Finding Pwned Passwords With 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as much as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s most well known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

1Password command-line tool 0.2: Tim’s new toys

Some of you may know Tim, our Beardless Keeper of Keys and Grounds here at AgileBits. Tim and his team keep everything running smoothly. The servers are serving happily and the networks are flowing gracefully. Tim is also the administrator of our company team on 1Password.com.

Tim can script and automate with the best of them, and from the moment he got a preview of op, the DevOps team began bombarding us with feedback. One of the first things he asked for was the ability to create vaults, so we added that right away. But we knew we could still do more for Tim – after all he was on the nice list this year – so we got him some new toys to play with. If you’re too excited to read more, you can just start playing with op 0.2 now. To find out more, read on.

Vault into the new year

Our first gift to Tim was more control over vault access. He can now use op to add users to vaults, remove users from vaults, and even delete vaults.

So when Dave told Tim about a new project (codenamed Honey Badger), it was easy to set things up.

Dave needed two developers, Chris and Betty, as well as one of our designers, Matt, involved in the project. With the command-line tool, Tim can switch to his terminal and do this right away. After he signs in, he can create the vault needed for the project:

op create vault "Honey Badger"

But this is old news! He’s been creating vaults for months now. What’s new is that he can now give everyone involved access to that vault:

op add "Chris Meek" "Honey Badger"
op add "Betty Da" "Honey Badger"
op add "Matt Davey" "Honey Badger"

Tim can even create a script to take a list of email addresses and add everyone to the vault at once:

#!/bin/bash
# Usage: add-everyone.sh "Honey Badger" < emailaddresses.txt
while read p; do
    op add $p $1
done

After Matt is done designing project Honey Badger, it’s just as simple to remove him from the vault:

op remove "Matt Davey" "Honey Badger"

When everyone is done with the project, Tim can use op delete vault "Honey Badger" and move on to his next gift.

New year, new groups

The next gift we gave Tim was control over group membership. He can now use op to create and delete groups and choose who belongs to them.

When Dave told Tim that Wendy was moving from the support team to the design team, Tim just casually sipped his cocoa. He knew this would be trivial. We already have groups set up for both teams, so he just ran two commands:

op remove "Wendy Appleseed" "Support"
op add "Wendy Appleseed" "Design"

Tim can also create and remove groups with op create group and op delete group if ever he needs to.

Resolve to level up your skills

The holidays may be over, but we have a feeling Tim will be playing with his new toys for many days to come. If you want to level up your own skills, head over to download this latest release and read the full documentation on our support site.

Level up with op 0.2!

Then pop in to the 1Password Support forum to let us know what you think. You’re all on our nice list, and we love hearing from you. Your feedback after the initial public beta was instrumental in shaping this release.

We’re incredibly excited to continue work on this tool, as it gives you access and control over your 1Password data in a way that’s never been possible before.

Same as it ever was: There’s no reason to melt down

The Intel CPU flaw, that is being referred to as “meltdown”, is a big deal. It allows for a whole (new) category of malware to do things that it otherwise shouldn’t be able to do. This is not a good thing, and it remains a threat until operating systems are updated to no longer rely on some specific security features of the CPUs.

But just because it is an extraordinary bug doesn’t mean that it requires an extraordinary response from most people. (Operating system designers are not “most people.”) The same practices that you should already be doing are enough.

What you can do is what you may already be doing

Stay updated, be careful where you get your software

Malware that exploits meltdown may be particularly powerful, but it is still just malware. And so the practices that we’ve always recommended are the practices that will protect you now.

  1. Keep your system and software up to date
  2. Be careful about where you get your software.

Regarding point 1, it appears that the latest version of High Sierra already has defenses to guard against meltdown. If you are using macOS be sure that you are up to date. It also appears that Microsoft is in the process of releasing a security update for Windows.

For the second point, I recommend downloading software from app stores, such as the Mac App Store and the Microsoft Store. They can’t guarantee that no malware slips through, but they provide the easiest and most effective filter available.

Whatever you do, don’t respond to “scareware”. Scareware is typically sold through something that pops up fake alerts about your system being infected or compromised. These scary (and fraudulent) alerts then try to entice you into installing and running tools that will “clean” or “repair” your system. Unfortunately those tools do the exact opposite of what they claim to do.

Panicked people make poor security choices. And so this is why I am worried that fear about this issue might lead people to become more susceptible to scareware. Take a deep breath, don’t panic, and be calmly suspicious of scary alerts.

