document_256px

Apps ❤ 1Password: Productivity

You’ve seen Apps that ❤ 1Password to help you stay secure while socializing and keeping up with the news, but now it’s time to get to work.

We’re seeing a great number of iOS Productivity apps add 1Password support, and we are truly thankful! Turns out our iPhones and iPads can’t just be for cat GIFs and Yo-ing each other. Apparently we actually have to, like, do stuff with them.

Now you can do stuff with these apps more quickly and securely by logging in and creating accounts with 1Password and Touch ID!

1P4 Android bot

Avoiding the clipboard with 1Password and Lollipop

Copy & Paste clipboards (or “pasteboards” as they are called on Mac and iOS) can be dangerous places for secrets if you have malicious software running on your device. On most operating systems – mobile and desktop alike – most running applications can read from the system clipboard. When you copy a secret to the system clipboard, a malicious process may be able to read and steal that secret.

This, by the way, is not news, but it is good that it has made the news. It helps people be aware of clipboard usage, and it gives me the opportunity to talk a bit about what we have been doing over the years about this.

We have always worked to reduce how much people need to depend on system clipboards when using 1Password. The details differ from system to system, and each operating environment gives us different ways to help reduce clipboard use. On the Mac and Windows PCs we have the 1Password Browser Extensions communicate with 1Password so that web form filling can avoid the clipboard. 1Password for Windows also uses auto-type to reduce clipboard activity. 1Password 5 on iOS offers 1Browser and integration with other apps through App Extensions

1Password Android browserBut today I will reveal a few things that our 1Password for Android beta testers know.

Aside: Before I get to that discussion, I should point out (as I often do), that the single best defense against a malicious program running on your machine or device is to keep your systems up to date with all software and system updates. It is also important to be careful in what you install on your system. 1Password can offer some significant defenses against malware on your system, but you have to help keep your systems free of malware.

1Password 4 for Android already has a simple built-in browser. This allows you to go directly from your Login item in 1Password to the web page, filling the data without the clipboard. Our iOS users are already familiar with 1Browser, and this is shaping up on Android.

Lollipop provides clipboardless sweetness

Of course, web pages aren’t the only thing that people need to fill passwords into, and sometimes people may wish to use something other than the browser built in to 1Password. In the current Beta release of 1Password for Android, we used the latest security and accessibility features in Android 5 (Lollipop) to allow 1Password to fill into other apps without making use of the clipboard.

Starting with Lollipop, we have a way to fill password data into other apps without using the clipboard. Perhaps it would be best to just quote what Nik, our Happiness Engineer, had to say in the beta newsletter just a couple of weeks ago:

Wondering why app and browser filling requires OS 5.0? Me too! So I asked our developers. It turns out that the only way for us to do this in earlier versions of Android OS was to use copy/paste accessibility APIs, meaning that any clipboard manager or malicious app could listen to clipboard events and collect login credentials as they were filled.

In Lollipop, 1Password can fill your information directly, without using the clipboard. Therefore, it isn’t possible for a third party to obtain your passwords by snooping on what 1Password’s doing.

Prior to Lollipop, it would be possible to get this kind of app-filling, but it would have relied on the clipboard under the hood. Because using the clipboard involves known risks, we feel that we should make it clear when copy/paste is being used and minimize it’s use wherever possible. As a result, we decided to focus on a Lollipop-only implementation of our filling feature

If you have an Android device with Lollipop installed and would like a sneak peek, I invite you to sign up for our Android beta.

Clipboards may always be with us

As you can see, we are working to reduce dependency on system clipboards when using 1Password. This is an on-going process. Browser integration on the desktops was something we started with back when the very first versions of 1Password was released for the Mac nearly eight years ago. Later, we introduced our own browser into 1Password for iOS, and much more recently encouraged 1Password integration for other iOS 8 apps using App Extensions. Along the way, we introduced auto-type in 1Password for Windows and a web browser into 1Password for Android. As you’ve learned here, we have in-app filling in our Android Beta, making use of the latest features of Android 5.0, Lollipop.

But while we are progressively reducing the need for copy and paste to a system clipboard, we are a long way from eliminating the need to use these. This is why I must repeat my advice to keep your system free of malicious software.

What I would like to see is a clipboard that could only be read when the user explicitly chooses to paste. This is something that has been suggested a number of times before, but has not be implemented on the most popular operating systems. I suspect that there is a reason for that, but if you know, I eagerly await your insights in the comments.

 

news icon

Apps ❤ 1Password: News

It can be tough to stay in touch with all the news outlets, blogs, and just plain great stuff that’s important to you. Thanks to these iPhone and iPad apps that ❤ 1Password, you can log in securely and get to reading, scrolling, and favoriting faster than ever before.

