1Password living on the [Microsoft] Edge

I’ve long been curious about Microsoft Edge. It’s fast, light-weight, and much more secure than the Internet Explorer of my childhood. It had everything you look for in a browser … except 1Password support. Today that changes!

Thanks to the hard work of the Microsoft Edge and Windows Store teams, along with our own Windows team, I’m excited to announce that 1Password now has a lovely new home right on your Microsoft Edge toolbar. 🎉

Boldly go where no Login item has gone before

To bring your items with you to explore Microsoft Edge, first make sure you have 1Password 6.7 or later installed and set up. Then, head to the Windows Store and grab the 1Password extension. Open Microsoft Edge, enable the 1Password extension, and enjoy saving new Login items, opening and filling in Microsoft Edge from 1Password mini, filling addresses and credit card details, and easy access to the Strong Password Generator, just like you’ve come to know and love. If you’re still using an older version of 1Password, you can follow this handy guide to migrate your existing data to the latest version of 1Password to get ready to seek out new frontiers in Microsoft’s latest browser.

Hello dark mode, my old friend

As you’re working your own 1Password magic in Microsoft Edge, don’t forget to check out my favorite feature: its super-sleek dark mode. I love how it turns your 1Password extension icon into a lovely point of light on your toolbar and it’s perfect for late-night browsing. Let the stars next to your favorites light up Microsoft Edge and help guide you to your most loved websites at the click of a Login item. Of course, if a different vision has been planted in your brain, the extension icon looks right at home in light mode too. 😉

To the Edge and beyond!

As stoked as we are about 1Password coming to Microsoft Edge, this is only the beginning and some finishing touches are coming in future releases. Support for keyboard shortcuts to fill logins and some tweaks to how mini lets you know you’re filling in Edge are included with the latest 1Password 6 for Windows beta. Additional improvements for filling on certain sites will also be addressed down the road.

Currently, the 1Password extension in Microsoft Edge requires 1Password 6.7 for Windows or later and a 1Password membership. We will be expanding Edge availability in future releases, but if you’d like to enjoy using Edge sooner rather than later, now is a great time to give a 1Password membership a try. In addition to early access, there are many other benefits and it’s free for 30 days!

I hope you enjoy saving and filling in Microsoft Edge and, as always, we love seeing your feedback in our support forum. 😊

Up top, drag and drop – iOS 11 super powers for your iPad

Our favorite Tuesday of the year was just here — the latest update to iOS was released for you, me, and all our friends checking for updates. There’s a beautiful new Control Center, updated fonts across the board, a quick way to pay your friends for chocolate chip cookies with Apple Pay (coming later this year), and our personal favorite, drag and drop on iPad. We got really excited when Apple showed off drag and drop for iPad at WWDC in June, and now you get to enjoy it in 1Password on your iPad too!

Before you update

Since big iOS updates only happen once a year, I tend to get pretty excited and jump to “I’m gonna install this right now!” But here are a few things I recommend doing before updating:

  • Back up your iOS device: As tempting as it is to grab the update right away, you likely spent a lot of time getting used to your iPhone or iPad just the way it is now. Just in case something happens during the update, it’s always good to have a backup ready. Learn how to back up your iOS device.
  • Sync 1Password: If you have a 1Password account and you’re signed in to it on your iOS device, you’re all set. If not, you can create an account and migrate your data to keep things synced and backed up. Learn more about keeping 1Password synced.
  • Know your Master Password: Before updating, make sure you have a copy of your Master Password written down. You can print your Emergency Kit and write it there. Your Master Password may be required after you update to iOS 11, so it’s always good to have it somewhere just in case. And yeah, I too might be printing my Emergency Kit again after I take a handwriting course.

With your iOS device backed up, 1Password synced, and your Master Password written somewhere safe, update to iOS 11 and you’re ready to get those cookies.

Drag and drop with 1Password on iPad

One of the coolest features in iOS 11 is drag and drop on iPad. Just like on a computer, we can finally drag and drop things by tapping and holding, then dragging text, photos, and more between apps on our iPads. We added support for this to 1Password, so you can drag a username and password to those fields in another app instead of copying and pasting them:

You can also add a contact to 1Password. Just open Contacts and 1Password side by side and drag the contact to 1Password. I finally added Batman to 1Password on my iPad with this, and I put it in a vault shared with my family so they can get in touch with him whenever they need something. Hope I have the right address though.

To use drag and drop with 1Password on your iPad, update to iOS 11 and make sure 1Password is up to date. Then with 1Password and another app open side by side, drag a username, password, or other field from 1Password to a text field in the other app to fill it.

Cookie time

Well, my Watch, iPhone, and iPad are all updated so I’m off to test out these new heart rate features on a run. Our designer Matt also told me you can raise your wrist while listening to music on your iPhone and the Watch will automatically let you play/pause, skip, and adjust the volume, so I’m really excited to use that more often when I’m out and about, and hopefully I’ll run past a cookie shop too. See you soon. 👋

Why is this information sensitive? The deeper Equifax problem

As the world now knows, Equifax, the credit rating company and master of our fates, suffered a data breach in May and June 2017, which revealed to criminals details of 143 million people. (I would have liked to say, “143 million customers”, but that is very far from the case. We have no control at all over Equifax and other credit rating companies collecting information about us. We are neither their customers nor users.)

The revealed data includes:

  • Social Security numbers
  • Dates of birth
  • Addresses
  • Driver’s license numbers (unspecified number of these)
  • Credit card numbers (209,000 of these)

There are many important things to ask about this incident, but what I am focusing on today is why has non-secret information become sensitive? None of those numbers were designed to be used as secrets (including social security numbers and credit card numbers), yet we live in a world in which we have to keep these secret. What is going on here?

Identity crisis

Names only provide a first pass at identifying individuals in some list or database. There are a lot of Jeffrey Goldbergs out there. (For example, I am not the journalist and now editor-in-chief at the Atlantic. But there are lots of others that I also am not.) Also people change their names. Some people change their name when they get married. (My wife, Lívia Markóczy, decided to keep her name because we figure it is easier to spell than “Goldberg”.) Others change their names for other reasons.

We have three “Jeffreys” at AgileBits, but fortunately we have distinct family names. Though sometimes I think that everyone who joins the company should just go by “Jeffrey” to avoid confusion.

Anyway, names alone are not enough to figure out who we are talking about once we get beyond a small group of people. So we use other things. Social security numbers worked well in the US for some time. They didn’t change over your lifetime (except in rare circumstances) and nearly everyone had one. Dates of birth also don’t change. So a combination of a name, a date of birth, and a social security number was a good way to create an identifier for nearly every individual in the US, with the understanding that a name might change.

Sometimes it is not a person that we need to uniquely and reliably identify. Sometimes it is something like a bank account or charge account. Cheques (remember writing those?) have the account number printed on them. They uniquely identify the particular account within a bank, and a routing number (in the US) identifies the bank. The routing number is also printed on each cheque.

Things like social security numbers and driver’s license numbers are designed as “identifiers” of people. They are ways to know which Jeffrey Goldberg is which. Occasionally getting email meant for the journalist is no big problem, but if he gets himself on the no-fly list, I want to be sure that I don’t get caught up in that net. Likewise, I don’t want my doctor or pharmacist mixing me up with some other Jeffrey Goldberg who isn’t allergic to the same stuff that I am. Nor does some other Jeffrey Goldberg want the record of speeding tickets I seem to acquire.

Things like bank or charge account numbers are used to uniquely and reliably identify the particular account. While I wouldn’t mind if my credit card charges were charged against someone else’s account, they would certainly mind, and so would the relevant bank. (I’m going to just start using the word “bank” broadly to include credit card issuers, automobile loan issuers, and the like.)

A username on some system is also an identifier. It identifies to the service which particular user or account is being talked about. I am jpgoldberg on our discussion forums. That username is how the system knows what permissions I have and how to verify my password.

Identifiers are bad secrets

Something that is designed and used as an identifier is hard to keep secret. A service can hash a password, but it needs to know which account is being talked about before it can look up any information. In many database systems, identifiers are used as record locators. These need to be efficiently searchable for lookup.

Identifiers also need to be communicated before secret stuff can happen. Bank account numbers are printed on cheques for a reason. Now really clever cryptographic protocols – like the one behind Zero Cash – can allow for transactions which don’t reveal the account identifier of the parties, but for almost everything else, account identifiers are not secret.

Identifiers are hard to change. If you depend on the secrecy of some identifier for your security, then you are stuck with a problem when those secrets do get compromised. It is a pain to get a new credit card number, and it is far worse trying to get a new social security number. Getting a new date of birth might also be a teeny tiny problem.

The point here is that, given what identifiers are designed to do, they aren’t designed to be kept secret.

Authenticators

Authentication is the process of proving some identity. And this almost always involves proving that you have access to a secret that only you should have access to. When I use 1Password to fill in my username (jpgoldberg) and password to our discussion forums, I am proving to the system that I have access to the secret (the password) associated with that particular account.

The password is designed to be kept secret. The server running the discussion forum doesn’t need to search to find the password (unlike searching to do a lookup from my username), so it can get away with storing a salted hash of the password. Also, I can change the password without losing all of the stuff that lives under my account. (Changing my username would require more work.) Plus, my username is used to identify me to other people using the system, and so is made very public. My password, on the other hand, is not.

What banks did wrong

The mess we are in today is because financial institutions have been using knowledge of identifiers as authentication secrets. The fact that someone can defraud a credit card issuer by knowing my credit card number (an account number) and my name and address (matters of public record) is all because at one point, credit card issuers decided that knowledge of the credit card number (a non-secret account number) was a good way to authenticate.

I have not researched the history in detail, but I believe that this started with credit card numbers when telephone shopping first became a thing (early 1970s, I believe). Prior to then, credit cards were always used when the account holder was physically present and could show the merchant an ID with a signature. The credit card number was used solely as designed up until that point: as a record locator.

The same thing is true of social security numbers. Social security numbers were not secret until banks started to use knowledge of them as authentication proofs when they introduced telephone banking. Before then, there was nothing secret about them.
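The distinction drawn in the sections above can be made concrete in a few lines. This is an added example, not code from the original post: the `AccountStore` class, the date of birth, and the passphrases are constructed for illustration, and PBKDF2 with this iteration count is one reasonable choice of salted hash, not something the post specifies. It shows that the identifier must stay searchable in the clear, the password can live only as a salted hash and be rotated, and a check based on knowledge of an identifier keeps accepting leaked data forever.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # illustrative work factor chosen for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Accounts keyed by username (identifier); passwords kept only as salted hashes."""

    def __init__(self):
        # username -> record; the key has to be searchable in the clear
        self._records = {}

    def register(self, username, password, date_of_birth):
        salt = os.urandom(16)
        self._records[username] = {
            "date_of_birth": date_of_birth,  # identifying attribute, stored as-is
            "salt": salt,
            "password_hash": _hash_password(password, salt),
        }

    def authenticate(self, username, password):
        """Proper check: prove knowledge of a secret that is never stored in the clear."""
        record = self._records.get(username)
        if record is None:
            _hash_password(password, b"\x00" * 16)  # comparable work for unknown users
            return False
        candidate = _hash_password(password, record["salt"])
        return hmac.compare_digest(candidate, record["password_hash"])

    def authenticate_by_identifier(self, username, date_of_birth):
        """Anti-pattern from the post: knowledge of an identifier treated as proof."""
        record = self._records.get(username)
        return record is not None and record["date_of_birth"] == date_of_birth

    def change_password(self, username, old_password, new_password):
        """Rotate the secret; the identifier and the rest of the record are untouched."""
        if not self.authenticate(username, old_password):
            return False
        record = self._records[username]
        record["salt"] = os.urandom(16)
        record["password_hash"] = _hash_password(new_password, record["salt"])
        return True

    def breach_view(self):
        """What a copy of the table exposes: identifiers in the clear, passwords hashed."""
        return {
            user: {
                "date_of_birth": rec["date_of_birth"],
                "password_hash": rec["password_hash"].hex(),
            }
            for user, rec in self._records.items()
        }


def walk_through():
    """Register, 'leak' the table, rotate the password, and compare both checks."""
    old_pw, new_pw = "constructed-old-passphrase", "constructed-new-passphrase"
    store = AccountStore()
    store.register("jpgoldberg", old_pw, "1970-01-01")  # constructed date of birth

    leaked = store.breach_view()["jpgoldberg"]
    results = {
        "password_in_dump": old_pw in str(leaked),
        "dob_in_dump": leaked["date_of_birth"] == "1970-01-01",
        "leaked_dob_accepted": store.authenticate_by_identifier(
            "jpgoldberg", leaked["date_of_birth"]
        ),
    }

    # Response to the leak: the password can be changed, the date of birth cannot.
    results["rotated"] = store.change_password("jpgoldberg", old_pw, new_pw)
    results["old_password_accepted"] = store.authenticate("jpgoldberg", old_pw)
    results["new_password_accepted"] = store.authenticate("jpgoldberg", new_pw)
    results["leaked_dob_still_accepted"] = store.authenticate_by_identifier(
        "jpgoldberg", leaked["date_of_birth"]
    )
    return results


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```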

And on it goes

Because high-value systems use knowledge of identifiers as authentication proofs, we are in deep doo-doo. And it will take a long time to dig ourselves out. But we continue to dig ourselves deeper.

It is fine to be asked for non-secret identifying information to help someone or something figure out who they are talking about. I like it when my doctor asks for my date of birth to make sure that they are looking at and updating the right records. But when they won’t reveal certain information to me unless I give them my date of birth, then we have a problem. That is when they start using knowledge of an identifier as an authentication secret.

Over the past decade or so, various institutions have been told that they can’t hold on to social security numbers, and so can’t use them for identifiers. That is a pity, because those are the best identifiers we have in the US. But what is worse is that knowledge of the new identifiers is being used for authentication.

Right now, Baskin-Robbins knows my date of birth (so they can offer me some free ice-cream on my birthday). In ten years, will I have to keep my birth date a closely guarded secret so that I don’t become a victim of some financial or medical records crime? If we keep on making this mistake – using identifiers as authentication secrets – that is where we are headed.

Incentives matter more than technology

I do not want to dismiss the technological hurdles in fixing this problem, but I believe that there is a bigger (and harder) problem that will need to be fixed first: the incentives are in the wrong place.

When Fraudster Freddy gets a loan from Bank Bertha using the identity of Victim Victor, Bertha is (correctly) responsible for the direct financial loss. The problem is that there are costs beyond the immediate fraudulent loan that are borne by Victor. But Victor has no capacity or opportunity to prevent himself from being a victim. In economics jargon, Victor suffers a negative externality.

Bertha factors in the risk of the direct cost to her of issuing a loan to a fraudster. She looks at that risk when deciding how thoroughly to check that Freddy is who he says he is. Bertha could insist that new customers submit notarized documents, but if she insists on that and her competitors don’t, then she would lose business to those competitors.

But Bertha does not factor in the indirect costs to Victor. She has no dealings with Victor. Victor isn’t a potential customer. So if Victor has costly damage to his credit and reputation that requires a lot of effort to sort out, that is not Bertha’s problem (and it certainly isn’t Freddy’s problem).

Only when Freddy and Bertha (the parties to the original deal) have to pay the cost of the damage done to Victor (Economics jargon: “internalizing the externalities”) will Bertha have the incentives to improve authentication. I don’t have an answer to how we get there from here, but that is the direction we need to head. In the meantime, if you find yourself a victim (whether you’re a Victor, a Jeffrey, or something else entirely), Kate published a post earlier this week with tips to protect yourself until we (hopefully) do get all of this figured out one day.

Face it, The iPhone X Looks Amazing

Wow, what an incredible Apple event today! As you may have guessed, the entire team here at AgileBits cozied up to their computers, iPads, Apple TVs, and iPhones to watch as the good folks at Apple took to the stage in the newly minted Steve Jobs Theater and proceeded to bring the house down. A new Apple Watch, a brand new 4K Apple TV, a new iPhone 8, the iPhone X! The hits just kept coming.

As blown away as we were by today’s product announcements, we were even more blown away by our inclusion in the festivities. To see Phil Schiller on stage showing 1Password on the new iPhone X was magical. In case you missed it, here’s a screen grab we captured for posterity:

We truly can’t wait to get these new phones in our hands and into the hands of our customers. 1Password will be there on November 3rd with the new iPhone X and full support for Face ID.

It’s obvious what our favorite part of today’s announcements was, how about you? Sound off in the comments below and let’s nerd out together about this super cool new future.

On Equifax, and what to do when passwords can’t protect you

Data breaches are, sadly, old hat these days. When Watchtower lets you know one of your passwords has been compromised, you sigh and mutter a few expletives, unlock 1Password, and start generating new ones. But what happens when the compromised information isn’t so easily changed, like your date of birth or social security number? That’s exactly what happened to me and 143 million of my fellow Americans just last week.

This is scary, in part because banks use this information to validate identities in the United States. Jeffrey Goldberg, our Chief Defender Against the Dark Arts, has written about this more in-depth, but in short, identifiers banks use for authentication (including SSNs) were not meant to be kept secret. This means the identifiers that were compromised are all criminals need to open accounts in our names, rack up bills, and leave us with the tab. There’s nothing to change this time around, but you can still protect yourself. Here are some steps you can take to do just that.

Keep it on ice

A security freeze is available to anyone — for a fee — and may be free for victims of identity theft. A credit freeze will prevent anyone from viewing your credit report and prevent any new accounts from being opened in your name until you lift the freeze (either permanently or temporarily). Here in Texas, fees are waived for victims of identity theft. Otherwise, it’s $10 to place the freeze on an account and $10 each time you lift it. These fees will vary by state, so be sure to check what fees apply in your state.

A fraud alert is less intrusive (and free), but it also provides less protection. With a fraud alert, businesses can still request and view your credit report, but must verify your identity before they issue new credit. This is usually done by contacting you directly, but some discretion is given to creditors to decide how they want to verify identities, making a fraud alert less reliable than a security freeze. You can place a 90-day fraud alert for any reason and renew it when it expires. If you have already experienced identity theft and have filed a police report, you may be eligible for an extended fraud alert, which lasts seven years.

Constant vigilance

Whether or not you’ve been directly affected by this breach, monitoring your credit is important. Just like you monitor your online accounts for unauthorized access, you should always take advantage of resources available to you and keep an eye out for unrecognized activity on your credit report. All Americans are entitled to a free credit report from each credit reporting agency (CRA) every year. Many banks and credit card providers also offer free credit monitoring to their customers, which will alert you to any changes on your credit report. Although credit monitoring will not prevent identity theft or stop unauthorized accounts from being opened, these services will inform you of changes to your credit report allowing you to take appropriate action quickly.

Always be prepared

In essence, Experian, TransUnion and yes, Equifax, have control over our access to the standard-issue American Dream. Data held by these companies is used to determine if we qualify for a mortgage or a car loan. Employers and landlords may also perform credit checks to determine who to hire or rent to. CRAs are required to correct inaccurate information, but it’s up to us to monitor our credit reports for errors and take action to correct them. If you find an error on your credit report, Patrick McKenzie has some great advice in this Twitter thread:

He also published a blog post to help you set things right and, if you find yourself needing somewhere to store that paper trail Patrick helped you create, you can stash copies in 1Password for safe keeping. If everything looks fine now, don’t sit back. We know 1Password customers care deeply about data security and, though your credit report isn’t secret, it still contains important data and ensuring that data is accurate is how you protect it. Take the time to check it regularly and take action when needed, both in the wake of this breach and always.

If you’d like to learn more about protecting yourself from identity theft, both state and federal agencies offer free resources and services to American consumers:

Federal Trade Commission
State Attorney General’s Office
The Consumer Financial Protection Bureau

Announcing the 1Password command-line tool public beta

Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. Let me take this opportunity to walk you through the exciting potential.

Introducing op

1Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: op.

The 1Password command-line tool makes your 1Password account accessible entirely from the command line. A simple op signin will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:

Getting usernames and passwords from items:

> op get item OpenProxy | jq '.details.fields[] | select(.designation=="password").value'
"genuine-adopt-pencil-coaster"

Creating new items and vaults:

> op create item login $(cat aws.json | op encode) --title="AWS"
{"uuid":"5hinhvejl7wtmbeorfts7ho3di","vaultUuid":"i5imjpvdivbsxo56m2ap2n66gy"}

> op create vault devops
{"uuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

Working with documents:

> op create document ./devops.pdf --vault=devops --tags=architecture
{"uuid":"i3rsiwjfh7aryvbu5odr4uleki","vaultUuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:

> op suspend john@acmecorp.com

One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the Pro plan, op list events makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, op outputs JSON, so it’s simple to work with.

But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.

🎶 Rock, robot rock (solid) 🎶

The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using op for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. After a secure op signin, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.
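A sketch of a build step along those lines, as an added example rather than AgileBits' own script. It assumes a session has already been established with `op signin`, uses only the `op get item` command and the `.details.fields[]` layout visible in the jq filter earlier on the page, and hands the secret to the signing tool on stdin so it never lands in a file or in the process arguments. The sample item, `fake_op`, and the stand-in signer command are constructed for illustration.

```python
import json
import subprocess
import sys
from types import SimpleNamespace

# Constructed sample of `op get item` output. Only the .details.fields[] layout with
# "designation" and "value" keys is taken from the jq filter shown on the page.
SAMPLE_ITEM_JSON = json.dumps({
    "uuid": "constructed-uuid",
    "details": {"fields": [
        {"designation": "username", "value": "build-bot"},
        {"designation": "password", "value": "genuine-adopt-pencil-coaster"},
    ]},
})

# Stand-in for a real signing tool: reads the secret on stdin and prints its length.
STAND_IN_SIGNER = [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"]


def field_by_designation(item: dict, designation: str) -> str:
    """Equivalent of: .details.fields[] | select(.designation=="password").value"""
    matches = [
        field["value"]
        for field in item.get("details", {}).get("fields", [])
        if field.get("designation") == designation
    ]
    if len(matches) != 1:
        # Refuse to guess when the item is missing the field or has duplicates.
        raise LookupError(f"expected one {designation!r} field, found {len(matches)}")
    return matches[0]


def fetch_item(name: str, run=subprocess.run) -> dict:
    """Run `op get item <name>` and parse the JSON it prints on stdout."""
    proc = run(["op", "get", "item", name], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def run_with_secret(cmd: list, secret: str) -> str:
    """Pass the secret on stdin: it is not written to disk and not visible in argv."""
    proc = subprocess.run(cmd, input=secret, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def sign_build(item_name: str, signer_cmd: list, run=subprocess.run) -> str:
    """Fetch the secret from the vault item and feed it straight to the signer."""
    secret = field_by_designation(fetch_item(item_name, run=run), "password")
    return run_with_secret(signer_cmd, secret)


def fake_op(cmd, **kwargs):
    """Stand-in for the real `op` binary so the example runs offline."""
    assert cmd[:3] == ["op", "get", "item"]
    return SimpleNamespace(stdout=SAMPLE_ITEM_JSON)


if __name__ == "__main__":
    # With a real session, drop run=fake_op and pass the real signing command.
    print(sign_build("OpenProxy", STAND_IN_SIGNER, run=fake_op))
```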

The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.

Get yo’ *NIX on

Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried 1Password for Linux and Chrome OS, but we know what really makes developers salivate: a CLI. You can download op for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. Oh, and our Windows friends can play too!

What’s next?

If you’re as excited as we are about this, here’s everything you need to get started:

We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.

Now let’s get ready to 🎶 pipe it, grep it, cat it, sed it 🎶

1Password 6.6 for Android: Crunchy outer cookie, velvety smooth filling

While the solar eclipse was happening last Monday, another dramatic event involving a dark, disc-shaped object was also taking place in New York. Google announced the release of the next version of Android and revealed that it is named after the best-selling cookie in the world. Like its namesake, Android Oreo is equal parts crunchy and sweet. On the crunchy side, it delivers enhanced performance, better battery life, and stronger protection for your device. On the sweet side, it provides yummy new features like adaptive icons, notification categories, and of course, Autofill.

Much like Android Oreo, 1Password 6.6 is also made up of layers that are both crunchy and sweet. I hope you’ll forgive me for indulging my inner kid though, as I twist this cookie open and go straight for the deliciously sweet filling.

Mmm… sweet, sweet filling

When Google announced, earlier this year, that the next version of Android would include built-in support for Autofill, we almost lost our collective minds. In fact, I was so excited that I jumped straight into the developer preview and whipped together a prototype to share with you. Since that initial frenzy of excitement, we’ve been hard at work refining and polishing up the implementation in order to deliver the sugary-sweet filling experience that you deserve. With 1Password 6.6, I’m extremely proud to finally get to introduce you to Autofill with 1Password.

Using Autofill with 1Password, you can now save and fill your usernames and passwords in apps.


Saving a new Login is as simple as typing your credentials into an app and tapping the sign in button. When 1Password detects that you’ve entered a username and password, you will be asked if you want to save those details. From there, you can unlock 1Password if necessary and adjust the title or destination vault for your new Login item before saving it.

Filling existing Login items is a delectable experience too.


If 1Password is locked and it detects sign-in fields in an app, it will prompt you to “Autofill with 1Password”. Once you unlock 1Password, you’ll see a list of matching items and have the option of viewing possible matches if they exist. If 1Password is already unlocked, then matching items are displayed immediately below the active text field in the app. Tapping on one of the items will fill the username and password values for that item into the appropriate fields.

If you’ve also sweetened your device with Android Oreo and you’re looking to try that silky smooth filling for yourself, jump on over to our support site for more details about using 1Password to fill and save in apps.

More cookie to enjoy

Once you’re done with the filling in an Oreo, there are still those satisfyingly crunchy cookie wafers to savour. Similarly, we’ve also got a couple more Android Oreo goodies in this update for you to enjoy.

Android Oreo provides more fine-grained control over notifications by dividing them into categories and allowing you to adjust the settings for each category to your liking. You can adjust the sounds and visual indicators for a category or even turn off notifications for that category entirely. To extend this configurability to notifications from 1Password, we’ve separated them into three categories: sync status, sync failure, and 1Password account activity.

Adaptive icons in Android Oreo make it easier for app icons to look their best on any home screen. We thought that was a pretty tasty improvement, so we’ve updated the 1Password icon accordingly. Regardless of whether the launcher on your device favours icons as circles, squircles, rounded squares, or squares, the 1Password icon will adapt to match.

Other delectable treats

With the delicious improvements above, you’d be forgiven for thinking that only cookie-themed treats are available in 1Password 6.6. I’m happy to clear up any such misconception by mentioning a couple of improvements that don’t depend on Android Oreo.

In this update, we’ve added support for downloading and viewing Documents from your 1Password.com account. Once downloaded, an encrypted copy of your Document will be stored on device and made available for viewing whenever you need it.

We’ve also laid the groundwork for some filling that isn’t part of a cookie sandwich. We’ve been working with Google on a protocol that enables direct communication between apps and password managers. We’ve added support for the protocol in this update and we’ll be reaching out to developers about integrating support into their apps in an upcoming blog post.

If you’d like to read about the many additional improvements and fixes in this update that don’t quite fit with the dessert-themed puns, feel free to jump on over to the release notes. I hope you enjoy all of the treats that we packed into this release!

1Password 6.7 for Windows: a feature buffet

1Password 6.7 for Windows was meant to be a smaller update, but just like you always walk up to the buffet line with the best of intentions, we reached the end of the line with this update and ended up with three plates full of pastries. We have prepared a regular smorgasbord of 58 new features, improvements and fixes for you in this release. So grab a few extra plates and check out the latest Windows goodies. 🙂

Why We Love 1Password Memberships

TL;DR: We love 1Password. We love you. We believe 1Password memberships are the best and will shout it from the mountaintops, but standalone vaults aren’t being removed.

Recently a customer wrote in to praise us for handling a sticky situation with a quick and decisive response. They signed off their post with “from a happy customer”.

Jeff, our resident Chief Defender Against the Dark Arts, replied and signed his message with “from a happy 1Password maker”.

This was really cute and I loved the play on words. It also got me thinking though: we really are happy 1Password makers.

From a happy 1Password maker

Jeff’s phrase is similar to a statement that I tell our team often and expound upon during interviews: we all need to be working at our dream jobs. So I really shouldn’t be surprised by Jeff’s signature. But it stuck with me as I adored its simplicity.

Quick and to the point. And at the same time, a revelation. I absolutely loved it.

1Password is what it is today because we all love working here and have fun helping our customers. We are completely self-funded, independent, have turned down all offers from venture capitalists, and our board of directors consists entirely of people who work on 1Password and help customers directly each and every day.

As a result we’re able to provide true security and never compromise on protecting the privacy of our customers. We don’t have to and never will sell your information or spam you with ads.

The bottom line is we have a complete focus on 1Password and since we’re working on stuff we love, we’re excited and have the desire to constantly improve and make 1Password the best it can be. We’re happy to be able to do this.

Happy 1Password memberships

How is happiness related to 1Password memberships? Simple. We created 1Password memberships to make 1Password the best it can be. And a direct result of 1Password memberships is happier 1Password makers and customers alike.

I am so much happier now that 1Password has the power of memberships to help me help our customers. With memberships, there are several things that I no longer need to do, and as a direct result I have more time to improve 1Password and help more customers.

With 1Password memberships we have a wonderful set of things we no longer need to do. I call it my No More list and here are just the highlights:


No More telling people who had syncing misconfigured (or didn’t realize that syncing needed to be manually configured) that I’m sorry they lost their data when they reset their phone. With 1Password memberships, all your data is synced automatically when you sign in, so there’s nothing to set up or worry about configuring wrong.

No More telling people that I’m sorry that when they deleted some files from their hard drive they didn’t recognize they inadvertently deleted all their 1Password data. With 1Password memberships, everyone enjoys data loss protection that ensures this can never happen.

No More explaining that we don’t have any control or visibility into third-party sync solutions and are therefore limited when troubleshooting problems. With 1Password memberships, we are in complete control of both sides of the connection so we’re able to optimize things, quickly troubleshoot, and improve immediately when a problem is found. All this adds up to a rock-solid solution in which an entire category of issues no longer affects our customers.

No More explaining why purchasing 1Password on one platform doesn’t automatically unlock it on all other platforms. Not only is it really hard for customers to understand that 1Password is “licensed per person, per platform, with paid upgrades”, but it’s an incredible mouthful for us to even say. With 1Password memberships, you simply subscribe once and you get access to 1Password everywhere.

No More needing to hold back on features for creating a “big splash” for major upgrades. These require purchasing a license upgrade and so it’s important that we save up features (often for a year or more) so we can woo customers to open up their wallets. With 1Password memberships, we can give people new features as soon as they are available so they can enjoy them right away. See Travel Mode and 1Password for Slackers for examples of this.

I wish I could also say No More for explaining to people who have forgotten their Master Password that 1Password uses true security and they therefore need to start over. But with 1Password memberships I can at least share the good news that families and teams can use Account Recovery to restore their own access.

And with the time we save from not needing to do these things, we’ll be able to improve 1Password itself to make it easier for customers to remember their Master Passwords. So perhaps someday soon this will indeed end up on my No More list.

Nudging people towards 1Password memberships


Now of course not everyone is on 1Password memberships yet, so we do indeed still work through these issues every day. So it’s not truly a No More list. At least not yet. Still, the number of people on memberships continues to grow every day, so we’re quickly seeing more and more of these bright spots as we move throughout our day.

All these bright spots add up to an even happier set of 1Password makers. And that’s as important for you as it is for us, because the happier a 1Password maker is, the better they’ll be able to widen the smiles of 1Password customers everywhere. Nothing great was ever created without passion, and this is just as true for designing and developing software as it is for customer support. I’m really excited about this and hope that someday 100% of our customers will embrace 1Password memberships.

Now the thing is, I know it’s not realistic to expect everyone to be able to join one of our memberships at this time. As great as 1Password memberships are, I know that our excitement for them can cause some people to become worried. After all, many have corporate policies or regional restrictions that prevent them from using a hosted solution like ours, and so they’re understandably concerned and want to know that there’s a future for them with 1Password.

These worries are compounded by the fact that 1Password 6 for Windows was designed from the ground up to support 1Password Teams customers only (and then later expanded to include family and individual plans), and we are unsure how this adventure will play out on the Windows side of the world, so we haven’t made any public announcements about when support for standalone vaults will be added, if ever. Many Mac users worry that the same fate awaits 1Password 6 for Mac, and that we will remove support for local vaults and force them to pay again.

This isn’t going to happen. First, it would be evil to take away something you’ve already paid for. And evil doesn’t make for a Happy 1Password Customer, which is the cornerstone for a Happy 1Password Maker. It’s simply not who we are.

For those who purchased 1Password 6 for Mac already, you’re perfectly fine the way you are and can continue rocking 1Password the way you have been. There’s no requirement to change anything as we will not be removing features or forcing you to subscribe. In fact we’re still selling licenses of 1Password 6 for Mac for those that really need them (you can find them today on the setup screen under More Options).

And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today.

We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults. But 1Password memberships are indeed awesome and are the best way to use 1Password, and as such, I am going to continue to nudge you over whenever I can 🙂

Love Dave,
A Happy 1Password Maker ❤️ 🇨🇦

P. S. Please don’t think our excitement for memberships has anything to do with money. We’re completely self-funded so we don’t have any investors forcing us to make changes by looking solely at our bottom line. We were doing just fine selling individual licenses and AgileBits was already steadily growing before 1Password Teams was even introduced. We created 1Password Memberships because we had a vision for how 1Password could be even better and we followed our dreams. The result has been stupendously awesome and better than our wildest dreams! Today, over 95% of our revenues are coming from subscribers, which is truly mind blowing. Many investment strategists would say it makes sense to simply drop support for everything else and focus on the money. That’s not how we do things around here. We focus on people, love, and happiness. It’s the way we do things and I wouldn’t have it any other way.

P. P. S. You can create a 1Password membership and move all your existing data over today in just a few minutes. Learn more here. Like I said, I’m going to continue to non-apologetically nudge you over whenever I can 😉

Net neutrality: Keeping the Internet safe and accessible for all

Lo, everyone! Back on October 29, 1969, that two-letter greeting was the first message sent over ARPANET, the predecessor to the World Wide Web. Today, on July 12, 2017, people from around the globe are coming together for a day of action to fight for net neutrality. The principle of net neutrality states that all Internet traffic should be treated equally, but those who control the transmission of that data have been fighting for the right to place their preferred data in the fast lane and leave data they don’t like in a traffic jam. We here at AgileBits care quite a lot about data, and while we’re glad your sensitive data is safely locked away, we think the data we want to share on the Internet should remain accessible to everyone.