MyFitnessPal Shows How to Handle a Breach

We all witnessed something refreshing last week when MyFitnessPal announced their data breach. They were open and honest about what happened and they should be congratulated.

Many companies hide from the truth and make things much worse for themselves and their customers. Instead, MyFitnessPal did it right. Not only did they handle the disclosure with finesse, they also had excellent systems in place to limit the exposure of the leak.

MyFitnessPal provides a great case study on how to handle a data breach and protect customer information. Let’s start with the announcement itself.

The Announcement

First it needs to be said that it was awesome that there actually was an announcement and that it was published in a timely manner. This is a very good thing!

There was an in-app notification, direct emails, and a pinned Twitter post.

They also posted Frequently Asked Questions that were excellent and when I emailed their support team with some questions for this post, their automated reply included information about the breach and what they were doing to protect their customers.

MyFitnessPal was incredibly open and transparent about everything and at no point did they try to hide details from their users, myself included! That allowed me to update my password and get on with my life.

I wasn’t overly attached to qdd84b7UayEwM9J6dZV anyway so I didn’t mind changing it. And since I only used this password on myfitnesspal.com I didn’t need to update any other websites.

Strong unique passwords FTW! 🙂

Secure Handling of Passwords

Equally commendable was how MyFitnessPal stored passwords in their systems. Or more to the point, how they didn’t store passwords.

Many sites choose to store the plain text password, which is bad. The fact that Have I Been Pwned? now has over a half a billion plain text passwords in their database shows how prevalent this horrible bad practice is.

MyFitnessPal was much smarter than that as they never stored the actual password. Instead they stored a hash of the password, most of which were created using bcrypt. Our Chief Defender Against The Dark arts wrote at length about bcrypt and how it can be used to protect user passwords.

It’s possible to go even further than bcrypt and avoid sending passwords to the server by using Secure Remote Password. We use this in 1Password and are quite smitten with it.

Avoiding Other Sensitive Information

The other smart thing MyFitnessPal does that should be commended is collecting and storing the minimum amount of data. From their FAQ:

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

The easiest way to protect data is to not have it in the first place! We follow a similar mentality in 1Password and it’s refreshing to see other companies taking security and privacy seriously.

MyFitnessPal made some excellent design choices and quickly organized an effective response to a bad situation.

For those looking to learn more about the MyFitnessPal breach, Troy Hunt started his Weekly Update 80 with a full discussion on the subject that I found very intriguing, especially the strategy on how to migrate from a SHA-1 hash to using bcrypt.

P.S. A great deal of this post was inspired by an incredible letter I received from Benjamin Fox about how unique passwords helped him quickly recover from the MyFitnessPal breach. Thank you for the inspiration, Benjamin! ❤️

Hi Dave,

I know you get hundreds of emails but I can’t help but send this email. I received an email from MyFitnessPal today and of course the news-breaking headlines.

In reading the email, I simply smiled. Headed to my 1password vault and checked the password.

Sure enough, there was a 40 character, numbers + symbols password. I smiled smugly and thought of you.

Your amazing product keeps my data safe every single day. I have not one single duplicated password. Back about 4 years ago I spent the entire weekend updating 200 plus sites with a unique password ( MyFitnessPal being one of them ).

I have recommended so many people to your platform knowing that you have an amazing product and just as importantly, a fantastic support team.

Take care my friend and I send you a warm-hearted thanks from Darwin, Northern Territory, Australia!

Keep doing what you’re doing!
Benjamin Fox.

We really do have the best users in the world. 😘

Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as much as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

1Password revisits the Today Show

My mom is always the first to whip out a business card and tell people all about how 1Password can make their lives easier. So when the Today Show reached out to us, we got to share a proud mom moment – 1Password on TV!

It’s been a few months since then, but I was still star-struck when Carley and her team contacted us again asking for a demo. Happily, your buddy Khad is as cool as a cucumber, and he answered all their questions and helped them get set up.

1Password is recommended by the Today ShowWhile it appeared that Kathie Lee and Craig were having one of those days, Carley got their full attention as soon as she mentioned passwords. (Even Kathie Lee knows you should have a different password for every account!) Carley talked about our password generator, and how you can use it to make each password unique.

Craig brought up a concern about someone getting access to the data, but once again, Carley knew that 1Password uses encryption to keep your data safe. Hopefully Craig takes advantage of Watchtower to look for repeat passwords and get them changed ASAP!

A big shout out to Mobicip, Bouy Health, and Safetrek. It was great sharing the screen with you! And a huge thank you to Carley and her team. You’re helping us keep people safe, 1Password at a time. ☺️

Watchtower keeps you safe on cloudy days

Cloudflare is a large internet technology provider used by millions of websites around the world. Last week they announced a vulnerability that potentially affected all their clients.