From podcast clients to information curators, bookmarking services to news readers, these are all great ways to stay informed. With their new 1Password integration on iPhone and iPad, you can stay safe online with strong, unique passwords, yet log in quickly thanks to 1Password, Touch ID, and a single tap.

1PW4 expand notes field

1Password for Windows Tips: The Incredible Expanding Notes

All 1Password items have a notes field where you can add any extra details you want. Some people add street addresses to items that have physical locations, others add device serial numbers to their maker’s Login items for quick reference.

A nice trick in 1Password 4 for Windows is the Notes field can expand when you need more room. If you simply mouseover the Notes field’s bottom bar (the one that separates it from Tags), you can click and drag to make it larger and add whatever you need.

Watchtower icon 1024

Viewing Drupal from the 1Password Watchtower

1Password WatchtowerWhen a large number of websites are discovered to have been vulnerable, as is the case with websites running recent versions of Drupal, people need clear and unambiguous advice that you can act on. And so, our clear and unambiguous advice is:

If you have a username and password on a site which has been using Drupal for its content management, you should change that password. You will need to change that password everywhere you use it, not just on the potentially affected sites.

Our Watchtower service within 1Password for Mac and Windows will recommend password changes for a number of sites that we detect as using Drupal. Here you can see what that will look like.

Drupal Watchtower example

We should also make it clear that none of our systems are affected by the Drupal vulnerability. We don’t use Drupal.

Site administrators know best

We don’t know the status of any particular site other than it appears to be running Drupal. Therefore, if our advice conflicts with advice you received from the administrators of a site, follow their recommendations.

We don’t know when a site gets fixed

Some vulnerable Drupal systems may have been fixed on October 15. Others may still not be fixed yet. Our tests are only capable of determining whether a website is using Drupal (and even that test is imperfect).

Merely patching Drupal is not sufficient for sites that may have been compromised. That is because an attacker using the vulnerability may have left a “backdoor” in a site allowing them back in even after the original vulnerability has been fixed. This makes it yet more difficult to determine whether a site remains vulnerable.

We don’t know if a site has been compromised

Drupal icon 400pxJust because a site has been vulnerable doesn’t mean that it has been compromised. However, it appears that automated attacks have been systematically breaking into vulnerable sites and planting “back doors” that would allow the attacker a way back in at any time in the future. So we should assume that most Drupal sites which weren’t patched very quickly on October 15 have been compromised.

A password compromised anywhere must be changed everywhere

If you reuse the same password on more than one site, you will have some extra work cut out for you. Let me explain why.

Suppose that Molly (one of my dogs) has used the same password on Bark Book as she does on Sprayed By a Mink Anonymous, and let’s also suppose that Bark Book gets compromised by Mr Talk (the neighbor’s cat).  Molly will need to change her password on both the compromised site (BarkBook.com) and on the uncompromised site (SprayedByMinkAnon.org) . That is because Mr Talk can use what he has learned from Bark Book against all of the sites and services that he thinks that Molly may be using. I must also report that Mr Talk, along with everyone down wind, can easily guess that Molly may well be visiting SprayedByMinkAnon.org.

Molly should take this opportunity to work towards having a unique password for each and every service. 1Password will remember those for her. The closer she gets to having a unique password for each site, the less of a headache the next big incident will be.

1P iOS icon 1024

Apps ❤ 1Password: Social Networking

Our Apps ❤ 1Password page is growing by the week, so it’s about time we start highlighting these fantastic apps! Developers are adding support to their apps so you can quickly log in and, in more and more cases, even sign up for a new account with 1Password and Touch ID!

For our inaugural post I’d like to get social. It’s one of our most popular categories so far and has something from and for everyone, including Twitter clients, crowdfunding, and an app for meeting people to, you know, actually get social!

Check out the Social Networking Apps that ❤ 1Password category, and give them some love in the App Store!

1P5 1P mini me

1Password for Mac Tips: meet 1Password mini and its not-so-mini list of shortcuts

1P5 1P mini me

What might seem like one of the smallest new features in 1Password 5 for Mac is actually one of its biggest. We completely redesigned it so you can find what you need more easily, but we also gave it a huge dose of keyboard shortcuts so you can work faster and keep important items at your fingertips.