What we can do is what we have already been doing

1Password is designed so that even if an attacker can read every bit of data on our systems they cannot learn your secrets. We simply don’t have the capacity to decrypt your data, and that holds of anyone who compromises our systems. This has been essential to 1Password’s design from the very beginning, and it is why we don’t have to panic either.

Furthermore, it appears that AWS (our hosting provider) has already begun patching the servers. Keeping up with updates is one of the things we hire them to do.
1Password Encryption

Same as it ever was

I don’t want to downplay the extraordinariness of this bug. It is fascinating in many ways, and it does have broad impacts. But unless your job is to design and maintain operating systems, you should just follow normal practices of keeping your system up to date and not installing dodgy software.

There is a great deal of speculation and news coming thick and fast and it may well be that some of the details of what I have said here will need correction. But the core message should remain the same. Keep your systems and software up to date, and don’t install software from untrusted sources.

The 1Password Slack app makes administrators happy

Our all new 1Password app for Slack automatically posts messages in Slack when important events happen on your team. It also includes some new functionality that makes it easy for administrators to stay coordinated.

Let me tell you a story about how Slack can be so much more powerful than email.

Going crazy

 Once upon a time, there were three administrators: Jeff, Dave, and Roustem. Dave needed more help developing 1Password X, so he hired a new team member. You won’t be surprised to know that part of that process includes inviting the new hire to our 1Password team.

Once the new team member accepts their invitation and joins the team, their membership needs to be confirmed. To make this easier, 1Password sends a helpful email to all the administrators.


Jeff checked his mail the soonest and quickly confirmed the new team member. Dave was busy working on 1Password X, so he didn’t even have a chance to see the email. A few hours later, Roustem took a break from coding and saw the email. When he went to confirm the new team member, he saw that there were no team members to confirm. Did something go wrong? Or had someone else already beat him to it?

Roustem knew there had to be a better way and almost started to code the solution himself. Then he realized he was in the middle of five other things, so he let me take a crack at it. :)

Staying sane

Slack had all the tools we needed to create an intuitive system to keep all the administrators on a team in sync. The Slack API is really simple to work with, and I was able to have a shiny new Slack app up and running in about a week.

There are two kinds of messages that can be posted in your Slack workspace, and you can choose to post them in a single channel or separate ones.

Alerts that require action

1Password Teams can now post alerts in Slack for things that need your attention, so you can take action right away. But the main problem we wanted to solve was having some way to let administrators know what didn’t need their attention anymore.

After an action is completed, the message is automatically updated to let everyone else know. You’ll immediately know when someone else has already completed the action.

Notifications that let you know what’s up

Every day stuff happens on your team that doesn’t necessarily require you to take action. But it’s handy to have it all in one place. Notifications are informational messages that allow you to keep tabs on important activity, so there are no surprises.

For example, seeing that everyone is signing in from locations that you expect can help ease an otherwise stressful day for an administrator.

Happy administrators

The 1Password Slack app is easy to set up. You can get started today in your account settings:

Use the 1Password Slack app

Roustem couldn’t be more pleased. We hope you are too. Let us know what you think in the comments.

If you’re curious about some of the technical aspects of how we securely authorize with Slack, check out our post on the Slack Platform Blog.

1Password living on the [Microsoft] Edge

I’ve long been curious about Microsoft Edge. It’s fast, light-weight, and much more secure than the Internet Explorer of my childhood. It had everything you look for in a browser … except 1Password support. Today that changes!

Thanks to the hard work of the Microsoft Edge and Windows Store teams, along with our own Windows team, I’m excited to announce that 1Password now has a lovely new home right on your Microsoft Edge toolbar. 🎉

Boldly go where no Login item has gone before

To bring your items with you to explore Microsoft Edge, first make sure you have 1Password 6.7 or later installed and set up. Then, head to the Windows Store and grab the 1Password extension. Open Microsoft Edge, enable the 1Password extension, and enjoy saving new Login items, opening and filling in Microsoft Edge from 1Password mini, filling addresses and credit card details, and easy access to the Strong Password Generator, just like you’ve come to know and love. If you’re still using an older version of 1Password, you can follow this handy guide to migrate your existing data to the latest version of 1Password to get ready to seek out new frontiers in Microsoft’s latest browser.

