab, you can choose to open them in a new window or even the current tab
  • Fill Credit Cards and Identities: Any Credit Cards and Identities you’ve added to the main 1Password app are available in their own panes below Logins. Filling them into websites is just as easy: you can open the 1Password extension, mouse or arrow your way to the Credit Card or Identity you need, and click or hit Return to fill it into the site’s form
  • Tab between panes: You can use the Tab key to quickly switch between the Logins, Credit Cards, Identities, Strong Password Generator, and Settings panes

Check out more screenshots in our gallery at the end of this post!

How to get in touch

Since this is a beta, we’re hoping to hear some feedback in our Windows beta forum with your thoughts on how it’s going, and especially when you run into bugs. After all, there’s a reason we’re using the beta badge.

In case you didn’t catch that, yes: it was a wink wink, nudge nudge to please leave feedback in our Windows beta forum.

How to stay tuned

We’ll update 1Password and this new extension based on your feedback, and we’ll have announcements of more Windows browser support soon. Until then, follow us on Twitter @1Password and @AgileBits, like us on Facebook, and subscribe here to stay on top of all our update news!

Defending against 1Password harvesters

We have some bad news and good news today about the state of Mac security. The bad news is that there’s a new malware variant out for the Mac, a trojan called DevilRobberV3, that tries to collect various pieces of data, including your 1Password data file. The good news is that your 1Password data is very well encrypted, but we still want to take this opportunity to review a few details of what’s going on.

We don’t think this poses any real danger to 1Password users. But because our knowledge of DevilRobberV3 is still fairly limited, I want to revisit some of our long-standing recommendations for ensuring your 1Password data stays safe.

What do we know about DevilRobberV3?

At this time, we know little about DevilRobberV3 beyond what has been reported by F-Secure. It is a trojan that can be installed when someone tries to download and install a pirated version of Pixalmator from websites that offer stolen software. The fake Pixalmator installer instead installs DevilRobber3, which mostly just gathers system information and sends it off to the malware’s creators.

The main business of DevilRobber3 is that it steals time on an infected computer to engage in creating bitcoins, a type of virtual currency used by some internet services. But what matters to us here is the system information that is also gathered, and that list can vary depending on variant of DevilRobber3. So far, here is a rough list of information that might be collected if DevilRobber3 gets onto a Mac: OS X Keychain; Safari browsing historynumber of files with “truecrypt” in the name, “pthc”, and “vidalia”; shell command history; bitcoin wallet contents; 1Password file contents; system log file; external IP address of the infected machine; downstream and upstream bit rate of the infected network; malware’s port mapping attempt status; and time the malware was executed. Earlier versions also took a screenshot.

Because they are collecting so much information along with running the bitcoin farming, I expect that this is more of a fishing (not phishing) expedition. They are trying to learn about systems in general and do not have a plan of attack using any collected data. I am speculating, of course, so let’s take a look at the worst an attacker could do with your 1Password data.

Defending against the worst case

First I’d like to reassure everyone that your key 1Password data is extremely well encrypted. Our Strong Password Generator tool creates extremely strong passwords for websites, and we use the best encryption tools and protocols available for encrypting those passwords (learn more about how 1Password encrypts your information in our support doc). I doubt that anyone is actually specifically trying to exploit 1Password data files they might obtain, but because we can’t rule it out, we need to consider what bad guys could do with captured data.

1. Guessing your Master Password

Since day one, we’ve highlighted how important it is to have a strong, memorable Master Password. If you want some help to create a great Master Password or improve the one you have, please see one of our many  previous blog posts with tips and tricks, the geek edition of that post, or this help doc. Note that changing your master password after your data file is stolen will not protect the captured data. So don’t wait until there is some sort of breach on your machine before making sure you have a good Master Password.

2. Attacking the websites you visit

In our current 1Password data file format, the URL of a Login is not encrypted. If you have an account on Amazon.com, an attacker who has obtained your data file can see that you do, but cannot see your username or password.