If you want to impress friends and family and save even more time with 1Password, give these 1Password mini shortcuts1 a try:

  • Open 1Password mini: ⌥-⌘-\ (Option-Command-backslash by default)
  • Open 1Password mini’s preferences: ⌘-comma (Command-comma)
  • Select a category or item: ↑ ↓
  • Open item detail window: →
  • Close item detail window: ←
  • Copy selected field: ⏎ (Return key)
  • Copy the password value for the selected Login item: ⌘-⇧-C
  • Switch vaults: ⌘-1 through 9
  • Edit an item: ⌘-E (Command-E)
  • Save an item: ⌘-S (Command-S)
  • Anchor button (to open an item in its own window): ⌘-O (Command O as in the word “open”)
  • Reveal password field: Hold ⌥ (Option key)

Keep 1Password items on screen while you work

You can even pin 1Password items on-screen in order to reference or copy their details to other apps. Just click the Anchor button (or press ⌘-O) to open an item in a separate, free-floating window. The item detail window remains open until you click the red close button. Plus, you can anchor as many items as you like.

Naturally, there’s a bonus tip here: To close multiple anchored windows all at once, hold ⌥ when you close a window using the red button.

We hope you like these shortcuts, so let us know what you think of them and if we should add any more!

  1. Naturally, these all require that, in 1Password > Preferences > General, the setting to “Always keep 1Password mini running” is enabled.
1P icon 200

1Password 4.1 for Windows puts more control at your fingertips

1P icon 200I have to say, 1Password 4 for Windows has been our 1Passwordiest yet. You’ve given us a ton of great feedback, so we’re back with our first big, free update.

To put it simply, you get more control over some of 1Password’s little details that make a big difference. In v4.1, you can enable rich icons for an even prettier view of your items (View > Show Rich Icons) and lock 1Password when you close your browser (check File > Preferences (Ctrl+P) > Security).

For those who often have many Logins for a particular site, check File > Preferences (Ctrl+P) > Logins > Show X more items… to see more of them at a time.

We also made a ton of improvements across the board to everything from keyboard shortcuts to icon display, linking our fantastic new help guides, adding attachments to items and support for the Comodo Dragon browser, and much more. Check out our full v4.1 release notes for the quite the list of details.

The latest version of 1Password 4.1 for Windows is available now via our built-in automatic updater.

iCloud borderless icon

About iCloud changes in 1Password 5

iCloud borderless iconOne of the big changes in 1Password 5 for Mac and iOS is a brand new iCloud sync engine. This change is a huge, order-of-magnitude-improvement over what we had in 1Password 4, but it came at a cost. I would like to explain how we arrived at this decision.

Mac App Store and AgileBits Web Store

There are two versions of 1Password for Mac. One is available on the Mac App Store and the other is in our own AgileBits Store. For the most part, these two versions are identical. One major difference is that Mac App Store version of 1Password is sandboxed to satisfy the store requirements. Another big difference is the access to iCloud features. Starting with 1Password 5, only apps downloaded from iOS or Mac App Stores have access to iCloud.

Hey Siri, define “iCloud”

“iCloud” is a name that covers many different services and technologies. This umbrella name makes it difficult to talk about iCloud.

For Mac and iOS users, iCloud could mean:

  • Services that keep track of your iTunes Movies and Music purchases
  • Services that keep your application data and iPhone backups
  • iCloud.com
  • And more: apple.com/icloud

For developers, iCloud could mean:

  • a low-level API that is used to read and write files to the local iCloud container folders
  • a document-based API that is used to store documents for apps like TextEdit or Preview
  • an API for apps using Core Data framework
  • new CloudKit API
  • More information is here: developer.apple.com/icloud/index.html

1Password 4 was using the low-level API tied to the local iCloud container folder. It is similar for both Mac App Store and iOS apps. Because the local container folder was available to all apps on Mac, our Web Store version of 1Password could also use iCloud for syncing.

History

Here is a short history of iCloud and 1Password:

  • 2011: iCloud introduced in iOS 5
  • 2012: iOS includes many fixes and new APIs in iCloud. 1Password 4 for iOS 6 (finally!) adds support for iCloud
  • 2013: 1Password 4 for Mac is out with iCloud support
  • 2014: iCloud gets completely re-implemented and reintroduced as CloudKit and iCloud Drive.
  • One-time migration of user data is performed when upgrading to iOS 8 and OS X Yosemite. 1Password 5 for Mac and iOS now use CloudKit

1Password 4 and iCloud

From the developer’s perspective, the original iCloud was pure magic. To sync with iCloud, the “only” thing that the app had to do was to save its files into a special folder and the operating system took care of the rest. The files were magically transferred between all computers and devices.

When the magic worked it was great. When it didn’t, it could be frustrating because there was no way to tell why.