Hello dark mode, my old friend

As you’re working your own 1Password magic in Microsoft Edge, don’t forget to check out my favorite feature: its super-sleek dark mode. I love how it turns your 1Password extension icon into a lovely point of light on your toolbar and it’s perfect for late-night browsing.  Let the stars next to your favorites light up Microsoft Edge and help guide you to your most loved websites at the click of a Login item. Of course, if a different vision has been planted in your brain, the extension icon looks right at home in light mode too. 😉

To the Edge and beyond!

As stoked as we are about 1Password coming to Microsoft Edge, this is only the beginning and some finishing touches are coming in future releases. Support for keyboard shortcuts to fill logins and some tweaks to how mini lets you know you’re filling in Edge are included with the latest 1Password 6 for Windows beta. Additional improvements for filling on certain sites will also be addressed down the road.

Currently, the 1Password extension in Microsoft Edge requires 1Password 6.7 for Windows or later and a 1Password membership. We will be expanding Edge availability in future releases but if you’d like to enjoy using Edge sooner than later, now is a great time to give a 1Password membership a try. In addition to early access, there are many other benefits and it’s free for 30 days!

I hope you enjoy saving and filling in Microsoft Edge and, as always, we love seeing your feedback in our support forum. 😊

Up top, drag and drop – iOS 11 super powers for your iPad

Our favorite Tuesday of the year was just here — the latest update to iOS was released for you, me, and all our friends checking for updates. There’s a beautiful new Control Center, updated fonts across the board, a quick way to pay your friends for chocolate chip cookies with Apple Pay (coming later this year), and our personal favorite, drag and drop on iPad. We got really excited when Apple showed off drag and drop for iPad at WWDC in June, and now you get to enjoy it in 1Password on your iPad too!

Before you update

Since big iOS updates only happen once a year, I tend get pretty excited and jump to “I’m gonna install this right now!” But before updating, here are a few things I recommend doing before updating:

  • Back up your iOS device: As tempting as it is to grab the update right away, you likely spent a lot of time getting used to your iPhone or iPad just the way it is now. Just in case something happens during the update, it’s always good to have a backup ready. Learn how to back up your iOS device.
  • Sync 1Password: If you have a 1Password account and you’re signed in to it on your iOS device, you’re all set. If not, you can create an account and migrate your data to keep things synced and backed up. Learn more about keeping 1Password synced.
  • Know your Master Password: Before updating, make sure you have a copy of your Master Password written down. You can print your Emergency Kit and write it there. Your Master Password may be required after you update to iOS 11, so it’s always good to have it somewhere just in case. And yeah, I too might be printing my Emergency Kit again after I take a handwriting course.

With your iOS device backed up, 1Password synced, and your Master Password written somewhere safe, update to iOS 11 and you’re ready to get those cookies.

Drag and drop with 1Password on iPad

One of the coolest features in iOS 11 is drag and drop on iPad. Just like on a computer, we can finally drag and drop things by tapping and holding, then dragging text, photos, and more between apps on our iPads. We added support for this to 1Password, so you can drag a username and password to those fields in another app instead of copying and pasting them:

You can also add a contact to 1Password. Just open Contacts and 1Password side by side and drag the contact to 1Password. I finally added Batman to 1Password on my iPad with this, and I put it in a vault shared with my family so they can get in touch with him whenever they need something. Hope I have the right address though.

To use drag and drop with 1Password on your iPad, update to iOS 11 and make sure 1Password is up to date. Then with 1Password and another app open side by side, drag a username, password, or other field from 1Password to a text field in the other app to fill it.

Cookie time

Well, my Watch, iPhone, and iPad are all updated so I’m off to test out these new heart rate features on a run. Our designer Matt also told me you can raise your wrist while listening to music on your iPhone and the Watch will automatically let you play/pause, skip, and adjust the volume, so I’m really excited to use that more often when I’m out and about, and hopefully I’ll run past a cookie shop too. See you soon. 👋

Why is this information sensitive? The deeper Equifax problem

As the world now knows Equifax, the credit rating company and master of our fates, suffered a data breach in May and June 2017, which revealed to criminals details of 143 million people. (I would have liked to say, “143 million customers“, but that is very far from the case. We have no control at all over Equifax and other credit rating companies collecting information about us. We are neither their customers nor users.)