The password strength indicator (whether 1Password considers your password to be strong or weak) is also not encrypted in the current form of the database. Generally, this lets us strike a good balance between securing your most important data (such as usernames and passwords), allowing the 1Password data file to be stored and synced securely with cloud services like Dropbox, and still offering features like sorting your Logins by URL or by password strength. You can learn more about why the 1Password data file has been designed this way in our cloud storage security doc.

So even though your passwords are extremely well encrypted in your 1Password data file, an attacker might learn that you have a weak password for www.example.com. If the attacker can also guess your username (I, for one, use pretty much the same couple of usernames everywhere), and you used a weak password on a site instead of our Strong Password Generator, they may be able to use this knowledge to attempt a brute force (guessing lots of passwords) directly against www.example.com. Fortunately, the vast majority of websites will block or delay logins after some number of failed login attempts.

If you think you might have some weak passwords saved in 1Password, perhaps from The Old Days before you started using our Strong Password Generator, take a look at our previous advice on how to find and update weak passwords. This involves sorting your 1Password data by password strength in the 1Password application, then updating your password using 1Password’s Strong Password Generator feature. Note that sorting data by password strength may soon be removed (so that the strength is no longer stored unencrypted), which means that this specific tips may be limited to data created and viewed with 1Password for Mac (App store) version 3.9.2 and prior, 1Password for Mac (non-MAS) 3.8.10 and prior, and 1Password for Windows and prior.

Those are steps you can take to increase your already high level of security. There is always a “weakest link”, which is what we need to look at when considering worst case scenarios.

What we can do

Although users need to pick good passwords, it is not our intention push the entire security responsibility on to users. Our goal has always been to make it easy and convenient for you to behave securely. So the question is: what are we doing to guard against the dangers listed above? First of all, the security is already extremely strong. But we are always looking at where we can improve upon the weakest link.

1. Moving ahead with new data format

We have already discussed how the data format currently used in 1Password 3 needs to be improved in the light of increased computer power and increased risk of data theft. Work on our new data format is coming along, but it is still not ready for all platforms (we need to make certain that it works on every platform that 1Password supports). So this doesn’t present an immediate solution to the news of malware that collects 1Password data. Once it does arrive though, our new data file format will offer some advantages, one of them being that even more of your data (including Login URLs) is encrypted.

2. Increasing PKBDF2 iterations

I’ve discussed the role that PBKDF2 plays in protecting your Master Password from automated password guessing systems. We are currently exploring increasing the number of PBKDF2 iterations, but, I don’t want to promise anything specific until we’re confident to release it. We need to work through compatibility across platforms, and performance specifically on mobile platforms when syncing data. But we are actively testing things as I write this. (We put in hooks into the code a while back anticipating the need to increase PBKDF2 iterations.)

3. Removing password strength information

We are also testing at the moment the consequences of removing unencrypted password strength information from the current data format. If we do this, it will have more visible consequences for users. This will almost certainly mean changes to how users will need to find weak passwords among their data.

So look for updates soon that will make 1Password your 1Password data even more resistant to attack.

In summary

If you become a victim of the DevilRobberV3 trojan, we have no reason to doubt the security of your 1Password data file. Ever since 1Password was just a few scribbles on bar napkins, we’ve designed and coded the 1Password data file to remain secure in scenarios such as your computer or mobile device getting stolen, or something like a trojan gets ahold of it. The particular changes that we are looking at for the immediate future are things that we’ve been working on for months.


One lesson, if I can be forgiven for repeating myself, is that security is a dynamic process. We re-assess threats, our own design, and our implementation of that design. A security product is never really done; it is, instead, an on-going process.

Another lesson is that you should be part of that on-going process. The advice listed above isn’t new, and so regular readers of this blog will already have the extra level of security. My somewhat tautological advice, then, is that you should follow our advice.

Finally, and this should go without saying, don’t download and install software from unknown or untrustworthy sources. There are enormous numbers of reasons to not download pirated software, but one of those reasons is that the people you are downloading from are criminals. You never know what you might end up really installing. Even if you are not trying to pirate software be very careful of deals that “seem too good to be true”. It may be a topic for another day, but Wil Shipley has some nice recommendations about how Apple can help with software distribution in a way that would reduce the opportunity for trojans to be installed on OS X.