In many ways this is a “no news” report for us as your 1Password data was safe during this entire time, and remains so today. 1Password was designed with multiple layers of encryption, and your data is encrypted before it ever leaves your computer. In short, we anticipated the day when HTTPS (SSL/TLS) might fail, so we weren’t worried when that day came.

Even though your data is safe in 1Password, and you don’t need to change your Master Password, it’s important to pay attention to the websites you visit. Some of them may have been using Cloudflare, and you may need to change their individual passwords.

Thankfully 1Password can help with that!

Use Watchtower to find passwords you need to change

Watchtower tells you about password breaches and other security problems on the websites you have saved in 1Password. It’s included on Mac and iOS with every 1Password subscription, and we’ve already added sites that were affected by the issue last week.

It’s easy to get started! Check Watchtower to see if any of the sites you have saved in 1Password are vulnerable. If so, change your passwords for those sites. 1Password can generate strong passwords for you.

? Get started with Watchtower

To keep ahead of future problems:

  • Avoid reusing passwords. Always use unique, randomly generated passwords for each website.
  • Turn on item counts. Choose View menu > Show Item Counts, and you’ll be able to see at a glance if Watchtower is reporting any vulnerabilities.

We continually update Watchtower as security breaches are reported, so you can change your passwords right away. We do this without ever knowing what websites you have saved in 1Password. 1Password downloads Watchtower information to check your websites on your devices. Learn more about how Watchtower protects your privacy.

More Watchtower, still no watching

1Password WatchtowerThere are some great new features in the 1Password for iOS 6.2 update that hit the App Store last week. One of them is that we’ve added Watchtower (a feature that has been available on Mac and Windows for some time now) to 1Password for iOS.

Watchtower warns you if a site or service has been compromised in a way that would make it a good idea for you to change your password for that site. Watchtower in 1Password looks at the most recent time a password change was recommended for a site and it looks at the time that your password for an item was last modified. If, like Molly (one of my dogs), you haven’t updated your Adobe password since the 2014 breach, you might see something like this:

Watchtower warning in 1Password on iPhone

Molly hasn’t changed her Adobe password since the breach a couple of years back

Preserving your privacy

I want to talk about a far less visible feature of Watchtower: We’ve added Watchtower support in a way that still preserves your privacy. We don’t want to know what sites and services you have in your 1Password vaults, so when 1Password checks to see if one of your Logins is listed in Watchtower, it does not make a query to our servers asking about it.

Enable Watchtower in iOS

Turning on Watchtower in iOS. “Your website information is never transmitted to the 1Password Watchtower service.”

Querying Watchtower without querying you

Our Watchtower people are continually watching reports of site breaches and updating our database of such sites regularly. This is how 1Password knows that a password change is recommended for some site.

The “obvious” way for 1Password on your computer (and now iOS device) to alert you, would be to go through your 1Password items and ask our database on some server about the status of those items. The problem with this “obvious” way of doing things is that it means that any server your copy of 1Password queries would then be able to know your IP address and what sites you have in your 1Password data.

If 1Password on some device were to ask our server, “Do you have Watchtower information about ISecretlyHateStarWars.org?” then our server will know that someone at your Internet address may have a very nasty secret. You certainly wouldn’t like us to know such things about you, and we don’t want to know such things either.

The road less travelled

So we don’t do things the obvious way. Instead, we send the same stripped down version of our Watchtower database to everyone who turns on the feature. You have a local copy of the Watchtower data on your device, and 1Password just checks against that copy of the local data. All we can know (if we chose to log such information) is which IP addresses have enabled Watchtower. We are never in a position to know what sites you have in your 1Password data.

Baked-in privacy

It may take a bit of extra work from us to design Watchtower in a way that preserves your privacy, but we think it is worth it.

Your privacy must be protected by more than mere policy (a set of rules we make on how we behave with respect to data about you); instead, we aim to bake privacy protection into the very structure of what we build. We design 1Password in a way that would make it hard for us to violate your privacy.

You can read more about this approach to privacy in our support article, Private by Design.

Viewing Drupal from the 1Password Watchtower

1Password WatchtowerWhen a large number of websites are discovered to have been vulnerable, as is the case with websites running recent versions of Drupal, people need clear and unambiguous advice that you can act on. And so, our clear and unambiguous advice is:

If you have a username and password on a site which has been using Drupal for its content management, you should change that password. You will need to change that password everywhere you use it, not just on the potentially affected sites.

