When a Leak Isn’t a Leak

Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves, but his main concern was how the AgileKeychain handles item URLs. While we widely documented this design decision and shared it publicly, Dale was surprised to find out that we didn’t encrypt URLs within the keychain. We want to reassure users that rely on AgileKeychain that their password data is safe and secure, and take the time to walk through our data formats to explain the issue completely.

AgileKeychain & OPVault Data Formats

Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).

In December 2012, we introduced a new format that encrypted much more of the metadata. OPVault, our newer and stronger data format, provided authenticated encryption as well as many other improvements for 1Password users.

This format worked well in situations where we didn’t need to worry about backwards compatibility, including iCloud and local storage on iOS and Mac. For Windows, Android, and Dropbox syncing, however, we needed to decide if we should migrate to the new format or provide compatibility with older versions of 1Password.

We decided to take a conservative approach and not automatically migrate everyone over to OPVault because many users depend upon older versions of 1Password and they wouldn’t be able to log into their accounts. We knew we could trust the security of the AgileKeychain to protect confidential user data so we didn’t want to rush into something that would disrupt people’s workflows.

Switching to OPVault

Despite the security of AgileKeychain remaining intact, Dale reminded us that it’s time to move on. The OPVault format is really great in so many ways and we should start sharing it with as many users as possible.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users. For users who would like to switch to OPVault sooner than this, here’s how you can get started immediately:

To avoid losing access to your data, be sure to back up your 1Password data beforehand, and only follow these instructions if you are NOT using any legacy versions of 1Password. If you have any questions or concerns, or would like to migrate but aren’t sure if your version of 1Password is affected, our knowledgebase, forums and support team are here to help.

1Password 5.4 for Mac: The Convenience Edition

Picture this. You’re on your Mac, and this website is asking you to enter particular characters from your password. But your password is 50 characters of 1Password-generated gibberish; how are you supposed to find the 5th, 14th, and 32nd characters without losing your place? Wouldn’t it be amazing if 1Password could make it just a little bit easier for you?

Picture this. You’ve just found out about the great Multiple Vaults feature and excitedly set up a vault to share with your family. Awesome. But sometimes, secondary vault passwords need to be changed. Wouldn’t it be cool if 1Password made it easy for you to do that?

As of today, it can. And it does. You’ll find these and other new convenience and security features in 1Password 5.4 for Mac: The Convenience Edition, ready to download right now in the Mac App Store and from our website. Read on for the lovely details, then sally forth and download—for the low, low price of free, if you’ve already bought 1Password 5 for Mac.

Large type option now available for passwords

Easily enter specific characters from your password with the new Large Type feature. Selecting this option for your password will display it in big, friendly, colour-coded letters on your screen.

You already know that you can hover over a password in an item’s detail view to copy or reveal it. You’ll see the new large type option in that same menu, always within easy reach.

This feature is also great if you need to enter your Apple ID password on the Apple TV across the room or give guests access to your home Wi-Fi network.

Change the password of a secondary vault

Since your 1…Password (that never gets old around here) unlocks your primary vault and your secondary vaults, it’s very easy to create a secondary vault and never think about its password again. Until now, changing that secondary vault password meant basically recreating the vault.

We’ve made things much more convenient for you in 5.4: you can now change the secondary vault password at will. While you’re at it, don’t forget that it’s a good idea to save this password in your primary vault; since you don’t use it all the time, it’s easy to forget! If you’ve already done that, fantastic! Don’t forget to update that item when you change the secondary vault’s password. =)

A view from the top

Did you know that 1Password for Mac offers multiple layouts? The default is a three-column view, but there’s also a “top” layout option. If you’re a fan of the classic Mail.app layout, you’ll like this one. You can try it out by selecting the View > Item List Layout > Top menu option. We’ve made some improvements to this view in 5.4, all based on your feedback. Thanks for your help!

A new layer of security

We all rely on 1Password to keep our secrets secure. In the 5.4 update for 1Password for Mac, our developers have made 1Password securer than ever by adding a new secret agent to safeguard the communication between 1Password and your web browser.

Safari 9 in Yosemite and El Capitan includes important security updates that address the XARA vulnerability, so please update to the latest Safari and to El Capitan as soon as possible. Our 1Password update works hand in hand with Apple’s OS X security updates to ensure that cross-process communication between 1Password and the web browser in OS X remains secure and properly authenticated.

Because this is a brand new way for the various bits of 1Password to talk to each other, it currently requires the beta browser extension. We’d love your help in ensuring that we didn’t break anything. It’s easy: simply use 1Password in your web browser as you normally do, and let us know if something unexpected happens. If you’re interested in helping us out, please install the 1Password beta extension in your web browser and let us know how things are working in our forums. Thanks very much!

We thank Apple for giving us the tools we need to keep 1Password secure. We’ll have a blog post coming later today explaining the details of this important fix.

But wait, there’s more!

You can find the entire list of new features, improvements, and bug fixes in the release notes.

1Password 5.4 for Mac is available now as a free update if you already have a 1Password 5 for Mac license (or downloaded 1Password 5 from the Mac App Store). Choose the 1Password 5 > Check for Updates menu option, or grab the new version from our downloads page. If you are a Mac App Store customer, the update will download automatically or appear on the Updates tab in the App Store app, depending on your settings.

Got feedback? We’d love to hear from you. Add a comment here or in our discussion forums, or start a conversation with us on Twitter, ADN, or Facebook.

1Password App Extension API and time-based, one-time passwords

The App Extension API was released as a companion to 1Password 5 for iOS last year. Now that 1Password 6 is out, I’m sure some of you are curious to learn about what’s new in the API. To celebrate the App Extension API’s first anniversary, I’d like to tell you about one of its best-kept secrets: Time-based, One-time Passwords (TOTPs).

TOTP + 1Password extension = 🔐

Did you know that our App Extension API supports one-time passwords? In fact, it’s been there since version 1.5 of the API. If you haven’t already, I recommend that you upgrade to the latest version, 1.6.1. Not only can your users fill their usernames and passwords in your app with a few simple taps, their one-time passwords can be filled just as easily.

Best of all, it’s an absolute cinch to implement: simply check whether the one-time password exists in the login dictionary from findLoginForURLString:

@IBAction func findLoginFrom1Password(sender: AnyObject) -> Void {
    OnePasswordExtension.sharedExtension().findLoginForURLString("https://www.acme.com", forViewController: self, sender: sender, completion: { (loginDictionary, error) -> Void in

        // Fill the username and password into the fields
        self.usernameTextField.text = loginDictionary?[AppExtensionUsernameKey] as? String
        self.passwordTextField.text = loginDictionary?[AppExtensionPasswordKey] as? String

        // Check if the user has a One-Time Password for the selected 1Password Login
        if let generatedOneTimePassword = loginDictionary?[AppExtensionTOTPKey] as? String {
            self.oneTimePasswordTextField.text = generatedOneTimePassword

            // Important: It is recommended that you submit the TOTP to your validation server as soon as you receive it, otherwise it may expire.
            self.submitRightNow()
        }
    })
}

That’s all it takes to make your users’ lives much simpler.

1Password ❤ App Developers

If you have already added the 1Password app extension to your iOS app, thank you; you’re awesome! This new functionality gives you the ability to make security even more convenient for your users, and I can’t wait to see how you use it. Please don’t forget to submit your app to our Apps ❤ 1Password directory.

A newsletter just for you

You can also subscribe to our 1Password App Extension Developers newsletter. We’ll send you an occasional newsletter containing 1Password App Extension news, updates, and tricks, to help you realize the full potential of the 1Password Extension API in your iOS apps.

If you have any questions, you can comment on our GitHub project or email support+appex@agilebits.com. I look forward to talking to you!

1Password tips

Quick Tip: iOS 9 Spotlight search and 1Password

Some of the geekiest arguments I’ve ever heard have been over the way people organize apps on their iPhones and iPads. I keep my most heavily used apps on my main screen, then shove almost everything else into folders on my other screens.

The reason I can do this is because of the wonders of Spotlight search. It’s easy for me to search for and launch the app I want to use, so I don’t have to spend my mental energy trying to remember where I’ve put things.

Apple opened up Spotlight to third-party developers like us in iOS 9. My searches are now supercharged! I’ve gotta say, I love being able to find my 1Password items right from my iPhone’s home screen. I enabled Spotlight search in 1Password by going to Settings > General > Enable Spotlight Search. Now I can just pull down, type in part of the item’s title, then tap on its name in the search results. 1Password opens right to that item.

You might have questions about the new Spotlight search and how it works with 1Password, so I put together some answers for you. If your question isn’t addressed, please let me know; I’ll be sure to update it in response to your feedback.

I’m also curious: what are your favorite iOS 9 features? Let me know in the comments!

1Password tips

Quick Tip: 1Password 6 and Slide Over

It’s been just over a week since I received my delightfully thin and light iPad mini 4. I got the orange Smart Cover, and it looks fantastic. The primary reason I decided to upgrade my iPad mini this year was to take full advantage of everything iOS 9 has to offer.

iOS 9 has a metric ton of new features, but by far my favorite is Slide Over. Combining 1Password with Slide Over is a game changer for saving time and using every bit of power 1Password has to offer.

Logging into third-party apps doesn’t get any easier than using the 1Password Extension, which is supported by many apps. However, there is the occasional app that doesn’t (yet) support the extension, and this is where Slide Over shines.

Slide Over is a new iOS 9 feature for the iPad¹ that lets you swipe from the right edge of the display to bring up another app on top of the one you are currently using. Multitasking has never been faster or easier.

Let’s say I’m using my banking app, which sadly hasn’t added the 1Password extension. In iOS 8, my workflow would have looked like this: close the banking app, launch 1Password, copy the password, switch back to the banking app, and then paste.

With the combined power of iOS 9, Slide Over, and 1Password 6, I can simplify the process.

Swipe left to right in your item list to reveal the Copy Password option

While in my banking app, I can swipe in from the right, unlock 1Password, slide from left to right on the bank’s Login item in the list to copy the password, and slide 1Password away. It’s that simple.

If you have an iPad that supports Slide Over, give it a shot the next time you find yourself in an app without 1Password support. And then be sure to write a nice note to the developer of that app and ask them to integrate the 1Password app extension for iOS.

We always love hearing from you. Start a conversation with us on our Support Forums, Twitter, or Facebook.


¹ Supported on iPad mini 2, 3, and 4; iPad Air and Air 2; iPad Pro

Security

Everything you need to know about 1Password and XcodeGhost

Over the past few days, security researchers from Palo Alto Networks discovered that 39 apps infected with malware found their way into the Apple App Store in China. Since the news broke, the malicious apps have been pulled from the App Store— and we’ve had a few questions about what this might mean for 1Password and password managers in general. To put your mind (and your passwords!) at ease, we’re answering some of the most common questions and concerns that iOS users have had about malware, compromised apps, and the security of 1Password.

So wait… what happened? How did this get in the App Store?

It’s kind of a long story, but we’ll make it short. In software development, there are many, many tools that can be used to build an app, and iOS developers rely on a compiler called Xcode as part of that process. A compromised version of that compiler made its way to the web in China, and was downloaded from an untrusted source. In this case, all apps built using the malicious compiler, XcodeGhost, were modified to sneak malicious code into the App Store. Though Apple works to review and screen apps for malware before they reach the App Store, in this case Apple confirmed that the attackers were able to make it through the review process without raising any red flags.

What does this malware do?

In general, most malware is designed to capture personal information and/or user credentials, and send them back home to the attacker who compromised your device. While XcodeGhost does not directly affect the 1Password application, it indirectly affects those who use the application through your device’s clipboard. In a post outlining the malware’s capabilities, senior malware researcher Claud Xiao noted that this particular strain could:

  • Prompt a fake alert dialog to phish user credentials
  • Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps
  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

Additionally, according to one developer’s report, XcodeGhost has already launched phishing attacks to prompt a dialog asking victims to input their iCloud passwords.

Should I be worried? Does this affect me?

There are a few very specific factors that determine whether your device is at risk, but overall, this vulnerability is a rare occurrence for the App Store.

  • At present, this issue mostly affects devices using the Chinese App Store, though researchers have found compromised apps in the Canadian App Store as well.
  • The malware is only in applications built using a compromised code compiler. A list of affected apps can be found on the Palo Alto Networks blog, but security researchers believe that as many as 344 apps may be vulnerable to the attack.

Will 1Password protect my data if an app on my iPhone or iPad has been infected by XcodeGhost?

We have designed 1Password with your privacy in mind at all times. We use strong, reliable encryption and take many, many measures to make our application breach-resistant. Combined, the many layers of security we’ve implemented work together to secure your passwords and protect your most sensitive data— but if your device has been compromised, there’s almost nothing that 1Password can do to defend it. As previously stated in a post on malware by Jeffrey Goldberg, our Chief Defender Against the Dark Arts:

I have said it before, and I’ll say it again: 1Password […] cannot provide complete protection against a compromised operating system. There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

Eek! My phone is infected with this— what should I do?!

First (and most importantly): don’t panic! There are a few simple things you can do to return things to normal. If you’re positive that you’re using an app that was affected, here’s what you can do immediately to protect your data:

  1. Delete the compromised app(s) from your phone. If you are uncertain about whether an app has been compromised, it’s okay to delete it out of an abundance of caution.
  2. Change any passwords that you think may have been compromised through your device’s clipboard. Any passwords that you may have accessed through the 1Password extension are safe from this strain of malware, and do not need to be changed.
  3. Avoid redownloading or reinstalling any of the compromised apps until they have been updated. When an update has been released, be sure to download it from a trusted source once the developer has officially confirmed that a new, secure version is ready for you to use. If you’re uncertain of this, you can visit the developer’s site or check with their support team for help.

The XcodeGhost vulnerability doesn’t directly affect 1Password— we have not used the malicious version of Xcode, and the malware it injects into applications was not designed to directly compromise or target our application. Though the malware in compromised apps on any platform has the potential to put any user’s credentials at risk, especially when it can access a device’s clipboard, all technology users benefit from the work security researchers do to find vulnerabilities like this.

If you’ve made it this far down the post and still have questions or concerns, please leave a comment here or start a conversation with us in our discussion forums. You can also reach out to us on Facebook and Twitter.

1Password 6 for iOS: The Extreme Makeover Edition is here!

We all have a ton of passwords and important information to keep track of, and 1Password is the best place to keep it all safe and sound. Whether it’s your passwords, passport number, or credit card information, 1Password makes it convenient for you to stay secure, because we love you. 💙

Over the years, as our data has moved from our desks to our pockets to our wrists, we’ve built (and rebuilt) 1Password to have the strongest defenses and the easiest usability. With iOS 9 we’ve created some amazing new additions and we’re finally ready for the big reveal.

Meet 1Password 6 for iOS.

A lovely shade of #1A8CFF

One of the first things we noticed when starting this project was that 1Password was looking a little, well, monochrome. Our designers spent hours holding up paint chips under different lights and finally settled on #1A8CFF to make everything pop. We affectionately call it Bits Blue. We’ve also pushed around the pixels of the category icons to make them more delightful, and beautified 1Browser. Don’t worry, everything you know and love is still in a familiar spot; it just looks shiny, new, and wonderful.

Rolling around new passwords

A password’s greatest strengths are its length and its randomness. But let’s be honest, sometimes you need to type in a password by hand and typing ErymQd3svcqM3BPYKWh is hard.

With our new Wordlist Password Generator, you can create long passwords out of randomly chosen real words: cellist-dander-signify-esteem-elver is easy to read, easy to type, and super secure. The new generator is inspired by Arnold Reinhold’s Diceware. We think it’s an amazing concept and aligns perfectly with our goal of making it simple and convenient for you to secure your digital life.

Pro tip: Diceware passwords make terrific answers to security questions! To have 1Password remember them for you, add a custom section with a custom password field to the Login item (Pro Features required for custom fields).
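
How the Diceware method mentioned above turns dice rolls into words, and how its strength is counted: this is an added example of Reinhold's dice-based scheme, not 1Password's own generator or word list. The 7776-entry placeholder list is constructed for the example (a real Diceware list supplies the words), and the function names are assumptions.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries: one per five-dice outcome

# Constructed stand-in for a real Diceware word list (assumption).
SAMPLE_WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def dice_to_index(rolls: str) -> int:
    """Map five dice faces, e.g. "16342", to a 0-based list index."""
    if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
        raise ValueError("expected five digits in the range 1-6")
    index = 0
    for face in rolls:
        index = index * 6 + (int(face) - 1)  # read the rolls as base 6
    return index


def generate_passphrase(wordlist, words: int = 5, separator: str = "-") -> str:
    """Pick words with CSPRNG-simulated dice; physical dice work the same."""
    if len(wordlist) != LIST_SIZE or len(set(wordlist)) != LIST_SIZE:
        raise ValueError("word list must hold 7776 distinct entries")
    picks = []
    for _ in range(words):
        rolls = "".join(str(secrets.randbelow(6) + 1)
                        for _ in range(DICE_PER_WORD))
        picks.append(wordlist[dice_to_index(rolls)])
    return separator.join(picks)


def passphrase_bits(words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy depends on list size and word count, not on word length."""
    return words * math.log2(list_size)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random character password, for comparison."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = LIST_SIZE) -> int:
    """Smallest word count that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDLIST))
    print(f"5 words: {passphrase_bits(5):.1f} bits")
    print(f"19 random letters/digits: {random_string_bits(19, 62):.1f} bits")
    print("words for 80 bits:", words_needed(80))
```

The strength figures hold only when every word is chosen uniformly at random, which is why the generator draws from `secrets` rather than letting a person pick words.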

Installing a Spotlight

Spotlight search has always been a handy tool in iOS, helping you find things very quickly on your iOS device: a friend’s phone number, directions to a restaurant, or that important email that is somewhere in your inbox.

Spotlight is supercharged in iOS 9, and we’re taking advantage of it. New in 1Password 6 for iOS, Spotlight can search your 1Password data from the iOS home screen and take you straight to the desired item! It’s never been faster to find an item, and 1Password doesn’t even need to be open to do it.

To start using Spotlight with 1Password, enable the feature in 1Password > Settings > General.

Landscaping improvements

1Password has always been a portrait of amazingly convenient security, but its landscape mode has been limited to the larger screen of the iPad. We’ve made some significant improvements to landscape view support on iPad, iPhone 6 Plus, and iPhone 6s Plus.

On supported iPad models, 1Password will take advantage of the new Slide Over and Split View features in iOS 9, automatically scaling to the view size you set. On iPhone 6 Plus and 6s Plus, 1Password will now use that extra space to stretch out in landscape mode, displaying your categories and items in a column alongside the detail view.

A more watchful security companion

You’ve been telling us how convenient it is to look up Logins, Credit Cards, Secure Notes, and Passwords on your Apple Watch, but you’ve also told us you wanted more. By popular demand, 1Password for Apple Watch now supports more category types.

Say hello to Passports, Wireless Routers, Driver’s Licenses, Social Security Numbers, and Bank Accounts right on your wrist! To add items from these categories, open the item in the iPhone app and tap Add to Apple Watch.

We’ve also added a convenient way to manually lock 1Password for Apple Watch: simply Force Touch the screen and tap the Lock button.

How much does this extreme makeover cost?

Given the fantastic new features and improvements, you might be thinking 1Password 6 is a paid upgrade, which makes what I’m about to tell you even more incredible. Basic features are still free for everyone, and if you’ve already purchased the Pro features in 1Password 5, you still have them in 1Password 6 for no additional cost. 1Password 6 is available on the App Store.

If you find 1Password useful, please take a couple of moments to leave a rating and review on the App Store. It makes a huge difference to us. Thank you very much! Remember that we can’t reply to App Store reviews, so please post requests for technical support on our forums, or email support@agilebits.com.

We always love hearing from you. Start a conversation with us on our Support Forums, Twitter, or Facebook.

Jessysaurus Rex joins the AgileBits team!

An adventure 65 million years in the making

A couple of weeks ago, we introduced you to the wonder women of AgileBits, who make this company and 1Password what they are today. We’re happy to announce that a new member has joined that illustrious team. If you follow the world of online security, you may already be familiar with her (or at the very least with one of her security sign bunnies hopping around Twitter!).

Her name is Jessy Irwin, and she is an influential voice in the world of information security. She also happens to love dinosaurs. A published writer and presenter, Jessy champions online privacy and security and spends much of her time educating people about the need for strong, unique passwords; secure software development; and operational security (opsec). She works to raise security awareness among students and educators, and helps the average Internet citizen learn what they can do to keep themselves, their data, and their online identities secure. She’s an obvious choice and a natural fit for our team, and we’re so glad that she’s here. @1Password and Jessy have been each other’s Twitter boo for a long time, a courtship that culminated in a grand proposal. (Spoiler alert: She said yes!)

Thanks for the Storify and kind words, Matthew!

This week, Jessy was a guest on Threatpost’s Digital Underground podcast. She and host Dennis Fisher had a great discussion about passwords, student privacy, how Jessy got her start in the world of information security, and her new role at AgileBits. You can subscribe to the Threatpost podcast on iTunes or listen to Jessy’s episode on the Threatpost website.

If you’re interested in learning more about online security, I highly recommend following @1Password and Jessy on Twitter. Jessy frequently shares her thoughts on the latest tech developments (such as Wednesday’s Apple event) and how they might impact your security, as well as great articles and blog posts written by some of the smartest hackers and security researchers in the world. I enjoy following her on Twitter and having her do the work of curating all those interesting articles for me.

1Password tips

Quick Tip: Move a locally synced vault

Pop quiz, hotshot. You’ve chosen to sync your vault to local storage using 1Password 4 for Android. Now you’ve got a new device and you need to migrate that data onto it. What do you do? What do you do?

Not to worry. Migrating your vault to another device isn’t as daunting as it may appear at first glance. You’ll just need access to a desktop computer and a USB cable.

Move the vault from the old device

The first thing you’ll need to do is connect your Android phone or tablet to your desktop with a USB cable. Then, open the device to view its files and folders on your computer.

Note: If you’re using a Mac, make sure you have installed the Android File Transfer tool.

Using Finder or Windows Explorer, navigate through your device’s local storage until you find the .agilekeychain folder that is your 1Password vault. Copy the entire folder to the desired location on your computer.

Migrate to a new device

To get that vault onto a new Android device, connect the new Android to the computer with the USB cable. Then, copy the entire folder to your new device’s local storage.

Once the folder is on the new device, configure 1Password for Android to sync with local storage, as usual.

Migrating to Dropbox

If you’ve decided to switch to Dropbox for easier syncing between devices, you can do that easily. Make sure that Dropbox is installed on your Mac or Windows PC.

Once you’ve got Dropbox installed, open the Dropbox folder on your device and copy the .agilekeychain folder to it. You can use 1PasswordAnywhere to confirm that your vault transferred to Dropbox properly.

That’s it! If you’re syncing to local storage with 1Password 4 on Android, it’s a good idea to back up your vault to another device this way every now and then, just in case something bad should happen. That’s just perfectly normal paranoia. Everyone in the universe has that. :shifty_eyes:

The AgileBits team wearing their finest tin foil hats

Questions? We’d love to hear from you. Leave a comment here or join us in the forums. If you’d like to join our beta family and be the first to try new features, you’re most welcome to sign up for our beta newsletter.

Here’s to you, Mr. Sheridan!

One of the challenges we face as a tech company is making our software accessible to everyone. It’s sometimes hard to gauge, because we’re so close to it. Doing research to answer customers’ questions makes it even more difficult to take a step back and make sure we’re not getting tooooo nerdy.

That’s why I was so excited when I heard from my friend Allison Sheridan this morning. Allison hosts the fantastic NosillaCast, a technology podcast with an ever so slight (ahem) Macintosh bias. She’s previously documented her own experience of switching to 1Password, but yesterday she spoke to Ken Sheridan, her octogenarian father-in-law.

In this lovely interview, we learn how Mr. Sheridan was managing his passwords before Steve (his son and Allison’s husband) helped him set up 1Password. My favourite part is that we also learn how 1Password has made his digital life so much easier and more secure. This enables him to more frequently do things like check his financial accounts, which he used to do only occasionally because it was such a hassle.

We want everyone to have a great experience with our software, and Mr. Sheridan makes me feel like we’re on the right track. Have you shared 1Password with friends, kids, or parents, possibly less geeky than you? We’d love to hear your experience. Leave a comment below or stop by our discussion forums.

Thanks for introducing your family to ours, Allison. Mr. Sheridan, we’re so happy to welcome you.