On 1Password and iCloud

Just in case this is the first blog post you’ve checked since swearing off reading tech news for the past ten months or so: this is a pretty massive week for new Apple goodies (also: thanks for making this the first post you’ve read in almost a year!). Yesterday, Apple released iOS 5 and its many fantastic new features to the world, as well as a bunch of new apps like Find My Friends, AirPort Utility for iOS, and Cards. Tomorrow, the iPhone 4S becomes available, and Apple’s new service that ties it all together—iCloud—offers some great potential to third-party apps like 1Password.


Naturally, we’re getting a lot of questions about whether we will offer iCloud as a sync option in 1Password for Mac, Windows, iPhone, iPad, and Android, either as a replacement or an alternative to our current preferred sync service, Dropbox.

What I can say so far is that we’re just as excited about iCloud as you are, and we’re definitely looking into what it can do for 1Password and you. Fortunately, you can actually enjoy one of iCloud’s perks if you upgraded your iPhone, iPod touch, or iPad to iOS 5 and created an iCloud account: automatic, once-a-day, over-the-air backup and restore of all your iOS app data, which includes 1Password for iOS. Go to Settings > iCloud to learn more and configure.

Without us having to do anything, iOS 5 can at least wirelessly backup your 1Password data, and let you restore that data should you ever need to wipe your device or replace it with a new one. So really, the million dollar question is whether iCloud can function as a great solution for syncing 1Password data between computers and devices.

We don’t want to say anything more about iCloud right now or whether it will turn out to be the great sync solution we know 1Password customers demand. But rest assured, we’re definitely looking into it. As soon as we have more to say, you’ll hear about it here, on our @1Password and @AgileBits accounts, and on our 1Password Facebook page.

Retrospective: One month of Lion and 1Password

It’s been just over a month since Apple released OS X Lion and quite literally reversed the definitions of “up” and “down”. At least when it comes to scrolling. And only if you don’t go to System Preferences > Trackpad/Mouse and disable “Natural Scrolling”. But I digress.

Time flies when you’re fervently updating 1Password and releasing all-new browser extensions for such massive releases as Safari 5.1, Firefox 6.0, and Chrome 143.28.852, or whatever version they’re up to today. In fact, when I tally everything up, we’ve released over 40 updates in the past five weeks across our Mac, Windows, Safari, Firefox, and Chrome editions of 1Password—and that doesn’t even include beta releases for testing! But that long list of updates *does* include a completely redesigned extension interface and a lot of improvements, changes, nips, tucks, and bug fixes—all thanks to your awesome feedback in our forum.

Big transitions like new OS X releases—especially one like Lion which made so many major changes to both over- and under-the-hood technologies—and Firefox 6 are never easy, and we know 1Password has had a bumpy ride over the last month. I want to thank you all for your great feedback in our forum and here on the blog, as well as your patience as we fix bugs and polish 1Password to be a great Lion and cross-browser citizen.

Moving forward, we have a lot of great stuff in store. Our top priorities are polishing the new extension for all platforms (including getting it ready for Windows browsers!), improving the Firefox 6 experience, and bringing the extension to Chrome. Of course, we have a couple other buns in the oven, but we’re not quite ready to get the butter out of the fridge, if you follow my meaning. Wink wink, nudge nudge.

Thanks again for being the best customers a small software shop could ask for. We’ll keep the 1Password updates coming, and we can’t wait to hear from you in our forum.

1Password 1.0.6 for Windows gets Firefox 5, System Tray support

We updated 1Password for Mac to support Firefox 5 and some other odds and ends, and now we’re back with a new Windows release!