Our Watchtower service within 1Password for Mac and Windows will recommend password changes for a number of sites that we detect as using Drupal. Here you can see what that will look like.

Drupal Watchtower example

We should also make it clear that none of our systems are affected by the Drupal vulnerability. We don’t use Drupal.

Site administrators know best

We don’t know the status of any particular site other than it appears to be running Drupal. Therefore, if our advice conflicts with advice you received from the administrators of a site, follow their recommendations.

We don’t know when a site gets fixed

Some vulnerable Drupal systems may have been fixed on October 15. Others may still not be fixed yet. Our tests are only capable of determining whether a website is using Drupal (and even that test is imperfect).

Merely patching Drupal is not sufficient for sites that may have been compromised. That is because an attacker using the vulnerability may have left a “backdoor” in a site allowing them back in even after the original vulnerability has been fixed. This makes it yet more difficult to determine whether a site remains vulnerable.

We don’t know if a site has been compromised

Drupal icon 400pxJust because a site has been vulnerable doesn’t mean that it has been compromised. However, it appears that automated attacks have been systematically breaking into vulnerable sites and planting “back doors” that would allow the attacker a way back in at any time in the future. So we should assume that most Drupal sites which weren’t patched very quickly on October 15 have been compromised.

A password compromised anywhere must be changed everywhere

If you reuse the same password on more than one site, you will have some extra work cut out for you. Let me explain why.

Suppose that Molly (one of my dogs) has used the same password on Bark Book as she does on Sprayed By a Mink Anonymous, and let’s also suppose that Bark Book gets compromised by Mr Talk (the neighbor’s cat).  Molly will need to change her password on both the compromised site (BarkBook.com) and on the uncompromised site (SprayedByMinkAnon.org) . That is because Mr Talk can use what he has learned from Bark Book against all of the sites and services that he thinks that Molly may be using. I must also report that Mr Talk, along with everyone down wind, can easily guess that Molly may well be visiting SprayedByMinkAnon.org.

Molly should take this opportunity to work towards having a unique password for each and every service. 1Password will remember those for her. The closer she gets to having a unique password for each site, the less of a headache the next big incident will be.

Heads up: Your best defense against the Russian hacker data breach is still strong, unique passwords

The bad news: Russian hackers claim to have gotten their hands on a sizeable collection of login credentials and emails.

The semi-good news: the story might not add up. According to The Verge, most, if not all, the credentials may simply have been collected from previous breaches we already knew about, including Adobe, LinkedIn, and others.

The good news: strong, unique passwords for all your sites are still your best defense. If shady individuals nab one or even more of your accounts, 1Password’s unique passwords prevent them from using that information to break into all your accounts.

Unfortunately, we live in a world where data breaches are going to happen. As my colleague Jeff Goldberg likes to remind us: security is a process, not a destination.

Strong Password Generator hero

The best way to defend against breaches large and small is the same as it ever was: use 1Password’s Strong Password Generator on Mac, Windows, and iOS to create strong, unique passwords for all your accounts with a single click.

1Password’s Security Audit feature is also a great way to stay on top of your security. It shows you duplicate and weak passwords, and our built-in 1Password Watchtower service warns you to change your passwords for any of your Login’s sites that have recently been breached.

As usual, the headlines sound big, but the solution is simple. Use 1Password’s Strong Password Generator for the best defense against data breaches. As this matter is examined further, we’ll let you know more about breach sources or any other pertinent details.

1Password 4 for Windows is here

1P4 Windows hero banner 600px

After months of beta testing, a small lake’s worth of coffee, and a possibly illegal number of pizzas, 1Password 4 for Windows is here.

The goods

This is a huge release for us, as it brings many of our latest features to Windows and a cleaner, more intuitive interface. Windows users can enjoy Favorites, Multiple Vaults, Wi-Fi Sync, and Security Audit, as well as our new, free 1Password Watchtower service that warns you when a Login’s site has been compromised and helps you decide when it’s safe to update your passwords.

All together, this release includes 374 new features, improvements, and fixes spread over 85 betas. You can comb through the full beta release notes, learn more in our documentation, or check out our feature overview down below the gallery.

1P4 Win new extensionAll-new browser extension

Perhaps best of all, our legendary browser extension is now on Windows. You can drill down to view vault items, search your vault, access your Favorites, change extension settings, and, of course, it’s still just a single click to open a new site, fill your credentials, and login.

The extension looks and behaves the same in Firefox, Chrome, Safari, and Opera, and it’s even a great experience in Internet Explorer! It now resembles its Mac brother while still being all Windows.

