Introducing 1Password 6.6 for Mac

I’m happy to announce we just finished assembling a new version of 1Password! It’s working its way through the update engines around the world now and hopefully it’s ready for you by the time you finish reading this. 🙂

The biggest change in this release is a whole new setup experience. We’ll dive into that in a moment, but first I’d like to share a cool new feature for those of you lucky enough to have one of those sexy new MacBook Pros.

We’ve been experimenting with the new Touch Bar since the beginning and added Touch Bar support along with Touch ID back in November as soon as the new Macs were available.

Today we’re taking the next tap and giving you the ability to customize your Strong Password Generator settings directly from your Touch Bar!

I always enjoy the feel of tapping actions on the Touch Bar but sliding your finger across it is even better! Trust me, you’ll have a hard time customizing your password length just once. 😀

There are several other changes in this release as well, but let’s dive right into the big one now.

New Setup Flow

The biggest change is one that most of you probably won’t see until the next time you’re setting up a new Mac. Those new MacBook Pros with Touch ID really are pretty sweet so hopefully this isn’t too far in your future! 😉

Starting today we have a lovely new flow for the setup screens[1]. Like their little cousin on iOS did earlier, 1Password for Mac makes getting started much simpler.

Now when you launch 1Password on a new Mac you’ll be greeted with a lovely page asking you if you’ve used 1Password before:

Those of you who have already been rocking with 1Password can use your existing data, and everyone else who’s just getting started can begin their free trial.

Free Trials From Mac App Store

We’ve always wanted everyone to be able to try 1Password before needing to purchase. Our website version has supported free trials since the very beginning, but it wasn’t possible in the Mac App Store when we first published 1Password there way back in 2011.

Thankfully Apple gave us a wonderful present at their Worldwide Developers Conference last year that made this possible for Mac App Store users as well.

1Password now comes with a 30 day free trial in the Mac App Store. Those downloading 1Password for the first time will start their trial and be prompted to subscribe once their trial expires:

Your single subscription allows you to use 1Password on all your devices and always have access to the latest versions.

Those who previously purchased 1Password in the Mac App Store will continue to be able to use 1Password as before and are not required to subscribe to our 1Password membership. Although there are a lot of great reasons why you should…

Benefits of a 1Password Membership

I’ve been a license holder since the beginning. In fact, I’m pretty sure I got the first license we ever made!

If you’re a longtime license holder of 1Password like I was, I’m sure you’re wondering what all the hullabaloo is over our new service. I’m glad you asked and I’m happy to unlock that mystery for you! 🙂

There are a lot of benefits to a 1Password Membership over a standalone license, but for me it boils down to convenience, security, and peace of mind.

Let’s start with convenience. With a membership, all I do is log in on a new device and all my data is there. I can even organize my items in multiple vaults and they all appear instantly.

And the best part is my membership gives me access to the latest version of 1Password on all my devices so I don’t need to worry about managing any licenses. I’m really happy that I don’t need to say “1Password is sold on a per-person, per-platform basis, with paid upgrades for major new versions” anymore. 🙂

On the security side of things, I absolutely love our new encryption design that leverages Galois/Counter Mode for efficient authenticated encryption and our ingenious Two Secret Key Derivation starring our unique Account Key.

I know I know, I’m a huge geek and love the details, but these and many other things all add up to better performance and a secure-er than ever way to protect your data. You can check out our security page for a nice high level review, along with a detailed White Paper for my fellow geeks reading this. 👋

As for peace of mind, this one is priceless. I simply sleep better at night.

With my 1Password membership, I know that all my data is backed up automatically for me, and every change is remembered so I can go back in time and restore my precious items whenever I need to. And with our Family account I can securely share passwords with Sara so she has access to everything she needs.

In short, I’m absolutely loving my 1Password membership. It’s the best way to use 1Password.

Becoming a 1Password Member

If these benefits excite you and you want to join me, becoming a 1Password member is super easy.

You can jump on board and migrate all of your data over in just a few short steps. We have a quick guide on how to set up a new account and move over your data, along with a nice video showing how easy it is to do.

I know you’re busy so I’m happy to say you can finish the entire process in just a few minutes. Start by creating your new account here:

Start Your Free Trial Today

Often it feels like I’ve been using all these great new features for a lifetime, but looking back we introduced 1Password Teams only 15 months ago, 1Password Families almost exactly one year ago, and 1Password Memberships just 6 months ago.

It’s amazing how quickly I came to rely on these benefits and how I was able to fall in love with 1Password all over again. I think you will, too.

Enjoy! ❤️ 🇨🇦


  1. Those with eagle eyes might be saying “again?” since 1Password 6.5 had a new setup experience for those who downloaded from our website. But we’ve iterated on the design and now everyone gets to join in on the fun, including those who install using the Mac App Store. 

Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

As you may have read, this weekend was a little hectic for us and some of our app developer friends[1]. On Saturday we got word that users of 1Password for Mac were seeing the app fail to launch correctly. It took a few hours, but we diagnosed the problem and released an update that corrected the issue. This issue will only have affected users that downloaded 1Password for Mac directly from our website, so if you downloaded it from the Mac App Store you had a much more calm weekend than we did.

But alas, that story has already been told. Now it’s time for the nitty gritty technical details about all the forces that aligned against us that had us staring up a giant wall of crashing water like George Clooney and Mark Wahlberg.

Prologue: Not All Certificates Are Created Equal

There’s a lot of information to unpack in this post, but before I get started, I’d like to address an assumption I’m seeing far too many people making: that what happened to us was simply an issue of an expired certificate and that all we needed to do was create a new one, just like you do for SSL certificates.

That’s simply not true.

Developer certificates are much different than SSL certificates and serve a very different purpose. Unlike a simple SSL certificate, our developer certificate is used to sign 1Password and needs to be valid during build time. The expiry time of a certificate or provisioning profile should have no impact on whether macOS will allow an app to launch.

An analogy may be helpful here: if you think of the developer certificate as a carton of eggs, and 1Password as a cake, then it is important not to use expired eggs to make the cake. The fact that the eggs may expire a few days after making the cake should have no effect on the cake itself. After all, the cake is already made and delivered.

Jumping out of the galley and back into our developer world, an expired certificate typically doesn’t affect us until the next time we need to do a release, which would have been this week with our next betas. Certificates control our ability to sign new apps. They don’t affect existing released apps.

For example, we have some users still using 1Password 3 for Mac (hey there, if that’s you, you should really consider upgrading to a 1Password membership as soon as possible!). The first release of 1Password 3 was in 2009, around 8 years ago. Assuming a user is happy with 1Password 3, how long should they expect to be able to continue using the software they paid for? The only acceptable answer to that question is: as long as they feel like it.

Obviously there’s plenty of reasons for why a user would want to upgrade to newer versions, but the fact of the matter is that a user shouldn’t be reliant on us to keep providing updated builds of an unmaintained app just to keep it running. Unlike an SSL certificate, this isn’t something we can simply fix from our end. Fixing the issue we ran into this weekend is a matter of creating a new build of the app and having users update to the new version.

Taking a Tour of the Engine Room

To properly understand what happened, let’s take a step back and look at the different parts of this.

In Mac OS X 10.7 Apple introduced Gatekeeper. Gatekeeper is really quite awesome as it gives users control over what software is allowed to run on their system. The default is to allow software from verified and trusted developers: those apps that have been uploaded to the Mac App Store, or those signed with Developer ID certificates made available to the developer by Apple.

Gatekeeper ensures that apps that have been tampered with will refuse to run, and also provides Apple with a way to revoke certain certificates if a developer has been found to be doing harm (i.e. distributing Developer ID signed malware). These simple steps stop a wide variety of attack vectors and we think the world of Apple for having implemented this.

The next layer is the Provisioning Profile. Provisioning Profiles provide information about what the app can do, as well as who can run it. There are certain services on the Mac that require that the app include a Provisioning Profile. In our case, we needed to start using a Provisioning Profile when we added support for unlocking 1Password using Touch ID.

To be clear, Touch ID itself doesn’t necessitate the profile, but in order to unlock your vault we need to store a secret and we choose to store it in the OS X keychain. The specific configuration we’re using for that requires declaring that we want access to a specific keychain access group, which needs to be declared in a provisioning profile. The provisioning profile is included in the app bundle and cannot be updated independently of the app.

Next up… XPC. We use XPC to communicate between the 1Password main app and 1Password mini – the little 1Password that runs in your menu bar – and it’s really quite awesome. 1Password mini acts as the brains of the whole operation, and the larger app is mostly just responsible for displaying information. The reason we love XPC so much is because it’s an inter process communication tool that actually provides us the building blocks we need to perform mutual authentication. What this means is that 1Password mini will refuse to communicate with the main app unless it can prove that it’s signed by us. The inverse is true as well.

Storm Clouds Gather

At around 3pm EST on February 18th we started getting reports of failures in 1Password for Mac. Folks were seeing an error appear that 1Password was unable to connect to 1Password mini.

Unable to start 1Password

This initial failure occurred due to the fact that the provisioning profile embedded in 1Password mini had an expiration date. Expiration dates seem to be required, and due to the fact that the expiration date elapsed, Gatekeeper decided that 1Password mini was no longer safe to run. We’ve filed a bug with Apple as we feel that this shouldn’t be the case (rdar://30631939 for those of you reading along inside the Mothership).

Only 1Password mini contains the Provisioning Profile as all Touch ID operations happen within that process. This meant that Gatekeeper was deciding that our main 1Password app could launch. Upon launching, 1Password performs its start up sequence which includes asking the system to launch 1Password mini if it’s not already running. When doing so, the system would log the following to the console:

com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): Binary is improperly signed.
com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): removing service since it exited with consistent failure reason
When validating /Applications/1Password 6.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app/Contents/MacOS/2BUA8C4S2C.com.agilebits.onepassword4-helper:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
com.apple.xpc.launchd[1] (com.apple.ReportCrash[11041]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash

The 1Password main app detected the failure and provided an error panel telling the user that it couldn’t connect to mini.

Due to the expired Provisioning Profile, 1Password mini wouldn’t launch. And without mini running, 1Password itself was unable to start up successfully. Both mini and 1Password itself were signed with the same Developer ID certificate. Gatekeeper allowed 1Password to run, but due to the different rules for apps with provisioning profiles, it would not allow mini to run.

As far as we can tell, the only way to correct this problem is to provide a new build of the app with an updated provisioning profile with a new expiration date. Within a few hours we were able to publish a new version which did exactly this. As of 6.5.4, we had an app that users could download and run again.

The Eye Of The Storm

After this initial bout of terror, death defying feats, and mad scrambles we figured the technical portion of this exercise was finished and had begun transitioning into customer support mode; helping allay the fear, uncertainty, and doubt that this event had caused.

Little did we know at the time, we were only in the eye of the storm – the calm center before things would get rough again.

1Password for Mac includes an updater within the app so that users can easily upgrade to the latest versions as they become available. This updater validates downloads before performing the update to ensure that the updated app is in fact from AgileBits. One of the steps taken during validation is looking at the code signature of the downloaded app and ensuring that it satisfies the following security requirement:

anchor apple generic and identifier com.agilebits.onepassword4 and certificate leaf[subject.CN] = "Developer ID Application: Agilebits Inc."

This check has worked really well for us. It’s simple and does the trick.

This check is also extremely specific about the common name[2] it looks for. When we generated our updated provisioning profile we also needed to generate a new Developer ID certificate. We didn’t realize it at the time, but the common name of newly created certificates now includes the team identifier in addition to the company name: “Developer ID Application: AgileBits Inc. (2BUA8C4S2C)” vs. “Developer ID Application: AgileBits Inc.”. Close. Super close. But we weren’t looking for a “close” match.

The result of this new common name was that even though our app would now launch, the automatic updater would never run successfully because as far as it was concerned the update being provided wasn’t valid and therefore needed to be rejected. This is what users who could still run 6.5.3 and tried to update to 6.5.4 saw.

Once we discovered this problem we had no choice but to pull the 6.5.4 update and issue a 6.5.5 update that included a modified security requirement check. Sadly this didn’t address the fact that users running 6.5.3 and earlier are not able to automatically update to 6.5.5.
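The mismatch described in this section, modelled as an added example (not code from the original post, and not the modified check that shipped in 6.5.5). It contrasts an exact common-name match with a pin on the team identifier, assuming the team identifier is carried in the leaf certificate's subject.OU; the `SignedApp` type and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass

TEAM_ID = "2BUA8C4S2C"                    # team identifier quoted in the post
BUNDLE_ID = "com.agilebits.onepassword4"  # identifier from the post's requirement
OLD_CN = "Developer ID Application: AgileBits Inc."
NEW_CN = "Developer ID Application: AgileBits Inc. (2BUA8C4S2C)"


@dataclass(frozen=True)
class SignedApp:
    """Constructed stand-in for the fields a code-signature check looks at."""
    identifier: str       # signing identifier of the downloaded app
    leaf_cn: str          # leaf certificate subject.CN (display name)
    leaf_ou: str          # leaf certificate subject.OU (assumed: team identifier)
    apple_anchored: bool  # chain ends at Apple's root ("anchor apple generic")


def exact_cn_check(app: SignedApp) -> bool:
    """The style of check the post describes: one exact common-name string."""
    return (app.apple_anchored
            and app.identifier == BUNDLE_ID
            and app.leaf_cn == OLD_CN)


def team_id_check(app: SignedApp) -> bool:
    """Pin the team identifier, which does not change when the CN format does."""
    return (app.apple_anchored
            and app.identifier == BUNDLE_ID
            and app.leaf_ou == TEAM_ID)


def team_id_requirement(identifier: str, team_id: str) -> str:
    """The same pin written as a code requirement string."""
    return (f'anchor apple generic and identifier "{identifier}" '
            f'and certificate leaf[subject.OU] = "{team_id}"')


# Constructed samples: a build signed with the old certificate, a build signed
# with the renewed certificate, and a build signed by an unrelated team.
SAMPLES = {
    "old certificate": SignedApp(BUNDLE_ID, OLD_CN, TEAM_ID, True),
    "renewed certificate": SignedApp(BUNDLE_ID, NEW_CN, TEAM_ID, True),
    "other team": SignedApp(
        BUNDLE_ID, "Developer ID Application: Example Corp (EXAMPLE123)",
        "EXAMPLE123", True),
}


def compare() -> dict:
    """Return {label: (exact_cn_result, team_id_result)} for every sample."""
    return {label: (exact_cn_check(app), team_id_check(app))
            for label, app in SAMPLES.items()}


if __name__ == "__main__":
    for label, (by_cn, by_team) in compare().items():
        print(f"{label:20} exact CN: {by_cn!s:5}  team ID pin: {by_team}")
    print(team_id_requirement(BUNDLE_ID, TEAM_ID))
```

The exact-CN rule rejects the build signed with the renewed certificate, while the team-identifier pin accepts both of the vendor's builds and still rejects the other team's.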

Moving Forward and Heading Home

This was painful for everyone. We lost sleep over the weekend, but worse than that… our users temporarily lost access to some of their most important information. This is unacceptable to us and we want to make sure this doesn’t happen again.

We’ve reached out to Apple for help and guidance on what we can do to avoid this happening again in the future. Our new provisioning profile doesn’t expire until 2022, but we’ll make sure that this is resolved far before then so that you need not worry about that happening.

If you’re a developer of a Developer ID signed app, we recommend that you check to see if your app includes a provisioning profile. Since that’s mostly handled automatically by Xcode, it’s likely that there are apps out there whose developers aren’t even aware of the inclusion of the provisioning profile. Check the expiration date, and ensure that you release an updated build with an updated provisioning profile well before the expiration date is hit so your users have time to update.
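One way to run the check recommended above over a built app bundle, as an added example that is not part of the original post. It assumes the profile is stored as `embedded.provisionprofile` and carries an `ExpirationDate` key in its property list; the sample bundle, its names and its dates are constructed, and the CMS signature on the profile is not verified.

```python
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path

PROFILE_NAME = "embedded.provisionprofile"  # assumed file name inside macOS bundles


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML property list out of a provisioning profile.

    The profile is a signed container; this finds the plist payload by its
    markers and does not verify the signature, which is enough for an expiry
    audit of your own builds.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no property list found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_bundle(bundle: Path, now: datetime, warn_days: int = 180) -> list:
    """Report every profile in the bundle, including nested helper apps.

    `now` is a naive UTC datetime, matching what plistlib returns for dates.
    """
    findings = []
    for path in sorted(bundle.rglob(PROFILE_NAME)):
        info = extract_profile_plist(path.read_bytes())
        expires = info["ExpirationDate"]
        days_left = (expires - now).days
        if expires <= now:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append({
            "profile": str(path.relative_to(bundle)),
            "name": info.get("Name", ""),
            "team": info.get("TeamIdentifier", []),
            "expires": expires,
            "days_left": days_left,
            "status": status,
        })
    return findings


def build_sample_bundle(root: Path) -> Path:
    """Constructed sample: a main app with no profile and a login-item helper
    that embeds one, the layout the post describes for 1Password mini."""
    app = root / "Sample.app"
    helper = app / "Contents/Library/LoginItems/SampleHelper.app/Contents"
    helper.mkdir(parents=True)
    (app / "Contents/MacOS").mkdir(parents=True)
    payload = plistlib.dumps({
        "Name": "Sample Helper Developer ID",
        "TeamIdentifier": ["EXAMPLETEAM"],
        "ExpirationDate": datetime(2020, 3, 1, 12, 0, 0),
        "Entitlements": {
            "keychain-access-groups": ["EXAMPLETEAM.com.example.shared"],
        },
    })
    # Surround the plist with filler bytes to mimic the signed container.
    (helper / PROFILE_NAME).write_bytes(b"\x30\x82\x1f\x00" + payload + b"\x00\x00")
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_sample_bundle(Path(tmp))
        for f in audit_bundle(bundle, now=datetime(2020, 1, 1)):
            print(f"{f['status']:9} {f['days_left']:5}d  {f['expires']:%Y-%m-%d}  {f['profile']}")
```

Run as a release-pipeline step, a non-OK status can fail the build so that a refreshed profile ships well before the date is reached.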

We’ve also filed an enhancement request with Apple asking that developers be notified via email of impending distribution certificate or provisioning profile expirations with explanations of repercussions. This was filed as rdar://30631968.

If you have questions about any of this, please don’t hesitate to ask us in the comments below.

Love,
The 1Password Mac Team
❤️

P.S. Happy 5th Birthday to Gatekeeper! 🎂 We were one of the first apps to sign with Developer ID certificates, use XPC, and leverage the entitlements required for Touch ID. It’s always exciting being on the cutting edge of technology but we wouldn’t have it any other way. 🙂


  1. The exact same perfect storm appears to have caused our friends at Smile to hit the same rough seas that we had. You can see Adam Engst’s story in TidBITS for details on how this affected PDFPen.
  2. The Common Name is the subject.CN part of the security requirement. As our Chief Defender of the Dark Arts often says of Common Names: they are often very uncommon. The name is inherited from older identity management systems. I don’t need to say much more as Jeff loves explaining things, so let’s all sit back and watch what he says in his comment that I’m sure he’ll be adding soon.

Secure Your Whole Family with Our Special Family Day Special!

Happy Family Day week, everyone!

Every year around Valentine’s Day we celebrate Family Day here in Canada. It’s a wonderful chance to spend some extra time with our families and harvest maple syrup. 🍁

And with the turkey hangover from the holidays long gone, it’s a great time to cook up a lovely family feast. After all, it’s important to keep our weight up so we can stay warm during the cold winter 🙂

No family gathering would be complete without our customers so we wanted to do something special for you and your family. So from our family to yours, we’re having a special 1Password Families celebration!

Special Family Day Special!

We introduced 1Password Families exactly one year ago today and it’s been awesome to see all the families who have signed up.

With 1Password Families, everyone in your entire family gets the security and convenience of 1Password. This includes free upgrades and access to 1Password everywhere, including Mac, Windows, iOS, and Android. And you get all of this for only $5 a month for a family of 5.

I was trying to decide how to make this even more special for our Special Family Day Special and I thought of the perfect thing. While inviting my family over for dinner I realized that 5 people is not always enough.

To celebrate Family Day, everyone who signs up their family this week will get an additional 5 family members for free! You can start by signing up here:

Special Family Day Special

Oh, and by the way, we’re also throwing in twice the storage! If you like ham and maple syrup as much as I do, you’ll wish your jeans had as much storage space as your 1Password account! 😉

What is 1Password Families?

Quite simply, 1Password Families is the best way to protect your entire family. With your membership everyone in your family gets everything they need to stay safe online and preserve their privacy, including:

  • Their own vault for storing their personal items and passwords
  • All the 1Password apps, including Mac, Windows, iOS, and Android
  • Free upgrades to every new version
  • Item History for restoring accidentally deleted or changed items
  • 2 GB of Secure Document storage (doubled from 1 GB)

And since we take care of everything for you, every account has built-in data loss protection. There’s no need to worry about losing everything to accidental file deletion or leaving your laptop in the oven[1].

As great as these benefits are, where 1Password Families really shines is how it allows you to work together as a family. Together your family can:

  • Invite additional family members quickly and easily
  • Create additional vaults to keep things organized
  • Share passwords & documents with each other securely
  • Manage exactly who can see and modify individual vault contents
  • Restore access for locked out family members using Account Recovery

These features allow you to be stronger together, just like any loving family.

As you can see, 1Password Families really is the best way to use 1Password with your entire family. And you don’t all need to live in the same household to enjoy these benefits. As great as having family over can be, it’s also nice to have your own space. 🙂

To get all these features and start protecting your entire family, sign up here:

Sign Up Now

Oh, and if you’re already using 1Password, you can easily move your existing items into your new 1Password Families account, so there’s no need to worry there.

Whether you celebrate Family Day or not, take care and have a wonderful week with your family. And don’t forget the maple syrup.

🇨🇦 ❤️


  1. True story. My friend thought the oven was a great place to hide their laptop. It was found after preheating the oven. 

1Password for Mac 6.5.5: Manual update required

tl;dr

As a result of an expired provisioning profile and format change in the developer certificate, customers who downloaded 1Password for Mac directly from our site will need to manually update to the latest version. Those using 1Password from the Mac App Store are not affected.

For those who are interested, here are the events that conspired against us to make for an interesting Family Day weekend…

Fire at the office

I was out at the gym yesterday when I received a call from my wife. I thought she was calling about our belated Valentine’s dinner we had planned. Instead she rather alarmingly told me that “Sara called and said there is a fire at the office”.

Rushing home, I was expecting to hear that the hammocks and standing desks had gone up in flames. (Happily our servers are all virtual so I wasn’t too concerned). The “fire at the office” turned out to be a fire with 1Password for Mac. Customers were getting an error message when trying to start 1Password!

Unable to start 1Password

I urgently gathered our Mac team who were enjoying their holiday weekend to figure out what happened. We quickly recreated the issue and found this error in the logs: Binary is improperly signed. This seemed very strange to me as this version was released back in 2016.

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that’s not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

New certificate, new format

We renewed our certificate and released 1Password 6.5.4 thinking all would be well. And that’s when the other shoe dropped. When we created the new certificate it had a new format for the Common Name.

While this sounds like an inconsequential change, our built-in installer goes to great lengths to validate that every 1Password update is actually 1Password. Since our installer did not recognize the new certificate format it refused to update.

No problem can’t be solved without yet another build, so we created 1Password 6.5.5 😀

Long story short, 1Password 6.5.5 is now available and solves all these problems. The only catch is it requires you to install it manually.

Moving forward

As you might imagine, we have a whole new level of understanding of the importance of expiring provisioning profiles and certificates. Our new certificate expires in 2022 but I can guarantee you we will be renewing it far before then.

I do apologize for the inconvenience and extra work that this will cause you. I am sure you had better things to do on your long weekend too. If you have any problems with this update please let us know.

I also want to take a quick moment to say “Thank You”. The understanding that I’ve seen from the 1Password community is overwhelming. You never cease to amaze me. It has truly been a humbling experience.

Having spent all Saturday fighting this fire, I still owe Brenda the dinner we were supposed to have had. After missing Valentine’s Day dinners two weeks in a row, I kind of wish the actual office had been on fire 😉

The Today Show ❤️ 1Password 🎉

We are having a little party over here at 1Password today, as 2017 has started with an awesome endorsement from The Today Show’s digital lifestyle expert Mario Armstrong!

In a roundup of the coolest apps to have in 2017, Mario includes us as the first app mentioned. He talks about how he personally uses 1Password to secure his digital life, and goes on to recommend 1Password to TODAY viewers.

The Today Show is the longest running breakfast show in the world and has over 4.3 million viewers a week, so we are really happy that so many people had the chance to find out about 1Password and can begin securing their digital lives!

Mario’s favourite features!

“The 1Password you need to remember”

With 1Password you only ever need to remember… one password.

All your other passwords and important information are protected behind your Master Password, which only you know.

“1Password remembers everything for you”

Don’t forget your passwords. Or your bank account routing number. Or the alarm code for your house. 1Password safely keeps track of them all.

Store everything from online accounts to social security numbers.

“Heavy encryption right here”

Every time you use 1Password, your data is encrypted before a single byte ever leaves your devices. Your encryption keys are protected by your Master Password, so only you have the keys to unlock your secrets.

But wait, there’s more!

Mario mentioned some of his favourite features, but here are the other things he didn’t have time to mention when he was recommending 1Password on The Today Show:

  • All the apps on all your devices. Whether you use 1Password on Mac, Windows, iOS or Android, we have you covered. Your data comes everywhere with you, on whichever device you are using.
  • Store everything. 1Password isn’t just for passwords. Use it to securely store your credit cards, passports, important documents – anything at all!
  • Secure the future! 1Password isn’t just about your existing passwords. Our strong password generator means that every new password needed can be super secure, and super easy to access.
  • Restore previous versions of items. If you accidentally changed or deleted an item, you can restore it on 1Password.com.
  • The most secure password manager available. There has never been a more secure way for you to store and access your passwords. Learn more about how 1Password protects your data.
  • Your data is yours. With 1Password, you are always in control. You can always view and export your data at any time.
  • Options for Individuals, Families and Teams. Easily share passwords with your family or team members, create vaults for your mum, dad, kids, gran – even the dog!

Mario wants you to be secure!

Mario uses 1Password to secure his digital life, and so can you! Find the version of 1Password that suits you best and sign up for a 30-day trial at 1Password.com.

Our Security, Our Rights

Every day it feels like our rights to privacy and security are under attack, and indeed, if you’re keeping up with the news, this is a lot more than just a feeling.

Governments and law enforcement agencies around the world are pushing hard for new powers to keep tabs on their citizens. They argue they require the ability to track your activities and access your private information in order to protect you. And they’re willing to weaken encryption for everyone to do so.

We’ve already seen this happen in the UK with their newly passed laws that grant the government unprecedented surveillance powers, and as James Vincent so eloquently states there, the new laws establish a dangerous new norm where surveillance is seen as the baseline for a peaceful society.

Laws like these in the UK are likely to spread to other countries if citizens don’t take a stand. Indeed these laws could end up appearing tame by future standards if we’re not vigilant.

As tempting as it is to give the government more powers to nab the bad people before crimes have even been committed, history has proven time and again that these broader powers are most often used against law-abiding citizens rather than criminals themselves.

It’s possible laws like these will find their way into Canada as well so I’m asking for your help to send a clear message to our ministers before the ball starts rolling in that direction.

Since September Public Safety Canada has been holding a Consultation on National Security to prompt discussion and debate on future policy changes. Feedback is accepted from all Canadians as well as international readers, so everyone is welcome to contribute.

The set of questions and discussion points is quite broad but the one that’s most important to 1Password users is Investigative Capabilities in a Digital World, particularly this question:

How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?

Or said another way, how can the government institute a backdoor into encryption software that only they can exploit? It sounds simple but in fact it’s simply not possible. As we discussed previously on this blog, back doors are bad for security architecture, and when back doors go bad: mind your Ps and Qs covers an example of a backdoor that went awry along with the math that made it possible.

Please complete the survey and let the Canadian government know you’re not willing to weaken your security or give up your privacy. The opportunity to provide feedback ends on Thursday, December 15th.

I know it’s tempting to give up some freedoms to allow someone else to protect you, but whenever I feel that way I remind myself of what Benjamin Franklin would say:

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

Please forgive a Canadian for quoting one of America’s founding fathers, but Ben summed things up so well that I couldn’t resist. 🙂

Thanks for caring about privacy and security as much as we do ❤️

Having fun with Touch ID and the Touch Bar in 1Password

Yesterday was the special Apple event and all activity at AgileBits stopped as our entire team watched the live stream to see what goodies would be coming our way. For me, the most exciting news by far was the announcement of the new MacBook Pro with its amazing Touch Bar and Touch ID.

I remember how excited I was at the Apple developers conference when they first added Touch ID to iOS 8. I rushed back to the hotel, Xcode beta in hand, and added Touch ID to 1Password that very night. The joy of seeing 1Password unlock with just a tap was overwhelming.

Well, here I am again with that exact same feeling 🙂

Now that the new MacBook Pros have Touch ID we can bring that same great feeling you are used to on iPhone to your Mac, and it looks pretty darn cool too. Take a look for yourself and see!

As stunning as it looks in the Xcode simulator on my soon-to-be-obsolete late 2013, 15” 2.3 GHz Retina MacBook Pro, I can’t wait until my new Mac arrives so I can use it for real.

Oh, and then there’s the new Touch Bar. Wow! I was really excited seeing Phil demo this. The Touch Bar introduces a brand new world to the Mac and with it comes some wonderful opportunities to make 1Password even better. Dan, our designer extraordinaire, has begun to explore what the Touch Bar can bring to 1Password and I’d like to share some early designs.

Touch Bar for 1Password

What Dan has come up with is really exciting and I can’t wait to play with it. I think that switching between my work and home vaults with just a tap is going to be the most awesome, although sliding my finger across the Touch Bar to generate a strong password comes in a close second.

The possibilities with the Touch Bar are limitless and I am excited to hear how you see yourself using the new Touch Bar with 1Password.

Please share your thoughts in the comments below ❤️

Send in the crowds (to hunt for bugs)

We unequivocally encourage security researchers to poke around 1Password. It is an extremely important part of the process that helps us deliver and maintain a more secure product to everyone. Finding and reporting potential security vulnerabilities is what we should all expect from bug hunters around the world; the hunters and you should expect that we address those vulnerabilities promptly.

We have always welcomed security reports that arrive at security@agilebits.com, and over most of the past year we offered a more formal, invitation-only bug bounty program through Bugcrowd. We are pleased to now take that program public: https://bugcrowd.com/agilebits.

Before I get into what the program offers, I’d like to remind you that there is always room to improve the security of any complicated system, 1Password included. As clever as we may think we are, there will be security issues that we miss and different perspectives help reveal them. Software updates that address security issues are part of a healthy product. This, by the way, is why it is important to always keep your systems and software up to date. Even in the complete (and unlikely) absence of software bugs, threats change over time, and defenses should try to stay ahead of the game.

Some words about Bounty

A bug bounty program offers payouts for different sorts of bugs. The first bug bounty that I recall seeing was Donald Knuth’s for the TeX typesetting system, though I have since learned that he does this for most of his books and programs. It started out with $2.56 (256 US cents) for the first year, and doubled each year after that, reaching a final limit of $327.68.

A bounty check from Donald Knuth made out to Richard Kinch

Of course given Donald Knuth’s well-deserved fame and reputation, few people cashed the checks they received. Instead, they framed them.

Anyway, enough about me revealing my age. Let’s talk about today’s bug bounty program. There is a community of people who earn a portion of their income from bounties. (Whether or not it is enough for them to sail off to Tahiti or Pitcairn is not something I know.) Over the years they have developed skills and tools and scripts for examining systems. We want them to apply those skills and efforts testing the security of 1Password. Opening up this bug bounty program brings those people and their skills into the process of making 1Password more secure.

Our bounty

Unlike the example of Donald Knuth’s bug bounty, we are only offering payouts for security issues. Of course all bug reports are welcome; we just aren’t promising bounties for them. And because we are promising to pay for bugs, we’ve had to establish a bunch of rules about what counts. These rules help us draw the attention of researchers to the 1Password.com service, and they help us exclude payouts of things that are already known and documented. We don’t want those rules to discourage anyone from bug hunting; they are there to help focus attention on what should be the most fruitful for everyone.

1Password Security white paper cover

Your homework

We think that finding bugs in 1Password will be challenging — 1Password.com is not your typical web service. Our authentication system, for example, is highly unusual and specifically designed so we are never in a position to learn any of our customers’ secrets. Because we use end-to-end encryption, getting hold of user secrets may require breaking not just authentication but also cryptography. Of course, we’re inviting researchers to try out attacks that we haven’t considered to prove us wrong. I expect that successful bug hunters will need to do their homework, all the same.

Now, all that bragging about how challenging I think it’ll be to find serious issues with 1Password isn’t an attempt to stop people from trying — get out there and try! You can get bounty for it, and a thank-you as well. We’re excited to hear a resounding “challenge accepted!” from the research community.

How we help researchers

If there are security bugs, we want to know about them so we can fix them. (I know I keep repeating that point, but not everyone reading this is familiar with why we might invite people to look for security bugs.) We want to help researchers find bugs, because they’re helping us, and everyone who uses 1Password.

To help researchers understand and navigate 1Password (and reduce the amount of time they may need to reverse engineer protocols) we have set up a special 1Password Team that contains a bunch of goodies: internal documentation on our APIs, some specific challenges, and UUIDs and locations of items involved in some of the challenges. So researchers, please come and leave your mark on our Graffiti Wall. (No, not in this web page or the image below, the wall inside the aforementioned team account.)

Secure Note: "The Researchers vault grants read-only access to researchers. If you figure out how to get around read-only access, please put your name in here ..."

With a natural degree of trepidation, I look forward to what might appear there.

The kindness of strangers

A bug bounty program brings in a new group of researchers. And that’s why we’re launching it. We encourage independent research as well. We’re just as open to reports of security issues outside of the bug bounty program as we have always been.

So without further ado, let’s send in the crowds!

Hello, macOS Sierra!

Once a year, we are graced with the release of a new operating system for our Macs. It’s an exciting time for users as much as developers. This year, there were quite a few changes to Apple’s desktop OS, and the most noticeable one at first glance is the name: It’s now macOS. I’ve been using Macs since I convinced my parents to help me get one for college in 2008, and nothing has been the same. I’ll miss OS X, but I’m excited to spend at least 8 years with macOS.

The first release under this new name is a step in the right direction. I always love attention to detail, and the web team at Apple put a lot into the new macOS page. There’s really nothing like a bit of transform3d with a mountain range I grew up in.

Copy something and paste it on another device

I asked the team what their favorite features in macOS Sierra were, and Universal Clipboard was at the top of their list. Over the years, apps that provide a clipboard across multiple devices have come and gone. It’s great to see Apple implement their own solution right in the OS. With Sierra and iOS 10, copying something on your Mac will also add it to your iPad and iPhone’s clipboards so you can paste it on those devices, and vice versa.

This can be handy for bits of information, and also for passwords. If you copy a password from 1Password on your Mac, it will be available to paste on your iPhone almost immediately, which makes signing in to the App Store or iTunes spontaneously using your strong password even faster. Now the password can be pasted on your iPhone without opening 1Password on your iPhone.

Since Universal Clipboard requires both devices to use the same iCloud account, security of the clipboard contents comes to mind. Andrew Cunningham and Lee Hutchinson over at Ars Technica wrote an in-depth review of macOS Sierra and its new features and they explain, “Though both of your devices need to be signed in to the same iCloud account to trust each other, your data never appears to touch Apple’s servers—like Handoff, all communication is local.” It doesn’t require an active internet connection to work, but it does require that both Wi-Fi and Bluetooth are enabled on each device.

Pretty great, eh? Learn how to copy and paste between devices with Universal Clipboard.

Unlock your Mac with Apple Watch

If you have an Apple Watch, you’re probably wearing it while you read this. Your iPhone can unlock your Watch, but what if your Watch could unlock your Mac? In macOS Sierra, it can. I spend a bit of time in cafes with my MacBook, and because I’m wearing a Watch I follow its orders and stand when I’m told. Since my MacBook is on battery power, it falls asleep and locks. Now my Watch can unlock my Mac automatically when I’m near it and wake it up. Who knew time-of-flight positioning was a byword for magic?

And many other things

If you use Siri often, you’ll be happy to see it on your Mac as well. There’s now a Siri icon in the menu bar and Dock, and clicking it activates the unique personal assistant. It can find files, help you spell things, find out the weather, help manage your calendar, and all sorts of other things.

Apple has a dedicated page to all the new features in macOS Sierra, and as I mentioned earlier, it’s awesome: http://www.apple.com/macos/sierra/

1Password + macOS Sierra = happyDance

Oh yeah, 1Password loves the new update too. Near the same time macOS Sierra was released, we also published an update to 1Password for Mac, and it’s fully compatible — if you notice any peculiar behavior, let us know.

It’s been a busy summer for me so I didn’t get a chance to try out the betas over the past few months. Yesterday was my first day with macOS Sierra and I’m excited to explore a bit and find some of the hidden features all the reviews I read missed!

If you haven’t upgraded already, now’s a great time! After upgrading be sure to check out the New to Mac welcome pages Apple created. Whether you’re new to Mac or have used it for a while, I think you’ll appreciate the spectacular introduction to its core features. And best of all, 1Password makes a cameo appearance in the App Store section! We’re very honored to be included here as well as selected by Apple in their Our Favorite Mac Apps section of the App Store.

I hope you all enjoy the new macOS! Let us know what your favorite features are in the comments. :)

1Password new hosted service featured image

Introducing our new 1Password subscription service — get 6 months free!

Today is a very exciting day in the world of passwords! We have not one, not two, but three(!) incredible things to announce:

  1. An awesome new state-of-the-art hosted service to protect you and your data
  2. The most affordable way to purchase 1Password on all your devices
  3. A launch special that’s so amazing it’s kinda scary

Read on to see why this is the best time to try 1Password and start protecting yourself online. 🎉

A new, revolutionary hosted service

Earlier this year, we released two amazing new services: 1Password Families and 1Password Teams. Both rely on our new hosted platform to bring awesome new features that weren’t possible when 1Password was just a standalone app.

The response has been amazing and many of you asked for a special plan so you could also enjoy these benefits. We now have the perfect answer: our new service made for individuals!

Our new individual hosted service comes with everything you expect from 1Password, along with these new features:

  • Built-in automatic sync across all devices
  • Data loss protection
  • Web access to your data on 1Password.com
  • Item History for restoring deleted or changed items
  • Secure Document storage
  • Brand new multi-factor security model

Using our new service provides the simplest and most feature-packed way to use 1Password. And with our new purchase option, it’s easier than ever to get started.

Our new super-affordable plan

To get the benefits of our new hosted service, you simply need to subscribe to our new plan on 1Password.com.

In addition to all the new features, the biggest benefit of a 1Password subscription is that you get all the 1Password apps for every platform, along with Pro Features, free updates, and free upgrades to every new version of 1Password.

One of the things people love most about our Families and Teams plans is not needing to worry about licenses or paid upgrades. And with our new plan for individuals, everyone can get in on the fun.

At just $2.99 a month, it’s the simplest and most affordable way to start using 1Password. See our pricing page for full details.

Oh, and our subscription service will never lock you in! You can cancel at any time and if your subscription ever lapses, you will still be able to view and export all your data.

An amazing (and scary!) launch special

1Password Accounts launch special

It’s no fun having a launch without having a special launch special so we went looking for one and we found a doozy!

Sign up today and receive your first 6 months free! No ifs, ands, or buts (or ads!). There’s no fine print and no strings attached. You don’t even need to add your credit card to get this amazing deal!

To get in on this incredible deal, all you need to do is sign up for an individual 1Password account before September 21st, 2016.

Sign up for your 1Password account now

Given how excited we are, you might be wondering why this is a little bit scary for us as well. The thing is, we’re a 100% customer-funded company and have refused to accept any venture capital money. As such it’s scary to give away our one and only product.

But we’re more excited than scared as we really want everyone to try out our new service and see how awesome it is. So sign up now, before Fall falls 😉

Security and Privacy

Secure Foundation

We built 1Password from the start on a foundation of Security and Privacy, and our new 1Password accounts have once again taken things to the next level.

First and foremost, our end-to-end encryption security model ensures all your information is encrypted before it ever leaves your device. The encryption keys are only accessible to you so we are never able to decrypt any of your data.

Your Master Password (which only you know) is a key player in this encryption, but 1Password accounts also come with a new concept called the Account Key to make our encryption even stronger.

The Account Key is a randomly generated 128-bit key that is used in combination with your Master Password to encrypt your data using tamper-proof, authenticated 256-bit AES encryption.

Only you have your Account Key and like your Master Password it never leaves your devices. Along with your Master Password this ensures that no one but you will be able to access your 1Password data.
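To make the idea of combining the two secrets concrete, here is an added example that is not 1Password's own code and not taken from this post. It assumes one possible construction (PBKDF2 for the password, HKDF for the 128-bit secret, XOR of the two), with a hypothetical round count, labels and verifier, and shows that a stolen copy of server-side data cannot be tested against password guesses without the second secret.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor, chosen for this example only


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Combine a memorized password and a 128-bit random secret into a 256-bit key."""
    if len(account_key) != 16:
        raise ValueError("account key must be 128 bits (16 bytes)")
    # Slow hash of the human-chosen secret.
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32
    )
    # Stretch the random secret to the same length (label is hypothetical).
    ak_part = hkdf_sha256(account_key, salt, b"example account key")
    # XOR: the result cannot be computed unless both inputs are known.
    return bytes(a ^ b for a, b in zip(pw_part, ak_part))


def verifier(key: bytes) -> bytes:
    """Stand-in for 'this key decrypts the data': a MAC over a fixed label."""
    return hmac.new(key, b"example verifier", hashlib.sha256).digest()


def guess_password(target: bytes, salt: bytes, account_key: bytes, wordlist):
    """Offline guessing: return the password whose derived key matches, else None."""
    for candidate in wordlist:
        key = derive_key(candidate, account_key, salt)
        if hmac.compare_digest(verifier(key), target):
            return candidate
    return None


def demo():
    salt = secrets.token_bytes(16)
    real_account_key = secrets.token_bytes(16)  # stays on the user's devices
    target = verifier(derive_key("correct horse", real_account_key, salt))
    wordlist = ["password1", "correct horse", "letmein"]  # constructed sample guesses
    with_key = guess_password(target, salt, real_account_key, wordlist)
    without_key = guess_password(target, salt, secrets.token_bytes(16), wordlist)
    return with_key, without_key


if __name__ == "__main__":
    print(demo())
```

Even though the wordlist contains the right password, the second search fails because each guess is combined with the wrong 128-bit secret.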

See our security page for details and all the things we did beyond just enabling TLS/SSL (we did that, too, by the way 😉).

Great for new and long-time users alike

1Password Accounts - great for new and long-time users alike

If you know anyone who’s not practicing safe passwords, now is a great time to introduce them to 1Password!

Simply link your friends to the signup page and gently remind them how important it is to use strong, unique passwords for every site:

Sign up now and get 6 months free

If you are a long-time user but don’t own 1Password for all your devices, haven’t upgraded to the newest version, or if you want to take advantage of the new features in our hosted service, now’s the perfect time to sign up.

After signing up you’ll be able to easily migrate your existing data over to your new 1Password account. We have a great guide along with a video that walks you through the process.

This launch special is too good to leave running for long so I needed to pick a cutoff date. Be sure to sign up before September 21st to get this awesome deal!

I hope you and your friends love our new 1Password hosted service as much as we loved making it for you. 😘