The revealed data includes:

  • Social Security numbers
  • Dates of birth
  • Addresses
  • Driver’s license numbers (unspecified number of these)
  • Credit card numbers (209,000 of these)

There are many important things to ask about this incident, but what I am focusing on today is why has non-secret information become sensitive? None of those numbers were designed to be used as secrets (including social security numbers and credit card numbers), yet we live in a world in which we have to keep these secret. What is going on here?

Identity crisis

Names only provide a first pass at identifying individuals in some list or database. There are a lot of Jeffrey Goldbergs out there. (For example, I am not the journalist and now editor-in-chief at the Atlantic. But there are lots of others that I also am not.) Also people change their names. Some people change their name when they get married. (My wife, Lívia Markóczy, decided to keep her name because we figure it is easier to spell than “Goldberg”.) Others change their names for other reasons.

We have three “Jeffreys” at AgileBits, but fortunately we have distinct family names. Though sometimes I think that everyone who joins the company should just go by “Jeffrey” to avoid confusion.

Anyway, names alone are not enough to figure out who we are talking about once we get beyond a small group of people. So we use other things. Social security numbers worked well in the US for some time. They didn’t change over your lifetime (except in rare circumstances) and nearly everyone had one. Dates of birth also don’t change. So a combination of a name, a date of birth, and a social security number was a good way to create an identifier for nearly every individual in the US, with the understanding that a name might change.

Sometimes it is not a person that we need to uniquely and reliably identify. Sometimes it is something like a bank account or charge account. Cheques (remember writing those?) have the account number printed on them. They uniquely identify the particular account within a bank, and a routing number (in the US) identifies the bank. The routing number is also printed on each cheque.

Things like social security numbers and driver’s license numbers are designed as “identifiers” of people. They are ways to know which Jeffrey Goldberg is which. Occasionally getting email meant for the journalist is no big problem, but if he gets himself on the no-fly list, I want to be sure that I don’t get caught up in that net. Likewise, I don’t want my doctor or pharmacist mixing me up with some other Jeffrey Goldberg who isn’t allergic to the same stuff that I am. Nor does some other Jeffrey Goldberg want the record of speeding tickets I seem to acquire.

Things like bank or charge account numbers are used to uniquely and reliably identify the particular account. While I wouldn’t mind if my credit card charges were charged against someone else’s account, they would certainly mind, and so would the the relevant bank. (I’m going to just start using the word “bank” broadly to include credit card issuers, automobile loan issuers, and the like.)

A username on some system is also an identifier. It identifies to the service which particular user or account is being talked about. I am jpgoldberg on our discussion forums. That username is how the system knows what permissions I have and how to verify my password.

Identifiers are bad secrets

Something that is designed and used as an identifier is hard to keep secret. A service can hash a password, but it needs to know which account is being talked about before it can look up any information. In many database systems, identifiers are used as record locators. These need to be efficiently searchable for lookup.

Identifiers also need to be communicated before secret stuff can happen. Bank account numbers are printed on cheques for a reason. Now really clever cryptographic protocols – like the one behind Zero Cash – can allow for transactions which don’t reveal the account identifier of the parties, but for almost everything else, account identifiers are not secret.

Identifiers are hard to change. If you depend on the secrecy of some identifier for your security, then you are stuck with a problem when those secrets do get compromised. It is a pain to get a new credit card number, and it is far worse trying to get a new social security number. Getting a new date of birth might also be a teeny tiny problem.
The point here is that, given what identifiers are designed to do, they aren’t designed to be kept secret.

Authenticators

Authentication is the process of proving some identity. And this almost always involves proving that you have access to a secret that only you should have access to. When I use 1Password to fill in my username (jpgoldberg) and password to our discussion forums, I am proving to the system that I have access to the secret (the password) associated with that particular account.

The password is designed to be kept secret. The server running the discussion forum doesn’t need to search to find the password (unlike searching to do a lookup from my username), so it can get away with storing a salted hash of the password. Also, I can change the password without losing all of the stuff that lives under my account. (Changing my username would require more work.) Plus, my username is used to identify me to other people using the system, and so is made very public. My password, on the other hand, is not.

What banks did wrong

The mess we are in today is because financial institutions have been using knowledge of identifiers as authentication secrets. The fact that someone can defraud a credit card issuer by knowing my credit card number (an account number) and my name and address (matters of public record) is all because at one point, credit card issuers decided that knowledge of the credit card number (a non-secret account number) was good way to authenticate.