The prices

You can get 1Password 4 for Windows now in the AgileBits Store. It requires Windows 7 or 8, and here’s how pricing breaks down:

  • If you bought 1Password for Windows anytime in 2014 or even 2013, v4 is free! Your current license will just work
  • Upgrade price for all other customers is $24.99
  • Single user regular price is $49.99
  • Family 5-pack is $69.99
  • Multi-seat business licenses are also available

What’s new in 1Password 4 for Windows

Our latest features

  • Watchtower – if a Login’s website has had a security breach, our new, free Watchtower service alerts you to whether it’s safe to change your password
  • Favorites – give your VIP items the VIP treatment so they’re just a click away
  • Security Audit – new categories that point out Weak Passwords & Duplicate Passwords to help you stay on top of your security
  • Tags – a flexible way to organize and find items with one or more keywords
  • Sharing – Send an obfuscated copy of a Login or any other item to someone you trust via email
  • New toolbar – a simplified, powerful, and beautiful new toolbar puts all the important features at your fingertips, including search!
  • Demo Vault – show off 1Password without showing off your personal information
  • Multiple URLs per Login item – sometimes one just isn’t enough
  • Custom fields – store all the information you need in each item

Sync

  • Wi-Fi Sync for mobile – you can now sync with an iPhone or iPad on your network, no cloud required
  • Vault awareness – during setup, 1Password detects all vaults in your Dropbox

All-new browser extension

  • One extension, many browsers – our extension now looks and behaves the same way in all browsers 1Password supports
  • Analog to Mac – our extension features, design, and overall awesomeness are now nearly identical across Mac and PC
  • Multiple Vaults – switch vaults right from the extension
  • Detect password change – when you change an existing Login’s password, the extension will verify that you want to update the existing Login
  • Auto-Type in all web browsers
  • Unlock on Secure Desktop
  • Tray icon is now more informative about 1Password’s status

Take Control of 1Password ebook updated for our new Watchtower service

Take Control 1P 1-2By now you’ve probably heard of 1Password Watchtower, our new service that warns and informs you when websites of your Logins have been compromised. Watchtower has been a huge hit with our Mac customers and is coming soon to Windows, and now you can learn more about it in the latest update to Take Control of 1Password, the comprehensive ebook by Joe Kissell.

This latest free update to the book—version 1.2.1 for those keeping track at home—adds a new section in “Perform a Password Security Audit” that explains what 1Password Watchtower is and does, and how to make it part of your security regimen. Honestly, that whole section is perfect to review and re-review for both current and new book owners alike, as it walks through some of 1Password’s most useful and effective tools under Security Audit.

Take Control of 1Password v1.2.1 is now available. Current owners can sign into their Take Control Ebooks account to grab the latest edition, or you can pick up your copy for just $10.

Our 1Password Watchtower service is now looking out for you, right in 1Password for Mac

1Password WatchtowerEarlier this month, we introduced our new Watchtower service on the web. In its initial version, Watchtower checks whether a website is (or ever was) vulnerable to the internet’s nasty Heartbleed security bug, then tells you whether it’s safe to update your password.

Now we’ve taken the next major step and made it much easier to stay secure online, as Watchtower can now check all your Logins at once, right inside 1Password for Mac.

1Password 4.4 for Mac is now available to website and Mac App Store customers, and it has Watchtower built right in. Watchtower is a free service, and once you enable it (either under Security Audit or Preferences), Watchtower will alert you if a website is found to be at risk.

Like Captain Picard sounding the call to battle stations, 1Password will display a red alert at the top of any affected Logins (see this post’s gallery for examples). Click the alert to learn more about what’s going on and when it is necessary and safe to update your password.

Watchtower in Security Audit

Watchtower in Security Audit

Watchtower is a new component of 1Password’s popular Security Audit feature, which shows you items with weak passwords, duplicate passwords, and other handy info to help you decide which Logins to update.

Now built into 1Password, Watchtower lists all vulnerable Logins in a single place and even sorts them by status, such as “Avoid”—for sites that have not yet patched their vulnerability—and “Change Password” for sites that have updated and it is now safe (and prudent) to change your passwords.

How it works

The Watchtower service is off by default. Once users enable it, 1Password will check daily for new website vulnerability information. Your website information is never transmitted to us. 1Password simply downloads this information and checks it locally against your Logins.

Now available

1Password 4.4 for Mac is now available as a free update to existing website and Mac App Store customers, and we have plans to add it to 1Password for Windows. Our new Watchtower service is a major step for 1Password and making you more secure on the web. We’d love for you to give it a try and let us know what you think on Twitter, Facebook, and in our forums!