1Password 7 for Windows is here!

1Password 7 for Windows: The Best Ever

Hot on the heels of last week’s 1Password 7 for Mac announcement, I’m pleased as punch to unveil the best version of 1Password for Windows ever: 1Password 7 for Windows is here! 🎉 👏

This is a massive release where quite literally everything has changed. Seriously, every bit and every pixel has been recreated from scratch using the latest and greatest technologies to make 1Password the best it can be.

From an incredible new design to having all your vaults in one place to a whole new architecture, 1Password 7 is the fastest, prettiest, and most powerful version of 1Password yet. In short, it’s simply the best. A bold claim but thankfully we can back it up. 😎

All new modern design

Our design team has been working their tails off reimagining every aspect of 1Password. We wanted to make it as powerful and beautiful as the Mac app while staying true to the Windows platform.

It all added up to a breathtaking new design that you’re going to love. And it all starts with the lock screen.

The steel doors look great and also symbolize the strong encryption that protects your data. And to would-be attackers, our encryption design is far more secure than the strongest steel.

Once you unlock 1Password with your Master Password (or Windows Hello), you’ll be delighted by the stunning new layout protected behind those doors.

Beautiful! 😍

Everything has changed and not a single element of the design has been left untouched. Yet the heart and soul of 1Password remain, so you’re able to jump right in and find everything you need.

Your items have never looked better and with full support for time-based one-time passwords, logins really shine. They look so good that you’ll find yourself happily waiting for a new 2FA code simply so you can watch the countdown animation. 🙂

You can also zoom right in on the password using Large Type. This is perfect for those times you need to type it on another device or are asked for specific characters from your password.

Our new highlight feature while searching makes finding what you’re looking for super easy. And with the addition of search power-ups like title:, tag:, and file:, it’s never been easier to discover what you’re looking for.

And when you prefer to browse, the sidebar is great for navigating between your categories and tags. Along with support for nested tags you can take things to a whole new level by organizing your organization. 😉

Oh and the sidebar gets even better as your vaults live there, too.

All your vaults, all in one place

There’s more to the sidebar than meets the eye. Sitting just beneath the surface is a powerful new way to organize and securely share your items.

Simply click on the sidebar header and your categories will slide away, revealing your collection of vaults. Vaults allow you to group your items depending on their purpose and who needs access to them.

Vaults are so nice that you’ll find yourself adding lots of them. Between my AgileBits business and Teare family accounts, I now have over 50 vaults. Being able to switch between vaults and accounts makes it super simple to stay focused on the task at hand.

Together with a 1Password Families or 1Password Business account, vaults can be used to securely share passwords with your family and colleagues. Simply sign in to 1Password.com and choose who you want to share with and 1Password will do the rest.

My favourite part of sharing passwords this way is the ability to control everyone’s permissions, including making passwords read-only. For those with edit access, changes they make will be seen by everyone else right away.

1Password mini is always by your side

The new awesome carries over into 1Password mini as well, yielding a more powerful and beautiful experience. When you’re on a website and need to login, 1Password mini makes it super easy.

Selecting a login will automatically fill your username and password for you. And if you have two-factor enabled, the one-time password will be automatically copied to your clipboard so you have everything you need right at your Ctrl-V fingertips.

1Password mini will also help you create new logins. When you sign up for a new service or log in for the first time, 1Password mini will jump in and offer to save it for you.

In addition to naming your new login and assigning tags, you can also choose which vault to save it to. This is great for keeping things organized as well as choosing who to share with.

And if a website has been breached, mini will alert you so you know that you need to update the password.

Oh and then there’s also Open and Fill which automatically opens websites and fills passwords for you. When combined with the search and organization features of 1Password mini, it’s perfect for bookmarking your favourite sites.

Designed for everybody

We wanted to create 1Password 7 for everybody and be as inclusive as possible. That started with allowing you to sync your vaults yourself as well as using 1Password accounts on 1Password.com, 1Password.ca, and 1Password.eu.

1Password also speaks your language and has been localized to Français, Deutsch, Italiano, 日本語, 한국어, Português, Русский, 简体中文, 繁體中文, and Español.

Being able to use 1Password in your language is great and it’s even better on High-DPI displays. 1Password 7 has full support for HiDPI in Windows 10 so it looks incredible on 4K monitors and other high density screens.

And for those of you who rely on assistive technologies, rest assured that 1Password 7 is fully accessible with out-of-the-box support for screen readers like Narrator.

Why hello there, Windows Hello

We also added support for Windows Hello so you can unlock 1Password using your fingerprint or simply your smile. This works great in the main app as well as in mini.

I love the “looking for you” animation with the eye looking back and forth, and can’t help but grin when I’m greeted with a smiling face along with the “Hello, dave!” message. 🙂

As for security, your data is protected by your Master Password as always. To keep things as secure as possible, the first time you unlock you will need to provide your Master Password and then Windows Hello will be able to unlock 1Password thereafter.