I have not researched the history in detail, but I believe that this started with credit card numbers when telephone shopping first became a thing (early 1970s, I believe). Prior to then, credit cards were always used when the account holder was physically present and could show the merchant an ID with a signature. The credit card number was used solely as designed up until that point: as a record locator.

The same thing is true of social security numbers. Social security numbers were not secret until banks started to use knowledge of them as authentication proofs when they introduced telephone banking. Before then, there was nothing secret about them.

And on it goes

Because high-value systems use knowledge of identifiers as authentication proofs we are in deep doo-doo. And it will take a long time to dig ourselves out. But we continue to dig ourselves deeper.

It is fine to be asked for non-secret identifying information to help someone or something figure out who they are talking about. I like it when my doctor asks for my date of birth to make sure that they are looking at and updating the right records. But when they won’t reveal certain information to me unless I give them my date of birth, then we have a problem. That is when they start using knowledge of an identifier as an authentication secret.

Over the past decade or so, various institutions have been told that they can’t hold on to social security numbers, and so can’t use them for identifiers. That is a pity, because those are the best identifiers we have in the US. But what is worse is that knowledge of the new identifiers is being used for authentication.

Right now, Baskin-Robbins knows my date of birth (so they can offer me some free ice-cream on my birthday). In ten years, will I have to keep my birth date a closely guarded secret so that I don’t become a victim of some financial or medical records crime? If we keep on making this mistake – using identifiers as authentication secrets – that is where we are headed.

Incentives matter more than technology

I do not want to dismiss the technological hurdles in fixing this problem, but I believe that there is a bigger (and harder) problem that will need to be fixed first: the incentives are in the wrong place.

When Fraudster Freddy gets a loan from Bank Bertha using the identity of Victim Victor, Bertha is (correctly) responsible for the direct financial loss. The problem is that there are costs beyond the immediate fraudulent loan that are borne by Victor. But Victor has no capacity or opportunity to prevent himself from being a victim. In economics jargon, Victor suffers a negative externality.

Bertha factors in the risk of the direct cost to her of issuing a loan to a fraudster. She looks at that risk when deciding how thoroughly to check that Freddy is who he says he is. Bertha could insist that new customers submit notarized documents, but if she insists on that and her competitors don’t, then she would lose business to those competitors.

But Bertha does not factor in the indirect costs to Victor. She has no dealings with Victor. Victor isn’t a potential customer. So if Victor has costly damage to his credit and reputation that requires a lot of effort to sort out, that is not Bertha’s problem (and it certainly isn’t Freddy’s problem.)

Only when Freddy and Bertha (the parties to the original deal) have to pay the cost of the damage done to Victor (Economics jargon: “internalizing the externalities”) will Bertha have the incentives to improve authentication. I don’t have an answer to how we get there from here, but that is the direction we need to head. In the meantime, if you find yourself a victim (whether you’re a Victor, a Jeffrey, or something else entirely), Kate published a post earlier this week with tips to protect yourself until we (hopefully) do get all of this figured out one day.

Face it, The iPhone X Looks Amazing

Wow, what an incredible Apple event today! As you may have guessed the entire team here at AgileBits cozied up to their computers, iPads, Apple TVs, and iPhones to watch as the good folks at Apple took to the stage in the newly minted Steve Jobs Theater and proceeded to bring the house down. A new Apple Watch, a brand new 4K Apple TV, a new iPhone 8, the iPhone X! The hits just kept coming.

As blown away as we were by today’s product announcements we were even more blown away by our inclusion in the festivities. To see Phil Schiller on stage showing 1Password on the new iPhone X was magical. In case you missed it, here’s a screen grab we captured for posterity:

We truly can’t wait to get these new phones in our hands and into the hands of our customers. 1Password will be there on November 3rd with the new iPhone X and full support for Face ID.

It’s obvious what our favorite part of today’s announcements was, how about you? Sound off in the comments below and let’s nerd out together about this super cool new future.

On Equifax, and what to do when passwords can’t protect you

Data breaches are, sadly, old hat these days. When Watchtower lets you know one of your passwords has been compromised, you sigh and mutter a few expletives, unlock 1Password, and start generating new ones. But what happens when the compromised information isn’t so easily changed, like your date of birth or social security number? That’s exactly what happened to me and 143 million of my fellow Americans just last week.

