MyFitnessPal Shows How to Handle a Breach

We all witnessed something refreshing last week when MyFitnessPal announced their data breach. They were open and honest about what happened and they should be congratulated.

Many companies hide from the truth and make things much worse for themselves and their customers. Instead, MyFitnessPal did it right. Not only did they handle the disclosure with finesse, they also had excellent systems in place to limit the exposure of the leak.

MyFitnessPal provides a great case study on how to handle a data breach and protect customer information. Let’s start with the announcement itself.

The Announcement

First it needs to be said that it was awesome that there actually was an announcement and that it was published in a timely manner. This is a very good thing!

There was an in-app notification, direct emails, and a pinned Twitter post.

They also posted an excellent FAQ, and when I emailed their support team with some questions for this post, even their automated reply included information about the breach and what they were doing to protect their customers.

MyFitnessPal was incredibly open and transparent about everything and at no point did they try to hide details from their users, myself included! That allowed me to update my password and get on with my life.

I wasn’t overly attached to qdd84b7UayEwM9J6dZV anyway so I didn’t mind changing it. And since I only used this password on myfitnesspal.com I didn’t need to update any other websites.

Strong unique passwords FTW! 🙂

Secure Handling of Passwords

Equally commendable was how MyFitnessPal stored passwords in their systems. Or more to the point, how they didn’t store passwords.

Many sites store the plain text password, which is bad. The fact that Have I Been Pwned? now holds over half a billion passwords from breaches, a great many of them leaked in plain text or recovered from weak, unsalted hashes, shows how prevalent this horrible practice is.

MyFitnessPal was much smarter than that: they never stored the actual password. Instead they stored a hash of each password, and most of those hashes were created with bcrypt, a salted and deliberately slow function that makes every offline guess expensive for an attacker. (The remainder used SHA-1, a fast general-purpose hash that is far easier to crack, which is why the migration discussed below matters.) Our Chief Defender Against The Dark Arts wrote at length about bcrypt and how it can be used to protect user passwords.

It’s possible to go even further than bcrypt and avoid sending passwords to the server at all by using Secure Remote Password (SRP). With SRP the server stores only a verifier derived from the password, and a login is a challenge-response exchange in which the password itself never leaves the client. We use this in 1Password and are quite smitten with it.

Avoiding Other Sensitive Information

The other smart thing MyFitnessPal does that should be commended is collecting and storing the minimum amount of data. From their FAQ:

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

The easiest way to protect data is to not have it in the first place! We follow a similar mentality in 1Password and it’s refreshing to see other companies taking security and privacy seriously.

MyFitnessPal made some excellent design choices and quickly organized an effective response to a bad situation.

For those looking to learn more about the MyFitnessPal breach, Troy Hunt started his Weekly Update 80 with a full discussion on the subject that I found very intriguing, especially the strategy on how to migrate from a SHA-1 hash to using bcrypt.
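The password hashing described above and the SHA-1 to bcrypt migration mentioned here, worked through as an added example that is my code, not MyFitnessPal’s or 1Password’s. It shows one widely used migration approach: every stored SHA-1 digest is immediately re-hashed under the slow function (so no account is left as bare SHA-1 while waiting for its owner to return), and the wrapped record is replaced with a direct slow hash of the password the next time that user logs in successfully. Because bcrypt is not in Python’s standard library, PBKDF2-HMAC from hashlib stands in for the slow, salted hash; the legacy table, usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed legacy table: username -> unsalted SHA-1 hex digest, the way a
# site that never upgraded its password storage would hold it.
LEGACY_SHA1 = {
    "alice": hashlib.sha1(b"correct horse battery staple").hexdigest(),
    "bob": hashlib.sha1(b"hunter2").hexdigest(),
}

# Assumption: PBKDF2 plays the role of bcrypt here (bcrypt is not in the
# standard library). Same idea: a per-record salt plus a deliberately
# expensive computation, so every guess an attacker makes costs CPU time.
PBKDF2_ROUNDS = 100_000


def slow_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


def wrap_legacy(sha1_hex: str) -> Dict[str, object]:
    """Protect an existing SHA-1 digest without knowing the password.

    The hex digest (40 characters, comfortably inside bcrypt's 72-byte input
    limit) becomes the input to the slow hash. This runs offline over the
    whole table, so no account stays a bare SHA-1 while its owner is away.
    """
    salt = os.urandom(16)
    return {"scheme": "slow(sha1)", "salt": salt,
            "hash": slow_hash(sha1_hex.encode("ascii"), salt)}


def hash_fresh(password: str) -> Dict[str, object]:
    """Record for a password we hold in clear (new account or fresh login)."""
    salt = os.urandom(16)
    return {"scheme": "slow", "salt": salt,
            "hash": slow_hash(password.encode("utf-8"), salt)}


def migrate(legacy: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Wrap every legacy digest in one offline pass."""
    return {user: wrap_legacy(digest) for user, digest in legacy.items()}


def verify(record: Dict[str, object], password: str) -> bool:
    if record["scheme"] == "slow(sha1)":
        # Reproduce the legacy inner hash, then the outer slow hash.
        material = hashlib.sha1(password.encode("utf-8")).hexdigest().encode("ascii")
    else:
        material = password.encode("utf-8")
    candidate = slow_hash(material, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def login(store: Dict[str, Dict[str, object]], user: str, password: str) -> bool:
    record: Optional[Dict[str, object]] = store.get(user)
    if record is None:
        # Spend the same time as a real check so response timing does not
        # reveal which usernames exist.
        slow_hash(b"no-such-user", b"\x00" * 16)
        return False
    if not verify(record, password):
        return False
    if record["scheme"] == "slow(sha1)":
        # A successful login is the one moment the password is in hand:
        # replace the wrapped record with a direct slow hash.
        store[user] = hash_fresh(password)
    return True


if __name__ == "__main__":
    store = migrate(LEGACY_SHA1)
    print(store["alice"]["scheme"])                                # slow(sha1)
    print(login(store, "alice", "correct horse battery staple"))   # True
    print(store["alice"]["scheme"])                                # slow
```

The `scheme` tag is what makes the upgrade safe to roll out gradually: a verifier that does not recognise a tag refuses the login rather than guessing, and the wrapped records disappear on their own as users come back.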

P.S. A great deal of this post was inspired by an incredible letter I received from Benjamin Fox about how unique passwords helped him quickly recover from the MyFitnessPal breach. Thank you for the inspiration, Benjamin! ❤️

Hi Dave,

I know you get hundreds of emails but I can’t help but send this email. I received an email from MyFitnessPal today and of course the news-breaking headlines.

In reading the email, I simply smiled. Headed to my 1Password vault and checked the password.

Sure enough, there was a 40 character, numbers + symbols password. I smiled smugly and thought of you.

Your amazing product keeps my data safe every single day. I have not one single duplicated password. Back about 4 years ago I spent the entire weekend updating 200 plus sites with a unique password (MyFitnessPal being one of them).

I have recommended your platform to so many people, knowing that you have an amazing product and, just as importantly, a fantastic support team.

Take care my friend and I send you a warm-hearted thanks from Darwin, Northern Territory, Australia!

Keep doing what you’re doing!
Benjamin Fox.

We really do have the best users in the world. 😘

Thank you for helping us to help others

With spring finally here, looking back towards the winter months can leave you feeling chilly! But never fear, we’re here to bring you some good news to warm your heart 🙂

Over the Christmas Season, we had our annual newsletter – this year we decided to ask you all to help us share the gift of food security with the community. With $50,000 as our goal, we were all super excited when the peppermint meter reached the top.

Since then our team has been visiting food banks throughout Ontario to drop off cheques totaling $50,000 to wonderful groups who have been helping people secure healthy meals. We’d love to take this chance to share with you some information about all of them.


One of our first stops was The Grace Cafe in St. Thomas, Ontario. This street mission is headed up by a wonderful woman named Ginny who makes sure every person coming in receives a warm meal with a side of smiles and friendship. Ginny was surprised and happily shocked when she learned of our donation – knowing how many people she can help with this made our day!

Next we visited the St. Thomas Elgin Food Bank, also known as The Caring Cupboard. Karen is the General Manager and she took us through their space, explaining how everything operated and talking about all the various networks that they work with to provide for people in the community – it was great to know how much our donation would help. 🙂

We moved on to the Brantford Food Bank after that, where one of our team members had recently moved. Due to unprecedented flooding in the area, the timing of the donation couldn’t have been better for the community, and Will was excited to help make an impact for those in his new home town. 🙂

The Markham Food Bank was next. Since 1984, this group has been helping to provide for members of the community. Shiner was super excited to drop off our donation, where he also got to meet one of the founders – Gladys Keeble, who is 92 years young and still an active member!

Our last stop in our tour was the Ontario Association of Food Banks. Based in Toronto, this group helps to coordinate resources and help food funding throughout the province. It’s a huge project to undertake and they do a great job helping people in need, while also providing advocacy and leadership for the community at large.

Thank you all for your help over this Christmas to help us meet our goal! It was a wonderful feeling to make an impact on our community, and I’d like to encourage you to remember your local food banks when out grocery shopping – every dollar makes a huge impact for these groups!

Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched version 2 of Pwned Passwords, a service that lets you check whether a password has appeared in a known data breach. His database now has more than 500 million passwords collected from various breaches, and checking your own passwords against that list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached; someone else could have been using the same password. Either way, we recommend you change it, and change it everywhere you’ve reused it.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends at Cloudflare found a brilliant way to check whether my password is leaked without my ever sending the password to their service. The server receives only a short prefix of its hash, which it shares with hundreds of other passwords, so it never has enough information to reconstruct mine.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as much as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password with SHA-1. (SHA-1 is used here only as a lookup key into the corpus, not as a way to store passwords.) Sending the full 40-character hash to the server would give away too much: a fast hash of a weak password can be reversed by guessing. Instead, Troy’s service only needs the first five characters of that hash.

The server sends back every leaked hash suffix that shares those five characters, a few hundred on average, along with how many times each has been seen. 1Password then compares that list locally to see whether it contains the rest of your hash. If there is a match, the password is known and should be changed; the server only ever learns that your password fell into a bucket it shares with hundreds of others.

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.
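The exchange described above, as an added example in my own code rather than 1Password’s proof of concept: the client hashes the password, sends only the five-character prefix, and does the match locally against the returned suffix list. The network call is replaced by a constructed in-memory table so it runs offline; the suffix for "password" is the genuine SHA-1 suffix, while the counts and the other suffixes in that range are made up.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the range endpoint. The real service is queried as
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars> and answers
# with one "SUFFIX:COUNT" line per leaked hash in that range (35 uppercase
# hex characters each). Only the "password" suffix below is real; the count
# and the two filler entries are made up for this demo.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "0006DE7CBE0D8E2E9C7A5B6E9D2DF4B3D2A:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003",
        "8E7B4C7A0B6F0E2A1C9D3F5E7A9B1C3D5E7:2",
    ]),
}


def hash_split(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-character
    prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP request. Only the prefix ever leaves the client."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return FAKE_RANGES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found).

    The comparison happens here, on the client; the server saw only the
    prefix and cannot tell which of the returned suffixes we cared about.
    """
    prefix, suffix = hash_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    print(hash_split("password"))      # ('5BAA6', '1E4C9B93F3F0682250B6CF8331B7EE68FD8')
    print(pwned_count("password"))     # 3303003
```

To run it against the live service, replace the body of `fetch_range` with an HTTPS GET of the URL in the comment; nothing else changes, which is the point of the design.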

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I Been Pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

1Password command-line tool 0.2: Tim’s new toys

Some of you may know Tim, our Beardless Keeper of Keys and Grounds here at AgileBits. Tim and his team keep everything running smoothly. The servers are serving happily and the networks are flowing gracefully. Tim is also the administrator of our company team on 1Password.com.

Tim can script and automate with the best of them, and from the moment he got a preview of op, the DevOps team began bombarding us with feedback. One of the first things he asked for was the ability to create vaults, so we added that right away. But we knew we could still do more for Tim – after all he was on the nice list this year – so we got him some new toys to play with. If you’re too excited to read more, you can just start playing with op 0.2 now. To find out more, read on.

Vault into the new year

Our first gift to Tim was more control over vault access. He can now use op to add users to vaults, remove users from vaults, and even delete vaults.

So when Dave told Tim about a new project (codenamed Honey Badger), it was easy to set things up.

Dave needed two developers, Chris and Betty, as well as one of our designers, Matt, involved in the project. With the command-line tool, Tim can switch to his terminal and do this right away. After he signs in, he can create the vault needed for the project:

op create vault "Honey Badger"

But this is old news! He’s been creating vaults for months now. What’s new is that he can now give everyone involved access to that vault:

op add "Chris Meek" "Honey Badger"
op add "Betty Da" "Honey Badger"
op add "Matt Davey" "Honey Badger"

Tim can even create a script to take a list of email addresses and add everyone to the vault at once:

#!/bin/bash
# Usage: add-everyone.sh "Honey Badger" < emailaddresses.txt
# Reads one email address per line and adds each one to the named vault.
vault="$1"
while IFS= read -r address; do
    [ -n "$address" ] || continue    # skip blank lines
    op add "$address" "$vault"       # quote both, or "Honey Badger" splits into two words
done

After Matt is done designing project Honey Badger, it’s just as simple to remove him from the vault:

op remove "Matt Davey" "Honey Badger"

When everyone is done with the project, Tim can use op delete vault "Honey Badger" and move on to his next gift.

New year, new groups

The next gift we gave Tim was control over group membership. He can now use op to create and delete groups and choose who belongs to them.

When Dave told Tim that Wendy was moving from the support team to the design team, Tim just casually sipped his cocoa. He knew this would be trivial. We already have groups set up for both teams, so he just ran two commands:

op remove "Wendy Appleseed" "Support"
op add "Wendy Appleseed" "Design"

Tim can also create and remove groups with op create group and op delete group if ever he needs to.

Resolve to level up your skills

The holidays may be over, but we have a feeling Tim will be playing with his new toys for many days to come. If you want to level up your own skills, head over to download this latest release and read the full documentation on our support site.

Level up with op 0.2!

Then pop in to the 1Password Support forum to let us know what you think. You’re all on our nice list, and we love hearing from you. Your feedback after the initial public beta was instrumental in shaping this release.

We’re incredibly excited to continue work on this tool, as it gives you access and control over your 1Password data in a way that’s never been possible before.

Same as it ever was: There’s no reason to melt down

The Intel CPU flaw that is being referred to as “Meltdown” is a big deal. It allows a whole (new) category of malware to read memory it otherwise shouldn’t be able to, including the kernel’s. This is not a good thing, and it remains a threat until operating systems are updated to stop relying on the CPU to enforce that boundary, by keeping kernel memory out of each process’s address space.

But just because it is an extraordinary bug doesn’t mean that it requires an extraordinary response from most people. (Operating system designers are not “most people.”) The same practices that you should already be doing are enough.

What you can do is what you may already be doing

Stay updated, be careful where you get your software

Malware that exploits meltdown may be particularly powerful, but it is still just malware. And so the practices that we’ve always recommended are the practices that will protect you now.

  1. Keep your system and software up to date
  2. Be careful about where you get your software.

Regarding point 1, it appears that the latest version of High Sierra already has defenses to guard against meltdown. If you are using macOS be sure that you are up to date. It also appears that Microsoft is in the process of releasing a security update for Windows.

For the second point, I recommend downloading software from app stores, such as the Mac App Store and the Microsoft Store. They can’t guarantee that no malware slips through, but they provide the easiest and most effective filter available.

Whatever you do, don’t respond to “scareware”. Scareware is typically sold through something that pops up fake alerts about your system being infected or compromised. These scary (and fraudulent) alerts then try to entice you into installing and running tools that will “clean” or “repair” your system. Unfortunately those tools do the exact opposite of what they claim to do.

Panicked people make poor security choices. And so this is why I am worried that fear about this issue might lead people to become more susceptible to scareware. Take a deep breath, don’t panic, and be calmly suspicious of scary alerts.

What we can do is what we have already been doing

1Password is designed so that even if an attacker can read every bit of data on our systems they cannot learn your secrets. We simply don’t have the capacity to decrypt your data, and that holds for anyone who compromises our systems. This has been essential to 1Password’s design from the very beginning, and it is why we don’t have to panic either.

Furthermore, it appears that AWS (our hosting provider) has already begun patching the servers. Keeping up with updates is one of the things we hire them to do.
1Password Encryption

Same as it ever was

I don’t want to downplay the extraordinariness of this bug. It is fascinating in many ways, and it does have broad impacts. But unless your job is to design and maintain operating systems, you should just follow normal practices of keeping your system up to date and not installing dodgy software.

There is a great deal of speculation and news coming thick and fast and it may well be that some of the details of what I have said here will need correction. But the core message should remain the same. Keep your systems and software up to date, and don’t install software from untrusted sources.

The 1Password Slack app makes administrators happy

Our all new 1Password app for Slack automatically posts messages in Slack when important events happen on your team. It also includes some new functionality that makes it easy for administrators to stay coordinated.

Let me tell you a story about how Slack can be so much more powerful than email.

Going crazy

Once upon a time, there were three administrators: Jeff, Dave, and Roustem. Dave needed more help developing 1Password X, so he hired a new team member. You won’t be surprised to know that part of that process includes inviting the new hire to our 1Password team.

Once the new team member accepts their invitation and joins the team, their membership needs to be confirmed. To make this easier, 1Password sends a helpful email to all the administrators.


Jeff checked his mail the soonest and quickly confirmed the new team member. Dave was busy working on 1Password X, so he didn’t even have a chance to see the email. A few hours later, Roustem took a break from coding and saw the email. When he went to confirm the new team member, he saw that there were no team members to confirm. Did something go wrong? Or had someone else already beat him to it?

Roustem knew there had to be a better way and almost started to code the solution himself. Then he realized he was in the middle of five other things, so he let me take a crack at it. :)

Staying sane

Slack had all the tools we needed to create an intuitive system to keep all the administrators on a team in sync. The Slack API is really simple to work with, and I was able to have a shiny new Slack app up and running in about a week.

There are two kinds of messages that can be posted in your Slack workspace, and you can choose to post them in a single channel or separate ones.

Alerts that require action

1Password Teams can now post alerts in Slack for things that need your attention, so you can take action right away. But the main problem we wanted to solve was having some way to let administrators know what didn’t need their attention anymore.

After an action is completed, the message is automatically updated to let everyone else know. You’ll immediately know when someone else has already completed the action.

Notifications that let you know what’s up

Every day stuff happens on your team that doesn’t necessarily require you to take action. But it’s handy to have it all in one place. Notifications are informational messages that allow you to keep tabs on important activity, so there are no surprises.

For example, seeing that everyone is signing in from locations that you expect can help ease an otherwise stressful day for an administrator.

Happy administrators

The 1Password Slack app is easy to set up. You can get started today in your account settings:

Use the 1Password Slack app

Roustem couldn’t be more pleased. We hope you are too. Let us know what you think in the comments.

If you’re curious about some of the technical aspects of how we securely authorize with Slack, check out our post on the Slack Platform Blog.

1Password living on the [Microsoft] Edge

I’ve long been curious about Microsoft Edge. It’s fast, light-weight, and much more secure than the Internet Explorer of my childhood. It had everything you look for in a browser … except 1Password support. Today that changes!

Thanks to the hard work of the Microsoft Edge and Windows Store teams, along with our own Windows team, I’m excited to announce that 1Password now has a lovely new home right on your Microsoft Edge toolbar. 🎉

Boldly go where no Login item has gone before

To bring your items with you to explore Microsoft Edge, first make sure you have 1Password 6.7 or later installed and set up. Then head to the Windows Store and grab the 1Password extension. Open Microsoft Edge and enable the 1Password extension, and you can save new Login items, open and fill in Microsoft Edge from 1Password mini, fill addresses and credit card details, and reach the Strong Password Generator, just as you’ve come to know and love. If you’re still using an older version of 1Password, you can follow this handy guide to migrate your existing data to the latest version and get ready to seek out new frontiers in Microsoft’s latest browser.

Hello dark mode, my old friend

As you’re working your own 1Password magic in Microsoft Edge, don’t forget to check out my favorite feature: its super-sleek dark mode. I love how it turns your 1Password extension icon into a lovely point of light on your toolbar and it’s perfect for late-night browsing.  Let the stars next to your favorites light up Microsoft Edge and help guide you to your most loved websites at the click of a Login item. Of course, if a different vision has been planted in your brain, the extension icon looks right at home in light mode too. 😉

To the Edge and beyond!

As stoked as we are about 1Password coming to Microsoft Edge, this is only the beginning and some finishing touches are coming in future releases. Support for keyboard shortcuts to fill logins and some tweaks to how mini lets you know you’re filling in Edge are included with the latest 1Password 6 for Windows beta. Additional improvements for filling on certain sites will also be addressed down the road.

Currently, the 1Password extension in Microsoft Edge requires 1Password 6.7 for Windows or later and a 1Password membership. We will be expanding Edge availability in future releases but if you’d like to enjoy using Edge sooner than later, now is a great time to give a 1Password membership a try. In addition to early access, there are many other benefits and it’s free for 30 days!

I hope you enjoy saving and filling in Microsoft Edge and, as always, we love seeing your feedback in our support forum. 😊

Up top, drag and drop – iOS 11 super powers for your iPad

Our favorite Tuesday of the year was just here — the latest update to iOS was released for you, me, and all our friends checking for updates. There’s a beautiful new Control Center, updated fonts across the board, a quick way to pay your friends for chocolate chip cookies with Apple Pay (coming later this year), and our personal favorite, drag and drop on iPad. We got really excited when Apple showed off drag and drop for iPad at WWDC in June, and now you get to enjoy it in 1Password on your iPad too!

Before you update

Since big iOS updates only happen once a year, I tend to get pretty excited and jump to “I’m gonna install this right now!” But here are a few things I recommend doing before you update:

  • Back up your iOS device: As tempting as it is to grab the update right away, you likely spent a lot of time getting used to your iPhone or iPad just the way it is now. Just in case something happens during the update, it’s always good to have a backup ready. Learn how to back up your iOS device.
  • Sync 1Password: If you have a 1Password account and you’re signed in to it on your iOS device, you’re all set. If not, you can create an account and migrate your data to keep things synced and backed up. Learn more about keeping 1Password synced.
  • Know your Master Password: Before updating, make sure you have a copy of your Master Password written down. You can print your Emergency Kit and write it there. Your Master Password may be required after you update to iOS 11, so it’s always good to have it somewhere just in case. And yeah, I too might be printing my Emergency Kit again after I take a handwriting course.

With your iOS device backed up, 1Password synced, and your Master Password written somewhere safe, update to iOS 11 and you’re ready to get those cookies.

Drag and drop with 1Password on iPad

One of the coolest features in iOS 11 is drag and drop on iPad. Just like on a computer, we can finally drag and drop things by tapping and holding, then dragging text, photos, and more between apps on our iPads. We added support for this to 1Password, so you can drag a username and password to those fields in another app instead of copying and pasting them:

You can also add a contact to 1Password. Just open Contacts and 1Password side by side and drag the contact to 1Password. I finally added Batman to 1Password on my iPad with this, and I put it in a vault shared with my family so they can get in touch with him whenever they need something. Hope I have the right address though.

To use drag and drop with 1Password on your iPad, update to iOS 11 and make sure 1Password is up to date. Then with 1Password and another app open side by side, drag a username, password, or other field from 1Password to a text field in the other app to fill it.

Cookie time

Well, my Watch, iPhone, and iPad are all updated so I’m off to test out these new heart rate features on a run. Our designer Matt also told me you can raise your wrist while listening to music on your iPhone and the Watch will automatically let you play/pause, skip, and adjust the volume, so I’m really excited to use that more often when I’m out and about, and hopefully I’ll run past a cookie shop too. See you soon. 👋

Why is this information sensitive? The deeper Equifax problem

As the world now knows Equifax, the credit rating company and master of our fates, suffered a data breach in May and June 2017, which revealed to criminals details of 143 million people. (I would have liked to say, “143 million customers“, but that is very far from the case. We have no control at all over Equifax and other credit rating companies collecting information about us. We are neither their customers nor users.)

The revealed data includes:

  • Social Security numbers
  • Dates of birth
  • Addresses
  • Driver’s license numbers (unspecified number of these)
  • Credit card numbers (209,000 of these)

There are many important things to ask about this incident, but what I am focusing on today is why non-secret information has become sensitive. None of those numbers were designed to be used as secrets (including social security numbers and credit card numbers), yet we live in a world in which we have to keep them secret. What is going on here?

Identity crisis

Names only provide a first pass at identifying individuals in some list or database. There are a lot of Jeffrey Goldbergs out there. (For example, I am not the journalist and now editor-in-chief at the Atlantic. But there are lots of others that I also am not.) Also people change their names. Some people change their name when they get married. (My wife, Lívia Markóczy, decided to keep her name because we figure it is easier to spell than “Goldberg”.) Others change their names for other reasons.

We have three “Jeffreys” at AgileBits, but fortunately we have distinct family names. Though sometimes I think that everyone who joins the company should just go by “Jeffrey” to avoid confusion.

Anyway, names alone are not enough to figure out who we are talking about once we get beyond a small group of people. So we use other things. Social security numbers worked well in the US for some time. They didn’t change over your lifetime (except in rare circumstances) and nearly everyone had one. Dates of birth also don’t change. So a combination of a name, a date of birth, and a social security number was a good way to create an identifier for nearly every individual in the US, with the understanding that a name might change.

Sometimes it is not a person that we need to uniquely and reliably identify. Sometimes it is something like a bank account or charge account. Cheques (remember writing those?) have the account number printed on them. They uniquely identify the particular account within a bank, and a routing number (in the US) identifies the bank. The routing number is also printed on each cheque.

Things like social security numbers and driver’s license numbers are designed as “identifiers” of people. They are ways to know which Jeffrey Goldberg is which. Occasionally getting email meant for the journalist is no big problem, but if he gets himself on the no-fly list, I want to be sure that I don’t get caught up in that net. Likewise, I don’t want my doctor or pharmacist mixing me up with some other Jeffrey Goldberg who isn’t allergic to the same stuff that I am. Nor does some other Jeffrey Goldberg want the record of speeding tickets I seem to acquire.

Things like bank or charge account numbers are used to uniquely and reliably identify the particular account. While I wouldn’t mind if my credit card charges were charged against someone else’s account, they would certainly mind, and so would the relevant bank. (I’m going to just start using the word “bank” broadly to include credit card issuers, automobile loan issuers, and the like.)

A username on some system is also an identifier. It identifies to the service which particular user or account is being talked about. I am jpgoldberg on our discussion forums. That username is how the system knows what permissions I have and how to verify my password.

Identifiers are bad secrets

Something that is designed and used as an identifier is hard to keep secret. A service can hash a password, but it needs to know which account is being talked about before it can look up any information. In many database systems, identifiers are used as record locators. These need to be efficiently searchable for lookup.

Identifiers also need to be communicated before secret stuff can happen. Bank account numbers are printed on cheques for a reason. Now, really clever cryptographic protocols, like the one behind Zerocash, can allow for transactions which don’t reveal the account identifier of the parties, but for almost everything else, account identifiers are not secret.

Identifiers are hard to change. If you depend on the secrecy of some identifier for your security, then you are stuck with a problem when those secrets do get compromised. It is a pain to get a new credit card number, and it is far worse trying to get a new social security number. Getting a new date of birth might also be a teeny tiny problem.

The point here is that, given what identifiers are designed to do, they aren’t designed to be kept secret.

Authenticators

Authentication is the process of proving some identity. And this almost always involves proving that you have access to a secret that only you should have access to. When I use 1Password to fill in my username (jpgoldberg) and password to our discussion forums, I am proving to the system that I have access to the secret (the password) associated with that particular account.

The password is designed to be kept secret. The server running the discussion forum doesn’t need to search to find the password (unlike searching to do a lookup from my username), so it can get away with storing a salted hash of the password. Also, I can change the password without losing all of the stuff that lives under my account. (Changing my username would require more work.) Plus, my username is used to identify me to other people using the system, and so is made very public. My password, on the other hand, is not.

What banks did wrong

The mess we are in today is because financial institutions have been using knowledge of identifiers as authentication secrets. The fact that someone can defraud a credit card issuer by knowing my credit card number (an account number) and my name and address (matters of public record) is all because at one point, credit card issuers decided that knowledge of the credit card number (a non-secret account number) was a good way to authenticate.

I have not researched the history in detail, but I believe that this started with credit card numbers when telephone shopping first became a thing (early 1970s, I believe). Prior to then, credit cards were always used when the account holder was physically present and could show the merchant an ID with a signature. The credit card number was used solely as designed up until that point: as a record locator.

The same thing is true of social security numbers. Social security numbers were not secret until banks started to use knowledge of them as authentication proofs when they introduced telephone banking. Before then, there was nothing secret about them.

And on it goes

Because high-value systems use knowledge of identifiers as authentication proofs we are in deep doo-doo. And it will take a long time to dig ourselves out. But we continue to dig ourselves deeper.

It is fine to be asked for non-secret identifying information to help someone or something figure out who they are talking about. I like it when my doctor asks for my date of birth to make sure that they are looking at and updating the right records. But when they won’t reveal certain information to me unless I give them my date of birth, then we have a problem. That is when they start using knowledge of an identifier as an authentication secret.

Over the past decade or so, various institutions have been told that they can’t hold on to social security numbers, and so can’t use them for identifiers. That is a pity, because those are the best identifiers we have in the US. But what is worse is that knowledge of the new identifiers is being used for authentication.

Right now, Baskin-Robbins knows my date of birth (so they can offer me some free ice-cream on my birthday). In ten years, will I have to keep my birth date a closely guarded secret so that I don’t become a victim of some financial or medical records crime? If we keep on making this mistake – using identifiers as authentication secrets – that is where we are headed.

Incentives matter more than technology

I do not want to dismiss the technological hurdles in fixing this problem, but I believe that there is a bigger (and harder) problem that will need to be fixed first: the incentives are in the wrong place.

When Fraudster Freddy gets a loan from Bank Bertha using the identity of Victim Victor, Bertha is (correctly) responsible for the direct financial loss. The problem is that there are costs beyond the immediate fraudulent loan that are borne by Victor. But Victor has no capacity or opportunity to prevent himself from being a victim. In economics jargon, Victor suffers a negative externality.

Bertha factors in the risk of the direct cost to her of issuing a loan to a fraudster. She looks at that risk when deciding how thoroughly to check that Freddy is who he says he is. Bertha could insist that new customers submit notarized documents, but if she insists on that and her competitors don’t, then she would lose business to those competitors.

But Bertha does not factor in the indirect costs to Victor. She has no dealings with Victor. Victor isn’t a potential customer. So if Victor has costly damage to his credit and reputation that requires a lot of effort to sort out, that is not Bertha’s problem (and it certainly isn’t Freddy’s problem.)

Only when Freddy and Bertha (the parties to the original deal) have to pay the cost of the damage done to Victor (Economics jargon: “internalizing the externalities”) will Bertha have the incentives to improve authentication. I don’t have an answer to how we get there from here, but that is the direction we need to head. In the meantime, if you find yourself a victim (whether you’re a Victor, a Jeffrey, or something else entirely), Kate published a post earlier this week with tips to protect yourself until we (hopefully) do get all of this figured out one day.

Face it, The iPhone X Looks Amazing

Wow, what an incredible Apple event today! As you may have guessed the entire team here at AgileBits cozied up to their computers, iPads, Apple TVs, and iPhones to watch as the good folks at Apple took to the stage in the newly minted Steve Jobs Theater and proceeded to bring the house down. A new Apple Watch, a brand new 4K Apple TV, a new iPhone 8, the iPhone X! The hits just kept coming.

As blown away as we were by today’s product announcements we were even more blown away by our inclusion in the festivities. To see Phil Schiller on stage showing 1Password on the new iPhone X was magical. In case you missed it, here’s a screen grab we captured for posterity:

We truly can’t wait to get these new phones in our hands and into the hands of our customers. 1Password will be there on November 3rd with the new iPhone X and full support for Face ID.

It’s obvious what our favorite part of today’s announcements was, how about you? Sound off in the comments below and let’s nerd out together about this super cool new future.