Over time, after dealing with the problems we “learned” and made defensive changes in the app. For example, after initially syncing to iCloud, 1Password would show a message that the data will be available on other devices “in a few minutes”, even though we had no way to tell when it would actually happen. If you were setting up a new device and downloading a lot of data, it would take hours for your 1Password data to appear.

1Password was not the only app affected by iCloud issues:

There is no doubt that these issues triggered a major change in iCloud and the introduction of iCloud Drive and CloudKit. Unfortunately, it seems that iCloud Drive might have inherited some of the issues.

CloudKit

In 2014, Apple announced CloudKit, available exclusively to apps in iOS 8 and OS X Yosemite. It is a simple and elegant network API that allows apps to store data remotely on Apple servers. The biggest difference from iCloud is that there is no magic. Instead of writing the files locally and then waiting for them to magically appear on other devices, the app simply makes a request to update its data on the server. It does require developers to write more code, but the end result is a hundred times better.

CloudKit is very fast, efficient, and makes it easy to detect and troubleshoot errors. CloudKit is predictable. 1Password now knows if the item was successfully updated on the server and is available to other devices. If the operation fails, the app now gets a detailed error message explaining why it happened, be it a network error, a downed server, no space available, or the user was rate-limited.

We don’t have to guess when something goes wrong anymore, and we no longer have to tell our users to perform a set of magic steps hoping that some of them would trigger iCloud to work. CloudKit solved the problems we had with the old iCloud.

Other advantages of CloudKit include:

  • CloudKit stores data as records instead of files. It allows apps to perform partial record fetches and updates that make syncing more efficient and do not force dowloading or uploading an entire file.
  • Remote CloudKit database supports queries that allow 1Password perform syncing faster compared to scanning a directory of files.
  • CloudKit supports “server change tokens”. They are used by 1Password to quickly test for changes made on other devices.
  • 1Password on both Mac and iOS uses CloudKit Remote Push Notifications to perform syncing almost instantly when a change made on a remote device or Mac.
  • CloudKit provides a special record asset type (CKAsset) that is used to sync large attachments.

All these features made a huge difference. We tested CloudKit integration in early betas of 1Password 5 and we immediately became very excited about it. After using CloudKit in the beta for several weeks, we decided it is the best way for 1Password to support iCloud sync.

Conclusion

I hope this explains why we made a decision to switch to CloudKit. The performance and reliability of CloudKit, combined with issues of the old iCloud sync, made it impossible for us to not use CloudKit in 1Password 5.

1P5 Mac icon

1Password 5 for Mac is here

What’s a major OS X release without a major 1Password update? I don’t know, but we would rather not find out. That’s why you can now get 1Password 5 for Mac in the Mac App Store and our web store!

First-class Yosemite citizen

It was only a year ago that we released 1Password 4, and 1Password 5 for Mac ensures we’re ready for the next major chapter of OS X. We completely redesigned 1Password to be a first-class OS X Yosemite citizen—in fact, it requires Yosemite now—right down to compatibility with its new Dark Mode; if you enable it, be sure to check out 1Password mini in the menu bar!

1Password mini also got its own major upgrade. Besides Dark Mode, we redesigned it to be faster and more intuitive so you can fly through menus, anchor an item in its own window with a shortcut, and more. Plus, if you trigger 1Password mini with the system-wide shortcut (⌘-⌥-\ by default), it now conveniently appears in the center of your display.

Go for an iCloud Drive

If you want to use iCloud to sync with 1Password 5 for iOS, I am thrilled to say Apple’s next-gen sync is now available in 1Password 5 for Mac. iCloud sync also now requires the Mac App Store version.

The new iCloud sync is a really big deal. It’s faster and just plain better in every way, and you simply need to upgrade to iCloud Drive on all your Apple devices to sync 1Password 5 (note: we do not store your data in iCloud Drive. We use CloudKit, its underlying technology, for sync). That means you’ll need to iOS 8 and OS X Yosemite all the things. For more details and a guide to making the transition, please check out our iCloud FAQ support document.

Wi-Fi Sync your attachments

Using Wi-Fi Sync to keep your data close to home? As long as you’re using the new 1Password 5 for Mac and iOS, I am delighted to say your attachments will now sync as well.

Upgrades and sales, oh my!

We’re so excited about 1Password 5 for Mac that we want all our v4 customers to have it for free! But what about people who have yet to buy a 1Password License of Awesomeness? No, we don’t actually call it that. But we should.

We want to help you out too, so we’re throwing a 30-percent-off launch sale! That means you can get secure and save a ton of time online for just $35!

How long does the sale run? We don’t know yet. Does it matter? Nope! Grab your 1Password License of Awesomeness now (see? it sounds great), start creating strong, unique passwords for all your accounts, and up your security.