Strong foundations

1Password 7 is a completely new modern app built from the ground up to use the latest and greatest technologies available. This gave us a strong foundation and allowed us to push the envelope to make 1Password the best it could be.

In addition to fundamental enhancements like HiDPI and Unicode support, 1Password 7 comes with a whole new database layer that enabled us to make everything much, much, much faster.

And if you’re moving over to our new 1Password memberships, syncing your data is more secure than ever. With the addition of a Secret Key, Secure Remote Password, and Galois/Counter Mode, your data has never been safer. Oh, and to top things off, the speed and reliability are simply unparalleled.

All of these changes combine into the fastest, most secure, and best looking 1Password experience on Windows ever! Long story short: you’re in for an amazing treat! 🍪

How do I get it?

To start enjoying the best version of 1Password ever built, grab it here:

Download 1Password 7

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many PCs as you have. 1Password 7 for Mac is a separate purchase.

I hope you enjoy 1Password 7 as much as we enjoyed making it for you. We couldn’t have done it without your help. ❤

Please join us in our discussion forums or in the comments below to share your experiences with us and help craft the future of 1Password. We always love hearing from you. 😘

Dave Teare Founder of AgileBits

1Password 7 for Mac: The Best Ever

Today is a momentous day! It’s time to take the wraps off something incredible that changes the world as we know it: 1Password 7 for Mac is here! 🎉🙌

There’s a ton of amazing features packed into this release and I couldn’t stop myself from writing a lot about them. If you’d like to start rocking right away, feel free to jump ahead and download 1Password 7 now. For everyone else, it’s my distinct pleasure to share with you the awesome that is 1Password 7.

Marvellous mini

1Password mini is how most of us use 1Password on a daily basis and for version 7 we wanted to make that experience the best it could be.

1Password mini has been completely reimagined and comes with so many features that we needed to give it its own window. When you bring up mini you’ll find it waiting for you with an incredibly powerful and beautiful new look.

While in your browser, mini will automatically suggest the items you’re most likely to need. Select the login you want to sign in with and 1Password will do the rest.

And mini doesn’t limit itself to just browsers. With our new app integration we’ll automatically suggest logins for the current app you’re using. Along with support for drag and drop, this is a real game changer.

You can also make edits, move items between vaults, and even add documents – all without ever leaving mini. Soon you’ll wonder how you ever lived without it. 🙂

Beautiful, bold design

The beauty you’ll find in mini continues throughout the rest of 1Password as well. It all starts with the newly designed lock screen and it looks incredible, especially with Touch ID.

As great as those vault doors look, they pale in comparison to what lies secured behind them.

The first thing that grabs you is the stunning new sidebar. It draws you in with its bold dark theme and delights you with its simplicity.

The new sidebar looks great without being overpowering and the high contrast between it and your content allows your eyes to focus on what’s most important: your items.

Detailing your items

Your items are able to join in on the fun as well with a new design and some lovely new touches. Each of your items now prominently shows which vault it belongs to and has its most important information highlighted.

If you caught yourself yelling What Are Those?! when looking at the formatted notes field, you’re not alone. You can now give your notes richly formatted text using Markdown! 🎉

Along with the improved layout and typography, we’ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely Courier Prime).

Alan Dague-Greene is the creative genius behind this font and it makes large type passwords look absolutely incredible.

Speaking of incredible, when you combine our new custom font with Markdown support, Secure Notes are now at an entirely new level of awesome.

Once you start using Markdown in your notes you’ll find yourself wanting to create a lot of them. And when you do, you can keep your notes and items organized using tags. You can even use nested tags if you want to be fancy.

Oh and if you need to copy fields between items or into another app, you can detach the item details view into its own separate window by clicking the button in the toolbar. This is incredibly useful although to be honest I often find myself clicking it for no other reason than to see the lovely animation. 🙂

Watching out for you

1Password 7 is doubling down on how it keeps you safe online. We have bundled together a suite of security tools that notify you of breaches, warn you of bad habits, and highlight vulnerable passwords. We call it Watchtower and it’s amazing.

Watchtower integrates with Troy Hunt’s haveibeenpwned.com service to see if any of your logins are vulnerable. 1Password securely checks your items against a collection of breached passwords (over 500 million and counting) and notifies you to change them.

And thanks to twofactorauth.org, Watchtower also knows which websites support two factor authentication and will alert you when it finds logins without 2FA enabled.

Watchtower will also alert you to logins that are using an insecure (HTTP) website address, weak passwords, and horror of horrors, reused passwords (seriously, don’t do that!). And finally it’ll even warn you if your credit cards or passports are expiring soon so you don’t miss out on your vacation. 😎

Organize & securely share your items

Let’s get back to that sidebar because there’s more there than meets the eye. Sitting just beneath the surface is a powerful new way to organize and securely share your items.

