Introducing 1Password Business

Since 2015, over 30,000 businesses have signed up for 1Password Teams and discovered how 1Password can help them be secure while also increasing their productivity.

We’ve learned a lot by working with these companies and found that what works for a team of 20 doesn’t necessarily work for a company of 20,000. So we got to work.

Today, I am thrilled to announce the results of that work: 1Password Business. 🎉

1Password Business

1Password Business provides the features you need as a larger team. It gives you the tools to protect your employees, secure your most important data, and stay compliant. Your administrators will love it for the control it gives them, and your employees will love how easy it is to use.

Control access and be compliant

GDPR, HIPAA, SOC2, PCI, PIPEDA… man, there’re enough compliance requirements to make your head spin.

Thankfully, 1Password helps by keeping you in control of who has access to what. Each employee gets a place to store their private, work-related passwords. But there are times when passwords need to be shared. For those times, it’s easy to share passwords with only the people who need them.

Fine-grained permissions – give employees exactly the access they need.
Custom Groups and Roles – organize your staff and their access.
Device Restrictions – limit where access is granted.
Managed Travel Mode – restrict employee access when travelling.

We ourselves are growing quickly and long gone are the days where everyone worked on every project. We are looking to hire another 100 people this year, and 1Password helps us stay compliant with our SOC2 regulations as we grow.

Automated provisioning

Sometimes you are growing so fast, or have gotten so large, that no matter how simple the onboarding steps, they just aren’t fast enough. In these cases automation comes to your rescue.

Active Directory Integration – automate provisioning and de-provisioning.
Okta Integration – allow Okta to manage your team for you.
Command line Integration – integrate 1Password into your custom business flows.

Now that we are starting to use Azure AD ourselves, onboarding those next 100 people should be a breeze. 😉

Adding a third factor

1Password protects your passwords behind both your Master Password and your Secret Key. Now you can add yet another layer of protection with our multi-factor authentication (MFA) support.

Team members can turn on two-factor authentication to further protect their 1Password accounts. Or, if your company uses Duo, you can require its use for your entire team.

Advanced auditing and reporting

In 1Password Business, we’ve created some super useful reports for you and your administrators. It’s never been easier to keep track of everything happening on your team.

Employee Access Report – see which shared passwords an employee has used.
Shared Password Report – audit shared passwords to see who has used them.
Activity Log – review administrative actions taken by your team.
Action Dashboard – view activities that are awaiting your action.

Free family accounts

Worth more than $50 per user

Your business data is only as safe as your employees’ habits. If anyone brings unsafe password habits from home into your work environment, they put your entire business at risk. Now, you can protect your business by keeping those you work with safe at home.

With 1Password Business, each employee on your team gets a free 1Password Families membership. This way they can learn the habits they need to protect themselves and your company.

Try 1Password Business today

Sign up today for a free 30 day trial and see for yourself how 1Password can help your company. Your data will be more secure and your employees more productive than ever.

Sign up for 1Password Business

If you have any questions or would like to schedule a demo, contact our business team. We’ll be happy to show you how 1Password can work for your business. After using 1Password for a few weeks at your company I promise you’ll wonder how you ever lived without it!

MyFitnessPal Shows How to Handle a Breach

We all witnessed something refreshing last week when MyFitnessPal announced their data breach. They were open and honest about what happened and they should be congratulated.

Many companies hide from the truth and make things much worse for themselves and their customers. Instead, MyFitnessPal did it right. Not only did they handle the disclosure with finesse, they also had excellent systems in place to limit the exposure of the leak.

MyFitnessPal provides a great case study on how to handle a data breach and protect customer information. Let’s start with the announcement itself.

The Announcement

First it needs to be said that it was awesome that there actually was an announcement and that it was published in a timely manner. This is a very good thing!

There was an in-app notification, direct emails, and a pinned Twitter post.

They also posted Frequently Asked Questions that were excellent and when I emailed their support team with some questions for this post, their automated reply included information about the breach and what they were doing to protect their customers.

MyFitnessPal was incredibly open and transparent about everything and at no point did they try to hide details from their users, myself included! That allowed me to update my password and get on with my life.

I wasn’t overly attached to qdd84b7UayEwM9J6dZV anyway so I didn’t mind changing it. And since I only used this password on myfitnesspal.com I didn’t need to update any other websites.

Strong unique passwords FTW! 🙂

Secure Handling of Passwords

Equally commendable was how MyFitnessPal stored passwords in their systems. Or more to the point, how they didn’t store passwords.

Many sites choose to store the plain text password, which is bad. The fact that Have I Been Pwned? now has over half a billion plain text passwords in its database shows how prevalent this horrible practice is.

MyFitnessPal was much smarter than that as they never stored the actual password. Instead they stored a hash of the password, most of which were created using bcrypt. Our Chief Defender Against The Dark Arts wrote at length about bcrypt and how it can be used to protect user passwords.

It’s possible to go even further than bcrypt and avoid sending passwords to the server by using Secure Remote Password. We use this in 1Password and are quite smitten with it.

Avoiding Other Sensitive Information

The other smart thing MyFitnessPal does that should be commended is collecting and storing the minimum amount of data. From their FAQ:

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

The easiest way to protect data is to not have it in the first place! We follow a similar mentality in 1Password and it’s refreshing to see other companies taking security and privacy seriously.

MyFitnessPal made some excellent design choices and quickly organized an effective response to a bad situation.

For those looking to learn more about the MyFitnessPal breach, Troy Hunt started his Weekly Update 80 with a full discussion on the subject that I found very intriguing, especially the strategy on how to migrate from a SHA-1 hash to using bcrypt.

P.S. A great deal of this post was inspired by an incredible letter I received from Benjamin Fox about how unique passwords helped him quickly recover from the MyFitnessPal breach. Thank you for the inspiration, Benjamin! ❤️

Hi Dave,

I know you get hundreds of emails but I can’t help but send this email. I received an email from MyFitnessPal today and of course the news-breaking headlines.

In reading the email, I simply smiled. Headed to my 1password vault and checked the password.

Sure enough, there was a 40 character, numbers + symbols password. I smiled smugly and thought of you.

Your amazing product keeps my data safe every single day. I have not one single duplicated password. Back about 4 years ago I spent the entire weekend updating 200 plus sites with a unique password (MyFitnessPal being one of them).

I have recommended so many people to your platform knowing that you have an amazing product and just as importantly, a fantastic support team.

Take care my friend and I send you a warm-hearted thanks from Darwin, Northern Territory, Australia!

Keep doing what you’re doing!
Benjamin Fox.

We really do have the best users in the world. 😘

The 1Password 7 Beta for Mac Is Lit and You Can Be, Too

Guess what, Mac fam? 1Password 7 for Mac is on its way! 🎉👏

This first beta is just a taste of what’s to come and it’s already packed full of new features and improvements. Here’s what we have so far.

Beta bling

The awesome starts with the lock screen but the real magic happens when those doors open.

Enhanced sidebar

1Password 7 comes at you fast with its bold, beautiful sidebar. The sidebar shows more information than ever, but the dark theme and monochrome icons allow you to focus your attention on what matters most: your items.

Drag and drop

You can now see all your vaults in the sidebar. This makes it easy to drag and drop items between vaults to organize them. You can even drag them between two different accounts. And if you drag items onto New Vault, a vault will be created for you right there and then. It’s never been easier to share and organize your information.

Easily edit vaults

With the new sidebar it seemed fitting to allow you to manage your vaults directly from there. So that’s what we did. Edit vault names, change their descriptions, choose an avatar or upload your own. All without ever leaving 1Password.

Rich formatting in notes

Are you feeling bold? How about emphatic? You can now express your emotions in secure notes. Use Markdown in any of your notes to add clickable links, ordered and unordered lists, and eye catching styles.

Nested tags

Tag fanatics rejoice! Not only can you organize your items with tags but you can also organize your tags. There’s an Inception joke here somewhere; while you wait for me to find it, add a forward slash to your tag names and 1Password will do the rest.

Pop-out items

If you use lots of different apps on your Mac or enjoy viewing multiple items at once, you’re going to love this: click the icon on the toolbar and your item details are whisked away into a new sticky window that will stick around until you dismiss it.

Our own font: Courier Prime Bits

No design is ever complete without finding the perfect font. We’ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely Courier Prime). Alan Dague-Greene is the creative genius behind this font and it makes your passwords look alive.

Finding pwned passwords 🕵🏼‍♀️

Troy Hunt has collected more than 500 million passwords from various breaches in his Have I Been Pwned? database. Easily check if your password is among them.

Secure Enclave for Touch ID

Secure Enclave protects your Master Password when Touch ID is enabled. This greatly improves your security when using Touch ID because the encryption keys are protected by the hardware in your Mac and are not accessible to any other programs or the operating system.

Safari App Extension

Our Safari extension now comes built in to 1Password 7. There’s no need to manage it separately, it updates whenever 1Password updates, and it’s more secure to boot!

Single process architecture

We completely rearchitected 1Password 7 to run within a single process. This eliminates connection issues between the main app and mini, greatly speeds up loading, and improves performance everywhere.

Grab bag of lit-ness

The changelog for beta 1 is huge. Coming in at nearly 100 additional features and improvements, it’s literally too much to read. Here are the CliffsNotes (or Coles Notes if you’re reppin’ Canada):

  • Collapse the sidebar entirely so your items get all the love
  • Share vaults directly from the sidebar
  • Easily see your currently selected vault and account
  • Login details now highlight one-time passwords
  • Tags are monogrammed with their initials
  • Select which vaults to focus on right from the sidebar
  • Quickly find items with our new Spotlight integration
  • Use Handoff to view iOS items right from your Dock
  • Login icons have never looked better

Get it now

Getting lit with beta 1 is easy!

Download 1Password 7 Beta For Mac

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when the beta first opens. Licenses will be available for $64.99 when we launch later this year, but are available now for only $39.99. You can also try a membership and start enjoying 1Password 7 today with your first month free.

We’re looking forward to sharing more surprises with you on our journey towards 1Password 7. In the meantime, please join us in our beta forums and help craft the future of 1Password. We always love hearing from you. 😘

P.S. This post was heavily inspired by asking the question that we should all ask ourselves from time to time: what would Drake say? I think I got close but if you know Drake, please ask and let me know. 🙂

Introducing 1Password 7 Beta for Windows

1Password 7 for Windows is almost here! 🎉🙌 Today marks our first beta and you’re invited to join in on the fun.

This is a massive release where quite literally everything has changed. And with support for local vaults, everyone can enjoy the awesomeness that is 1Password 7 for Windows.

Read on to see what all the hullabaloo is about and I think you’ll find our excitement is quite contagious. 🙂

Incredible New Design

Our design team has been working their tails off making 1Password 7 for Windows the best it can be, so it seems fitting that we start by showing how great 1Password 7 looks.

The awesome starts with the lock screen.

Once you unlock 1Password with your Master Password (or Windows Hello), you’re in for a delightful surprise. I’ll let 1Password speak for itself here.

From the typography to the rich icons to the layout, everything has changed. Yet the soul of 1Password remains, so you’re able to jump right in and find everything you need.

The new sidebar is not only gorgeous but it’s more powerful, too. It allows you to navigate between your categories and tags just like you always could, but now your vaults live there as well.

All your vaults, all in one place

Organizing your items into vaults is a great way to keep your items tidy and share them with those who need them.

Vaults are so nice that you’ll find yourself adding lots of them. Thankfully the sidebar makes it easy to see every vault you have at a glance. If you want to zoom in and see all the items in a vault or an account, just click on it. When you’re ready to zoom out again, click All Vaults to see all your items.

Between my AgileBits business and Teare family accounts, I now have over 50 vaults. Being able to switch between vaults and accounts makes it super simple to stay focused on the task at hand. Which is perfect for those days when I need to find my mom’s Pokémon password. 🙂

Small passwords. Large passwords!

If you spend as much time looking at computer screens as I do, your eyes will love our new Large Type. Passwords have never looked better!

This is great when you need to type a password into another app. But for browsers, 1Password mini will take care of this large task for you.

1Password mini is always by your side

To keep up with their bigger sibling, 1Password mini has a new design of their own and has learned some new tricks as well. As always, mini will automatically find the logins that are most relevant to the website you are on, making it super easy to sign in.

And if a website has been breached, mini will alert you so you know which of your logins need to have their passwords changed.

You can also open logins directly within your browser. And as an added bonus, your password will also be filled automatically after the page opens, making 1Password a great way to bookmark websites.

Designed for everybody

We wanted to create 1Password 7 for everybody and be as inclusive as possible. That started with allowing you to sync your vaults yourself as well as supporting 1Password accounts.

1Password also speaks your language and has been localized into 9 languages, including Français, Deutsch, Italiano, 日本語, 한국어, Português, Русский, and Español.

Being able to use 1Password in your language is great and it’s even better on High-DPI displays. 1Password 7 has full support for HiDPI in Windows 10 so it looks incredible on 4K monitors and other high density screens.

And for those of you who rely on assistive technologies, rest assured that 1Password 7 is fully accessible. Accessibility is near and dear to my heart and I’m looking forward to seeing your feedback on this beta.

Why hello there, Windows Hello

We also added support for Windows Hello so you can unlock 1Password using your fingerprint or simply your smile. This works great in the main app as well as in mini.

To keep things as secure as possible, the first time you unlock 1Password you will need to provide your Master Password. Windows Hello will then be able to unlock 1Password afterwards.

Pricing

1Password 7 is included free with every 1Password membership. This includes individual accounts, as well as anyone who is part of a family or team. If this is you, you’re all set! Jump to the next section to get started with the beta.

For standalone license holders, 1Password 7 for Windows will be a paid upgrade. Once 1Password 7 for Windows is officially released later this year, a new license will be required and will cost $64.99.

If you join the beta you will get access to a special discount to show our thanks for helping us get the beta polished. The code hasn’t been written yet, but in the next few months an upgrade window will appear, giving you the opportunity to purchase your license for just $39.99.

So join the beta, give us your feedback, and save! Here’s how…

Join our beta family

Intrepid testers who enjoy being on the cutting edge can jump right in by downloading the beta today.

Download the 1Password 7 Beta for Windows

Please see our release notes for known issues and join us in our discussion forum to let us know what worked great and where we need to improve.

We wouldn’t be here without you so thanks again for all your help! 😘

Dave Teare Founder of AgileBits

1Password X: Better, Smarter, Faster, and Japanese! マジで!

If you’re new to 1Password X, you’re in for a treat! 1Password X is a full featured version of 1Password that runs entirely within your web browser. It’s great if you’re using Linux or Chrome OS and has quickly become my favourite way to enjoy 1Password on the web.

Since launching in November we’ve been hard at work exploring what’s possible and polishing everything else. I’d love to share with you what’s new since 1Password X blasted off! 🚀

Our best password generator yet

One of the things that we wanted to explore in 1Password X was how could we make our beloved password generator even better. And we were willing to go back to the drawing board to make it happen.

We started by suggesting new passwords directly within websites:

Just click Use Suggested Password when signing up and you’ve secured this website. It’s incredibly easy and perfect for most sites.

Some websites, however, don’t accept long passwords. Or sometimes you need a memorable password or a numeric PIN code.

1Password X now has a fully customizable password generator and it’s our best one yet! When you need a custom password just open 1Password from the toolbar and bring up the password generator:

In addition to looking amazing, our new generator is more powerful and easier to use than ever. You can customize everything and choose between different kinds of passwords depending on your needs.

I’ve always enjoyed the simplicity of our password generator and didn’t want to lose that as we added more options. I’m incredibly thankful that our designers found a way to pack so much power into such a simple and beautiful window.

Smarter filling and saving

Using machine learning, we can now distinguish between registration forms and sign-in forms. This is incredibly cool as it allows us to anticipate what you need and suggest appropriate actions.

When you’re on a sign-in form, 1Password X will offer to fill it for you. If you’re on a registration form, it will suggest a strong, unique password for you to use. And if you need to change an existing password, 1Password X can help you there, too:

Along with these more visible improvements, we also greatly improved form filling all around (especially credit cards and identities) and added support for those running in Incognito mode.

Faster everything

Feel the need for speed? 1Password X is packed full of it! Unlocking 1Password is now over 30 times faster and loading your items is instantaneous.

I’m now able to unlock 1Password X on my 2014 MacBook Pro faster than I can type my Master Password. I have over 3000 items in 50+ vaults spanning two accounts and I have access to everything I need before I can say “oh my”. 🙂

In addition to blazing unlock speeds, you’re also able to view your item details and fill Logins faster than ever.

To achieve this incredible speed, 1Password X caches your encrypted data locally so it’s always available. That means you always have access to your data, even when you don’t have internet or are on spotty Wi-Fi.

And so much more

We’ve added over 120 new features and improvements to 1Password X since our inaugural 1.0 release. In addition to the highlights above, some more of our favourites include creating new items, customizable auto-lock settings, and full support for Japanese!

To get started, all you need to do is install 1Password X and sign in to your 1Password account.

Oh, and there’s one more thing

1Password X initially came out for Google Chrome and since then we’ve added support for Vivaldi, Ghost Browser, and coming very soon, Opera. But as much as I love Chrome and its Chromium-based relatives, it’s time for 1Password X to support more browsers.

Mozilla does an amazing job of keeping the web an open and inclusive space for everyone to enjoy, and we want to support that. So that’s what we’re going to do! 1Password X is coming to Firefox. 🎉 🙌

We have an internal build of 1Password X running on Firefox Nightly already and we’re almost ready to share it with adventurous testers. If that’s you, please give us your email and we’ll be in touch.

There are even more exciting things planned for 1Password X and I hope to share them with you soon. Your feedback is immensely valuable in helping us set priorities so please join us in our 1Password X forum and say hi.

Onward and upwards! 🚀 😘

Install 1Password X

Give the gift of 1Password

Ever since we launched 1Password memberships, people have been asking us how they can gift 1Password to their friends and loved ones. As you might expect, we see the most interest around the holidays, and this past holiday season was no different. I always thought it was a great idea, but we didn’t have a good answer – until now.

$125 for only $99 🎉

With 1Password Gift Cards, you can help anyone stay safe online. Give them to others or redeem them for yourself. You can purchase them in amounts of $25, $50, or $125. And because everyone loves to save money, we put the $125 gift cards on sale for only $99!

Get a 1Password Gift Card

PayPal, Apple Pay, and more

Another request we’ve seen is the ability to pay for a 1Password membership without using a credit card. Gift cards make that easy.

You can purchase 1Password Gift Cards with PayPal, Apple Pay, and – because it’s 2018 – cryptocurrencies, like Bitcoin, Ethereum, and Litecoin. You can even use 1Password to manage your cryptocurrencies.

And for those of you who are like myself – a bit old-fashioned – credit cards are still an option as well. 😉

Gifts are for everyone

Giving the gift of 1Password is incredibly easy. When you purchase a gift card, you’ll receive an email with the gift code. Simply forward that email to your friend or loved one, and they can sign up for 1Password to redeem the gift card or apply it to the 1Password membership they already have.

And you don’t even have to limit gift cards to people you like. You can send one to someone you don’t like. Maybe it’ll be the beginning of a beautiful friendship. 😊

Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued by how this works as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
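The exchange described above, as an added Python example that is not 1Password's or Troy Hunt's code: a client hashes the password with SHA-1, sends only the first five characters, and matches the rest locally. The server here is an in-memory stand-in filled with constructed data, and the class name, function names and the `SUFFIX:COUNT` response lines are assumptions of this sketch.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Full 40-character SHA-1 of the password, upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class SimulatedRangeServer:
    """Stand-in for the breach-password service (hypothetical, offline).

    It stores leaked hashes grouped by their first five characters and
    records every value a client sends, so the test can show exactly
    what the server learns.
    """

    def __init__(self, leaked_hashes):
        self.buckets = {}
        for digest, count in leaked_hashes:
            self.buckets.setdefault(digest[:5], []).append((digest[5:], count))
        self.received = []  # everything clients have ever sent

    def range_query(self, prefix: str) -> str:
        # Reject anything longer than the 5-character prefix, so a buggy
        # client cannot leak a full hash by mistake.
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly five upper-case hex characters")
        self.received.append(prefix)
        rows = sorted(self.buckets.get(prefix, []))
        return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, server: SimulatedRangeServer) -> int:
    """Return how often the password appears in the corpus (0 if absent).

    Only the 5-character prefix leaves this function; the remaining 35
    characters are compared locally against the returned bucket.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server.range_query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def build_constructed_corpus():
    """Constructed sample data: three leaked passwords with made-up counts,
    plus a made-up hash that lands in the same bucket as "password"."""
    leaked = {"password": 1200, "123456": 3400, "letmein": 56}
    corpus = [(sha1_hex(pw), n) for pw, n in leaked.items()]
    decoy = sha1_hex("password")[:5] + "0" * 35  # same prefix, different suffix
    corpus.append((decoy, 7))
    return corpus


if __name__ == "__main__":
    server = SimulatedRangeServer(build_constructed_corpus())
    for candidate in ["password", "constructed-unique-passphrase-4821"]:
        hits = pwned_count(candidate, server)
        verdict = f"found {hits} times" if hits else "not found"
        print(f"{candidate!r}: {verdict}")
    print("server only ever saw:", server.received)
```

The decoy entry shows why the prefix alone does not identify a password: the bucket returned for `password` contains more than one hash, and only the client knows which suffix it was looking for.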

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

How to use 1Password to manage cryptocurrency

In 2017, the cryptocurrency market skyrocketed to over $600 billion. It’s the digital gold rush, and everyone wants their share. The lure of riches is too much to ignore, but there are also enormous risks. We can’t teach you how to make the best investments, but we can help you manage your cryptocurrencies securely.

I’ve been trading crypto for a while now, and to be perfectly honest, none of it would be possible without 1Password. It helps me stay secure, and creating and managing all of my credentials – 46 and counting – is an absolute breeze.

My #1 rule: Set up 1Password before investing in crypto

Before you invest in crypto, you need to take your security seriously. The best way to do that is with 1Password. I’ve seen people invest without using a password manager at all, and I’m seriously terrified for them. They create weak passwords, which they store on a piece of paper or unencrypted on their device. Or, like a number of early bitcoin investors discovered, they no longer remember their credentials. So while they may have thousands of dollars stored in a digital wallet somewhere, it’s lost forever.

There have already been reports of people losing over $100,000 by accessing their accounts on public Wi-Fi, or signing in to a fake website. While 1Password can’t protect you from insecure networks (if it’s unavoidable, always use a VPN like Encrypt.me), we can protect you from phishing sites, weak and duplicate passwords, and a foggy memory.

How to use 1Password to store your crypto

So just how can you use 1Password to manage your crypto? It depends what you’re storing: account credentials, private keys, wallet seeds and backups, or crypto addresses. I’ll shed some light on how I use 1Password to manage them all.

Exchange accounts

Exchanges are where all the action takes place. After you’ve purchased some crypto, you can send it to an exchange and trade it for any other coin on offer. Unless you only trade the top 20, you’ll need to sign up for a few exchanges to buy the coins you want.

When I sign up for an exchange like Bittrex, Binance, or Kucoin, I save it as a Login item, just as I would for a regular account. I enable 2-factor authentication using one-time passwords, and I strongly recommend you do the same before depositing money there.

When I want to sign in, 1Password fills my username and password, and copies my one-time password to the clipboard for easy retrieval. Plus, it won’t fill my details anywhere except the specified URL, keeping me well protected from both man-in-the-middle and phishing attacks.

Wallets

If the collapse of Mt Gox taught us anything, it’s that you should always take your coins off an exchange. To keep them safe, you’ll need to set up some wallets. Cryptocurrency wallets allow you to interact with the blockchain to store, send, and receive crypto. Because most coins have their own blockchain, you’ll likely need more than one.

There are 3 main wallet types: software, hardware, and paper. Many people prefer hardware wallets like the Ledger Nano because they’re not connected to the internet. My only advice here? Don’t buy one second hand.

I’m worried I’d lose a hardware wallet, so I use a mix of paper and software wallets and store the details in 1Password. I set up my software wallets on an encrypted Virtual Machine with the password saved as a Login item. I create a Login item for each wallet (software and paper), and use the password generator to create a wallet seed or passphrase.

If my wallet address won’t change, I set it as the username. If I create multiple addresses, I add them to a new section called Addresses for easy retrieval. And if I need to save private keys, I add a new field to the Login item, label it Private Key and set it as a password so it’s always concealed.

Once my wallet is encrypted, I save a backup and attach it to the Login item in 1Password. This way, if I ever lose my MacBook Pro, I can restore the wallets on another computer using my wallet backups and credentials.

To help me see how my coins are spread, I can use the notes section to keep a tally. I find this especially helpful for keeping track of coins in MyEtherWallet, a paper wallet that stores both Ethereum and ERC20 tokens.

Cryptocurrency addresses

Much like a bank account, if someone in my family wants to send me crypto, they’ll need to know my wallet address and the currency tied to it. 1Password covers that, too. I simply create a Bank Account item and name it after the currency. I use the name of the wallet for the bank, and insert my wallet address into the account number field. Then I just add it to our Shared vault so it’s there whenever they need it.

Organise your crypto with tags

I have a lot of data in my vaults, and with my crypto items growing rapidly, I need a good way to organise them. Luckily, that’s a simple fix. All I need to do is tag them crypto and I can see everything at a glance.

Pay for your 1Password account with crypto

If you ever wanted to pay for your 1Password account with crypto, now you can. We’ve released 1Password Gift Cards as an alternative payment option, which you can purchase with Bitcoin, Ethereum, Litecoin, and Bitcoin Cash. When you get to the checkout, choose Coinbase as your payment method and complete your order in the cryptocurrency of your choice. Once your payment has cleared and you’ve received your gift card, you can redeem it by adding the code to your Billing page.


1Password is an essential tool for managing cryptocurrency – one that I’d be completely lost without. Thanks to the flexibility of custom fields, I can save my credentials in a format that makes sense for me, and retrieve them with ease. And I can sleep soundly knowing my data is protected by 1Password’s security model.

We’d love to add some new cryptocurrency templates in a future release, so please let us know in the comments what strategies you use to manage yours.

1Password is for families

Today we’re celebrating Family Day here in Ontario and throughout other parts of Canada. It’s a great way to remind ourselves of the people in our lives who are always here when we need them. Family can mean a lot of different things – my brother-in-law Mike calling to ask if I need help shovelling snow, my aunt sharing a new card game, or a friend who needs a ride to an appointment – in the end, family means “together”.

Sharing together


Most of the time, sharing lives together is as simple as sharing a meal, sharing how your day was, and – these days – sharing Wi-Fi passwords and Netflix accounts. 1Password Families can’t cook for you or get your kids to clean their rooms, but it’s great with online accounts. In fact, it’s great for sharing a lot more than passwords, too.

The Winter Olympics in Pyeongchang got me thinking about international travel, and I’m reminded of Jeff’s post about his son’s trip to Texas. He used 1Password Families to help his son prepare for his trip to the USA for an international gymnastics training camp. I’ll let him tell the story:

I created a Texas Trip vault [and] added our passports, contact info, and a credit card for emergencies (new headphones are not an emergency). In went the flights, insurance policies, consent forms, and all the rest. Finally, I added passwords for all the ways he could reach us, from Skype to FaceTime to Zoom; although, trying to get a 15-year-old to actually talk to his parents was another matter.

It was really quite reassuring to know that all of that information was there for him to easily access on either his Mac or his iPhone.

And that’s just one example. There are as many different ways to use 1Password Families as there are families. You get to choose who has access to shared information, and everyone gets their own personal vault for stuff that’s private. But no matter what you share with your family, you can be sure that your secrets are safe.

Recovering your peace of mind

One of my favourite taglines for 1Password is “Go ahead, forget your passwords”. Taking that plunge into a world of not knowing my passwords was scary, but now that I’m here, I can’t imagine going back. There’s only one password I need to remember now: my Master Password. But what happens if I forget that?! I’d normally start to feel my peace of mind slip away just thinking about that, but thanks to my family, I don’t have to worry.

Nobody at 1Password ever has access to your information. That means that if you forget your Master Password, we can’t help you recover your account. But if you have a 1Password Families membership, you can designate another family member who can help you recover your account. You get to have peace of mind because you’re in control.

Make the switch

If you have a 1Password account and have been considering inviting your family, there’s never been a better time. There are a ton of benefits to 1Password Families, some of which I mentioned above. A family account lets you:

  • Share vaults securely. Shared vaults show up on your family’s devices instantly.
  • Recover accounts. If someone in your family forgets their Master Password or can’t find their Secret Key, a family organizer can help recover their account.
  • Simplify payment. A single subscription covers a family of 5, with room to grow.

Upgrading to a family account is as easy as inviting more people.
Simply sign in to your account on 1Password.com and click Invite People in the sidebar. 😀

Love for our 1Password Family

With that, I’d like to wrap this up with a special thank you to all of our extended 1Password family members. Without the lovely people I work with every day and all the amazing customers who have supported us over the years, 1Password wouldn’t be where it is today. Thank you! And I mean it when I say we have amazing customers. Dave and I were recently away and came back one day to our room and saw this on the door:

Thank you for making truly amazing software. I use 1Password everyday (when I'm not cruising) ❤️ @miwahall


It’s heartwarming to be making connections with people, and we’re so glad we’ve had the chance to be a part of your lives! ❤

Terraforming 1Password

A few days ago I posted this tweet:

The tweet generated quite a bit of interest from people running or managing their services, and I thought I would share some of the cool things we are working on.

This post will go into technical details and I apologize in advance if I explain things too quickly. I tried to make up for this by including some pretty pictures but most of them ended up being code snippets. 🙂

1Password and AWS

1Password is hosted by Amazon Web Services (AWS). We’ve been using AWS for several years now, and it is incredible how easy it was to scale our service from zero users three years ago to several million happy customers today.

AWS has many geographical regions. Each region consists of multiple independent data centres located closely together. We are currently using three regions:

  • N. Virginia, USA us-east-1
  • Montreal, Canada ca-central-1
  • Frankfurt, Germany eu-central-1

In each region we have four environments running 1Password:

  • production
  • staging
  • testing
  • development

If you are counting, that’s 12 environments across three regions, including three production environments: 1password.com, 1password.ca, and 1password.eu.

Every 1Password environment is more or less identical and includes these components:

  • Virtual Private Cloud
  • Amazon Aurora database cluster
  • Caching (Redis) clusters
  • Subnets
  • Routing tables
  • Security roles
  • IAM permissions
  • Auto-scaling groups
  • Elastic Compute Cloud (EC2) instances
  • Elastic Load Balancers (ELB)
  • Route53 DNS (both internal and external)
  • Amazon S3 buckets
  • CloudFront distributions
  • Key Management System (KMS)

Here is a simplified diagram:

[Diagram: simplified 1Password environment]

As you can see, there are many components working together to provide 1Password service. One of the reasons it is so complex is the need for high availability. Most of the components are deployed as a cluster to make sure there are at least two of each: database, cache, server instance, and so on.

Furthermore, every AWS region has at least two data centres that are also known as Availability Zones (AZs) – you can see them in blue in the diagram above. Every AZ has its own independent power and network connections. For example, the Canadian region ca-central-1 has two data centres: ca-central-1a and ca-central-1b.

If we deployed all 1Password components into just a single Availability Zone, then we would not be able to achieve high availability because a single problem in the data centre would take 1Password offline. This is why when 1Password services are deployed in a region, we make sure that every component has at least one backup in the neighbouring data centre. This helps to keep 1Password running even when there’s a problem in one of the data centres.

Infrastructure as Code

It would be very challenging and error-prone to manually deploy and maintain 12 environments, especially when you consider that each environment consists of at least 50 individual components.

This is why so many companies today have stopped updating their infrastructure manually and embraced Infrastructure as Code. With Infrastructure as Code, the hardware becomes software and can take advantage of all software development best practices. When we apply these practices to infrastructure, every server, every database, every open network port can be written in code, committed to GitHub, peer-reviewed, and then deployed and updated as many times as necessary.

For AWS customers, two major languages could be used to describe and maintain the infrastructure:

  • CloudFormation
  • Terraform

CloudFormation is an excellent option for many AWS customers, and we successfully used it to deploy 1Password environments for over two years. At the same time we wanted to move to Terraform as our main infrastructure tool for several reasons:

  • Terraform has a more straightforward and powerful language (HCL) that makes it easier to write and review code.
  • Terraform has the concept of resource providers that allows us to manage resources outside of Amazon Web Services, including services like DataDog and PagerDuty, which we rely on internally.
  • Terraform is completely open source and that makes it easier to understand and troubleshoot.
  • We are already using Terraform for smaller web apps at AgileBits, and it makes sense to standardize on a single tool.

Compared to the JSON or YAML files used by CloudFormation, Terraform HCL is both a more powerful and a more readable language. Here is a small example of a snippet that defines a subnet for the application servers. As you can see, the Terraform code is a quarter of the size, more readable, and easier to understand.

CloudFormation

"B5AppSubnet1": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
        "CidrBlock": { "Fn::Select" : ["0", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
        "AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]},
        "VpcId": { "Ref": "Vpc" },
        "Tags": [
            { "Key" : "Application", "Value" : "B5" },
            { "Key" : "env", "Value": { "Ref" : "Env" } },
            { "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet1"]] } }
        ]
    }
},

"B5AppSubnet2": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
        "CidrBlock": { "Fn::Select" : ["1", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
        "AvailabilityZone": { "Fn::Select" : [ "1", { "Fn::GetAZs" : "" } ]},
        "VpcId": { "Ref": "Vpc" },
        "Tags": [
            { "Key" : "Application", "Value" : "B5" },
            { "Key" : "env", "Value": { "Ref" : "Env" } },
            { "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet2"]] } }
        ]
    }
},

"B5AppSubnet3": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
        "CidrBlock": { "Fn::Select" : ["2", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
        "AvailabilityZone": { "Fn::Select" : [ "2", { "Fn::GetAZs" : "" } ]},
        "VpcId": { "Ref": "Vpc" },
        "Tags": [
            { "Key" : "Application", "Value" : "B5" },
            { "Key" : "env", "Value": { "Ref" : "Env" } },
            { "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet3"]] } }
        ]
    }
},

Terraform

resource "aws_subnet" "b5app" {
  count             = "${length(var.subnet_cidr["b5app"])}"
  vpc_id            = "${aws_vpc.b5.id}"
  cidr_block        = "${element(var.subnet_cidr["b5app"],count.index)}"
  availability_zone = "${var.az[count.index]}"

  tags {
    Application = "B5"
    env         = "${var.env}"
    type        = "${var.type}"
    Name        = "${var.env}-b5-b5app-subnet-${count.index}"
  }
}

Terraform has another gem of a feature that we rely on: terraform plan. It allows us to visualize the changes that will happen to the environment without performing them.

For example, here is what would happen if we change the server instance size from t2.medium to t2.large.

Terraform Plan Output

#
# Terraform code changes
#
# variable "instance_type" {
#    type        = "string"
# -  default     = "t2.medium"
# +  default     = "t2.large"
#  }


$ terraform plan 
Refreshing Terraform state in-memory prior to plan...

...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ module.b5site.aws_autoscaling_group.asg (new resource required)
      id:                                 "B5Site-prd-lc20180123194347404900000001-asg" =>  (forces new resource)
      arn:                                "arn:aws:autoscaling:us-east-1:921352000000:autoScalingGroup:32b38032-56c6-40bf-8c57-409e9e4a264a:autoScalingGroupName/B5Site-prd-lc20180123194347404900000001-asg" => 
      default_cooldown:                   "300" => 
      desired_capacity:                   "2" => "2"
      force_delete:                       "false" => "false"
      health_check_grace_period:          "300" => "300"
      health_check_type:                  "ELB" => "ELB"
      launch_configuration:               "B5Site-prd-lc20180123194347404900000001" => "${aws_launch_configuration.lc.name}"
      load_balancers.#:                   "0" => 
      max_size:                           "3" => "3"
      metrics_granularity:                "1Minute" => "1Minute"
      min_size:                           "2" => "2"
      name:                               "B5Site-prd-lc20180123194347404900000001-asg" => "${aws_launch_configuration.lc.name}-asg" (forces new resource)
      protect_from_scale_in:              "false" => "false"
      tag.#:                              "4" => "4"
      tag.1402295282.key:                 "Application" => "Application"
      tag.1402295282.propagate_at_launch: "true" => "true"
      tag.1402295282.value:               "B5Site" => "B5Site"
      tag.1776938011.key:                 "env" => "env"
      tag.1776938011.propagate_at_launch: "true" => "true"
      tag.1776938011.value:               "prd" => "prd"
      tag.3218409424.key:                 "type" => "type"
      tag.3218409424.propagate_at_launch: "true" => "true"
      tag.3218409424.value:               "production" => "production"
      tag.4034324257.key:                 "Name" => "Name"
      tag.4034324257.propagate_at_launch: "true" => "true"
      tag.4034324257.value:               "prd-B5Site" => "prd-B5Site"
      target_group_arns.#:                "2" => "2"
      target_group_arns.2352758522:       "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e" => "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e"
      target_group_arns.3576894107:       "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4" => "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4"
      vpc_zone_identifier.#:              "2" => "2"
      vpc_zone_identifier.2325591805:     "subnet-d87c3dbc" => "subnet-d87c3dbc"
      vpc_zone_identifier.3439339683:     "subnet-bfe16590" => "subnet-bfe16590"
      wait_for_capacity_timeout:          "10m" => "10m"

-/+ module.b5site.aws_launch_configuration.lc (new resource required)
      id:                                 "B5Site-prd-lc20180123194347404900000001" =>  (forces new resource)
      associate_public_ip_address:        "false" => "false"
      ebs_block_device.#:                 "0" => 
      ebs_optimized:                      "false" => 
      enable_monitoring:                  "true" => "true"
      iam_instance_profile:               "prd-B5Site-instance-profile" => "prd-B5Site-instance-profile"
      image_id:                           "ami-263d0b5c" => "ami-263d0b5c"
      instance_type:                      "t2.medium" => "t2.large" (forces new resource)
      key_name:                           "" => 
      name:                               "B5Site-prd-lc20180123194347404900000001" => 
      name_prefix:                        "B5Site-prd-lc" => "B5Site-prd-lc"
      root_block_device.#:                "0" => 
      security_groups.#:                  "1" => "1"
      security_groups.4230886263:         "sg-aca045d8" => "sg-aca045d8"
      user_data:                          "ff8281e17b9f63774c952f0cde4e77bdba35426d" => "ff8281e17b9f63774c952f0cde4e77bdba35426d"


Plan: 2 to add, 0 to change, 2 to destroy.

Overall, Terraform is a pleasure to work with, and that makes a huge difference in our daily lives. DevOps people like to enjoy their lives too. 🙌
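A plan only protects production if someone reads it before apply. The Python below is an added example, not code from the original post or from 1Password: it parses the legacy text plan format shown above and flags every replacement or destroy that has not been approved, naming the attribute change that caused it. The names `parse_plan`, `review_plan`, and `approved`, along with the abbreviated sample plan, are assumptions made for illustration; an empty new value (as printed above) is treated the same as Terraform's `<computed>` marker.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated from the plan format shown above, with
# shortened names and one in-place update ("~") added for contrast.
SAMPLE_PLAN = '''\
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

-/+ module.b5site.aws_autoscaling_group.asg (new resource required)
      id:                   "B5Site-prd-lc-example-asg" => <computed> (forces new resource)
      name:                 "B5Site-prd-lc-example-asg" => "${aws_launch_configuration.lc.name}-asg" (forces new resource)

-/+ module.b5site.aws_launch_configuration.lc (new resource required)
      id:                   "B5Site-prd-lc-example" =>  (forces new resource)
      instance_type:        "t2.medium" => "t2.large" (forces new resource)
      key_name:             "" =>

  ~ module.b5site.aws_security_group.example
      description:          "old" => "new"

Plan: 2 to add, 1 to change, 2 to destroy.
'''

ACTIONS = {'-/+': 'replace', '+': 'create', '-': 'destroy', '~': 'update', '<=': 'read'}
# A resource header is a symbol followed by a dotted address; legend lines have no dot.
HEADER = re.compile(r'^\s*(-/\+|\+|-|~|<=)\s+(\S*\.\S+)')
ATTR = re.compile(r'^\s+([\w.#%~-]+):\s+(.*)$')
VALUE = r'("(?:[^"\\]|\\.)*"|<computed>|)'   # quoted literal, <computed>, or empty
CHANGE = re.compile('^' + VALUE + r'\s*=>\s*' + VALUE + r'\s*(\(forces new resource\))?\s*$')
SUMMARY = re.compile(r'^Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.')

@dataclass
class ResourceChange:
    action: str
    address: str
    forced_by: list = field(default_factory=list)    # attributes marked "(forces new resource)"
    root_causes: list = field(default_factory=list)  # (name, old, new) with a known, different value

def parse_plan(text):
    changes, summary, current = [], None, None
    for line in text.splitlines():
        if m := SUMMARY.match(line):
            summary = tuple(map(int, m.groups()))
        elif m := HEADER.match(line):
            current = ResourceChange(ACTIONS[m.group(1)], m.group(2))
            changes.append(current)
        elif (m := ATTR.match(line)) and current:
            c = CHANGE.match(m.group(2))
            if c and c.group(3):
                current.forced_by.append(m.group(1))
                old, new = c.group(1), c.group(2)
                # Only a known literal that differs is a cause; the rest is fallout.
                if new not in ('', '<computed>') and '${' not in new and new != old:
                    current.root_causes.append((m.group(1), old.strip('"'), new.strip('"')))
    return changes, summary

def review_plan(text, approved=()):
    """Return findings that should stop an apply until a person signs off."""
    changes, summary = parse_plan(text)
    findings = []
    for ch in changes:
        if ch.action in ('replace', 'destroy') and ch.address not in approved:
            why = ', '.join(f'{n}: {o} -> {v}' for n, o, v in ch.root_causes)
            findings.append(f'{ch.action} {ch.address} ({why or "computed or inherited"})')
    counted = (sum(c.action in ('create', 'replace') for c in changes),
               sum(c.action == 'update' for c in changes),
               sum(c.action in ('destroy', 'replace') for c in changes))
    if summary != counted:   # truncated or unparsed output must not pass silently
        findings.append(f'summary {summary} != parsed {counted}')
    return findings

if __name__ == '__main__':
    print('\n'.join(review_plan(SAMPLE_PLAN)) or 'no findings')
```

For Terraform 0.12 and later, the machine-readable output of `terraform show -json` on a saved plan file is a better input for this kind of gate than the human-readable text.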

Migration from CloudFormation to Terraform

It is possible to simply import the existing AWS infrastructure directly into Terraform, but there are certain downsides to it. We found that naming conventions are quite different and that would make it more challenging to maintain our environments in the future. Also, a simple import would not allow us to use the new Terraform features. For example, instead of hard-coding the identifiers of Amazon Machine Images used for deployment we started using aws_ami to find the most recent image dynamically:

aws_ami

data "aws_ami" "bastion_ami" {
  most_recent = true
  
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
  filter {
    name   = "name"
    values = ["bastion-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  name_regex = "bastion-.*"
  owners     = [92135000000]
}

It took us a couple of weeks to write the code from scratch. After we had the same infrastructure described in Terraform, we recreated all non-production environments where downtime wasn’t an issue. This also allowed us to create a complete checklist of all the steps required to migrate the production environment.

Finally, on January 21, 2018, we completely recreated 1Password.com. We had to bring the service offline during the migration. Most of our customers were not affected by the downtime because the 1Password apps are designed to function even when the servers are down or when an Internet connection is not available. Unfortunately, our customers who needed to access the web interface during that time were unable to do so, and we apologize for the interruption. Most of the 2 hours and 39 minutes of downtime were related to data migration. The 1Password.com database is just under 1TB in size (not including documents and attachments), and it took almost two hours to complete the snapshot and restore operations.

We are excited to finally have all our development, test, staging, and production environments managed with Terraform. There are many new features and improvements we have planned for 1Password, and it will be fun to review new infrastructure pull requests on GitHub!

I remember when we were starting out we hosted our very first server with 1&1. It would have taken weeks to rebuild the very simple environment there. The world has come a long way since we first launched 1Passwd 13 years ago. I am looking forward to what the next 13 years will bring! 😃

Questions

A few questions and suggestions about the migration came up on Twitter:

By “recreating” you mean building out a whole new VPC with Terraform? Couldn’t you build it then switch existing DNS over for much less down time? [1]

This is pretty much what we ended up doing. Most of the work was performed before the downtime. Then we updated the DNS records to point to the new VPC.

Couldn’t you’ve imported all online resources? Just wondering. [2]

That is certainly possible, and it would have allowed us to avoid downtime. Unfortunately, it also requires manual mapping of all existing resources. Because of that, it’s hard to test, and the chance of a human error is high – and we know humans are pretty bad at this. As a wise person on Twitter said: “If you can’t rebuild it, you can’t rebuild it”.

If you have any questions, let us know in the comments, or ask me (@roustem) and Tim (@stumyp), our Beardless Keeper of Keys and Grounds, on Twitter.