1Password 1.0.6 for Windows brings a handful of handy new perks, and you can check out the full details of this release (and all previous versions) in our 1Password for Windows release notes. But if you’re the cliff notes type, let’s hit the highlights:

  • Firefox 5 support – Mozilla released the latest and greatest version of its browser this week, and 1Password for Windows is now ready for it
  • Chrome 13 support – Chrome 13 is currently in Google’s development/beta channel, but we’re able to support it now on Windows with this update
  • New “Close 1Password to System Tray” setting – Want 1Password to never be more than a System Tray click away? You got it
  • Lots of other changes – We now support Dropbox’s new configuration that is coming in version 1.2.x, we switched to a standard .ZIP format for backups, and we squashed plenty of bugs

This update is available now from our site or from 1Password’s Help > Check for Updates option. Enjoy!

1Password for Windows is out, bundle licenses available!

Thanks to some hard work by our developers and a lot of feedback from our awesome beta testers, 1Password for Windows is officially ready to go! You can download it and try it out right now!

Licenses for 1Password for Windows are available individually for US$39.95, and we’ve got a special introductory deal today that will save you $5.

We also know that some of our Windows users will want to use 1Password on both their Mac and their PC, so we’ve got a bundled license deal for you, too. Choose the 1Password Mac + Windows Bundle on the Agile Store and get both licenses for US$59.95, or pick up a 5-user family license for US$99.95! That will save you $20 or more on the combination!

If you already own 1Password for Mac, take advantage of the $5 discount above and get running on both platforms!

Windows Chrome users get some 1Password love, too!

We recently let our Mac users know about the amazing new extension for Chrome on OS X, but we didn’t want our Windows users to feel left out, so… we’re pleased to announce 1Password support for Chrome on Windows!

1Password in Chrome on Windows 7

Download the latest beta of 1Password for Windows and open the preferences (CTRL-P). You’ll find a checkbox for Chrome under the Browsers tab. Check it and click “OK” at the bottom, and your Chrome extension will be installed!

1Password Windows Preferences


An update on 1Password for Windows

1Password for Windows beta

Development of 1Password for Windows is coming along wonderfully. Windows users should be sure to check out the current beta, and we’d love to hear feedback and suggestions in the forums!

We’re offering “early bird” pricing for people who buy a license during the beta period:

  • A single License is only US$19.95 (50% off)
  • A Family License (5 users) is just US$29.95 (57% off)

Download a free copy of the beta today, take it for a spin, and—if it’s as indispensable to you as it is to many of our users—grab a license soon to save more than half the full price!

Dropbox syncing is fully functional, so if you have a Dropbox account set up on a Mac or other Windows computer, you can immediately start syncing your data across multiple machines, as well as to your iPhone or Android running the 1Password for Android beta. You can find instructions for setting up and configuring 1Password with Dropbox here.

1Password for Windows beta

1Password for Windows is available on the downloads page!

1Password protects you from the latest phishing tricks.

Warning: ThiefYou may have heard about the latest scare in phishing attacks: “tabnabbing.” As explained over at TidBITS, tabnabbing changes your tabs while they’re in the background to simulate logins on sites such as GMail or PayPal, even changing the “favicon” in the tab to make it look authentic. You switch back to your tab and, without much consideration, enter your username and password. Poof, your information is sent to the devious hacker who’s been waiting for unsuspecting victims. It’s especially insidious because the link seems completely innocuous to begin with, and offers no sign of being a phishing attack. Fortunately, 1Password protects you here, too.

1Password bases its automatic login selections on the domain of the site you’re logging into. A tabnabbing site can change everything except the URL, so 1Password automatically knows you’re not really on GMail or PayPal (or any spoofed site). Just like in other phishing situations, 1Password offers a fool-proof strategy: if the URL is legitimate, it will match your login information and let you in with ease, but with any non-legitimate URL (which all phishing scams will have), the match won’t be made and you’ll stay protected.

There’s another tricky deception floating around right now: using non-latin characters to build URLs that look exactly like the real thing, but are completely different (and generally dangerous) sites. Correction: This little scare has been thoroughly debunked (see comments here), sorry for unnecessary worry we may have caused. Don’t worry, though, 1Password has this covered, too, using the same technique mentioned above. The URLs may look the same to the eye, but they won’t match up to 1Password.

1Password doesn’t just store your passwords securely, it offers a first line of defense against online attacks. To sum it all up, if you let 1Password handle your logins, you can worry a lot less about your online security!