This is scary, in part because banks use this information to validate identities in the United States. Jeffrey Goldberg, our Chief Defender Against the Dark Arts, has written about this more in-depth, but in short, identifiers banks use for authentication (including SSNs) were not meant to be kept secret. This means the identifiers that were compromised are all criminals need to open accounts in our names, rack up bills, and leave us with the tab. There’s nothing to change this time around, but you can still protect yourself. Here are some steps you can take to do just that.

Keep it on ice

A security freeze is available to anyone — for a fee — and may be free for victims of identity theft. A credit freeze will prevent anyone from viewing your credit report and prevent any new accounts from being opened in your name until you lift the freeze (either permanently or temporarily). Here in Texas, fees are waived for victims of identity theft. Otherwise, it’s $10 to place the freeze on an account and $10 each time you lift it. These fees will vary by state, so be sure to check what fees apply in your state.

A fraud alert is less intrusive (and free), but it also provides less protection. With a fraud alert, businesses can still request and view your credit report, but must verify your identity before they issue new credit. This is usually done by contacting you directly, but some discretion is given to creditors to decide how they want to verify identities making a fraud alert less reliable than a security freeze. You can place a 90-day fraud alert for any reason and renew it when it expires. If you have already experienced identity theft and have filed a police report, you may be eligible for an extended fraud alert, which lasts seven years.

Constant vigilance

Whether or not you’ve been directly affected by this breach, monitoring your credit is important. Just like you monitor your online accounts for unauthorized access, you should always take advantage of resources available to you and keep an eye out for unrecognized activity on your credit report. All Americans are entitled to a free credit report from each credit reporting agency (CRA) every year. Many banks and credit card providers also offer free credit monitoring to their customers, which will alert you to any changes on your credit report. Although credit monitoring will not prevent identity theft or stop unauthorized accounts from being opened, these services will inform you of changes to your credit report allowing you to take appropriate action quickly.

Always be prepared

In essence, Experian, TransUnion and yes, Equifax, have control over our access to the standard-issue American Dream. Data held by these companies is used to determine if we qualify for a mortgage or a car loan. Employers and landlords may also perform credit checks to determine who to hire or rent to. CRAs are required to correct inaccurate information, but it’s up to us to monitor our credit reports for errors and take action to correct them. If you find an error on your credit report, Patrick McKenzie has some great advice in this Twitter thread:

He also published a blog post to help you set things right and, if you find yourself needing somewhere to store that paper trail Patrick helped you create, you can stash copies in 1Password for safe keeping. If everything looks fine now, don’t sit back. We know 1Password customers care deeply about data security and, though your credit report isn’t secret, it still contains important data and ensuring that data is accurate is how you protect it. Take the time to check it regularly and take action when needed, both in the wake of this breach and always.

If you’d like to learn more about protecting yourself from identity theft, both state and federal agencies offer free resources and services to American consumers:

Federal Trade Commission
State Attorney General’s Office
The Consumer Financial Protection Bureau

Announcing the 1Password command-line tool public beta

Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. Let me take this opportunity to walk you through the exciting potential.

Introducing op

1Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: op.

The 1Password command-line tool makes your 1Password account accessible entirely from the command line. A simple op signin will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:

Getting usernames and passwords from items:

$ op get item OpenProxy | jq '.details.fields[] | select(.designation=="password").value'

"genuine-adopt-pencil-coaster"

Creating new items and vaults:

$ op create item login $(cat aws.json | op encode) --title="AWS"

{"uuid":"5hinhvejl7wtmbeorfts7ho3di","vaultUuid":"i5imjpvdivbsxo56m2ap2n66gy"}
$ op create vault devops

{"uuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

Working with documents:

$ op create document ./devops.pdf --vault=devops --tags=architecture

{"uuid":"i3rsiwjfh7aryvbu5odr4uleki","vaultUuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:

op suspend john@acmecorp.com

One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the Pro plan, op list events makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, op outputs JSON, so it’s simple to work with.

But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.

🎶 Rock, robot rock (solid) 🎶

The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using op for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. After a secure op signin, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.

The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.

Get yo’ *NIX on

Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried 1Password for Linux and Chrome OS, but we know what really makes developers salivate: a CLI. You can download op for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. Oh, and our Windows friends can play too!

What’s next?

If you’re as excited as we are about this, here’s everything you need to get started:

We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.

Now let’s get ready to 🎶 pipe it, grep it, cat it, sed it 🎶