Simply click on the sidebar header and your categories will slide away, revealing your collection of vaults. Vaults allow you to group your items depending on their purpose and who needs access to them.

You can drag and drop items between vaults and even between accounts. Or, drop your items on the New Vault button and a new vault will be created for you right then and there. It’s so simple it’s like magic.

Once you have your new vault created, sharing it with your team or family couldn’t be easier. Select who you want to have access to your vault and 1Password will do the rest.

Best of all, any updates to the items appear automatically for everyone. It’s easier to share securely with 1Password than being insecure without it. 💪

Strong foundations

Along with all these new features and improvements, a lot of heavy lifting took place to make 1Password 7 faster and secure-er than ever.

It all began by combining 1Password and 1Password mini into a single process. This made items faster to load, reduced memory usage, and decreased launch times. The overall performance boosts made us smile as soon as we saw them and we think they’ll make you smile, too.

Also new in 1Password 7, we’ve taken advantage of Apple’s Secure Enclave to protect your Master Password when Touch ID is enabled. This is incredibly cool because the keys used for encryption are protected by the hardware and not accessible to other programs or the operating system.

And if you’re moving over to our new 1Password memberships, syncing your data is more secure than ever. With the addition of a Secret Key, Secure Remote Password, and Galois/Counter Mode, your data has never been safer. And the speed and reliability are simply unparalleled.

And so much much much more!

I told you at the beginning that I was going to write a lot about 1Password 7 and I could keep going. But in the interest of getting you into 1Password 7 sooner, I’m curtailing the rest into this fancy bulleted list!

  • Collapse the sidebar entirely so your items get all the love
  • Quickly find items with our new Spotlight integration
  • Use Handoff to view iOS items right from your Dock
  • Easily see your currently selected vault and account
  • Marvel at the monogrammed icons for tags and logins
  • Edit your vaults directly from the sidebar
  • Enjoy the new password strength meter
  • Remove duplicate items on a per-vault basis
  • Jump to items and vaults with ease using Quick Open
  • Opt in to automatic updates so you can always enjoy the latest and greatest 1Password has to offer

How do I get it?

To start enjoying the best version of 1Password ever built, grab it here:

Download 1Password 7

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many Macs as you have. 1Password 7 for Windows will be released next week as a separate purchase.

I hope you enjoy 1Password 7 as much as we enjoyed making it for you! We couldn’t have done it without your help. ❤

Please join us in our discussion forums or in the comments below to share your experiences with us and help craft the future of 1Password. We always love hearing from you. 😘

Dave Teare Founder of AgileBits

1Password at Google I/O

Just over a week ago, I was incredibly lucky to attend Google’s annual developer conference at the Shoreline Amphitheatre in Mountain View. I always look forward to this event because it showcases the latest and greatest technologies coming to Google’s platforms. And to make things even better, I was joined by Gene, Peri, Shiner and Michael – our largest group at I/O yet!

Google I/O 2018

After grabbing coffee and snacks, we took our seats and eagerly waited for the keynote to begin. Sundar Pichai opened the conference by revisiting the most pressing issue of last year: the hamburger and beer emoji fiasco! With the cheese now in the right place, he continued with the keynote and introduced one of the main themes of the conference: leveraging machine learning to solve both simple and complex problems in our daily lives.

The improvements to the Google Assistant such as “continued conversations” and the new voices are fantastic. I do worry that I may fall back asleep if John Legend’s soothing voice reads my daily briefing each morning! The Duplex demo was just incredible and I am amazed at how the Assistant was able to understand and deliver natural language conversations over the phone. I’ve shown the video to all of my family members… maybe even scared them a bit. But don’t worry mom, I promise it will be the real me calling. 😉

Android P (Popsicle?)

It wouldn’t be Google I/O without a strong focus on the next version of Android. Immediately after they announced the Android P beta, I installed it on my Pixel 2 XL and revelled in the beautiful controls, typography, and roundedness of its design. Android P is all about intelligently analyzing and adapting to our usage patterns. This is being used to drive powerful features such as the new Digital Wellbeing. I’m looking forward to using it to remind me to disconnect and focus on the real world sometimes.

Developing on a Pixelbook

One pleasant surprise that got Michael very excited was the announcement that Android Studio is coming to Chrome OS. He quickly got it running on his Pixelbook and then challenged me to a race to see who could build 1Password faster. We were both shocked to find that his Pixelbook came in only 7 seconds behind my MacBook Pro. That’s pretty impressive!

1Password on Chrome OS

As exciting as it is to build 1Password on a Pixelbook, it’s even more thrilling to run an optimized version of it on Chrome OS. We built 1Password 6.8 for Android with an emphasis on the desktop experience, and we’re incredibly proud to have been featured by Google during I/O as an example of doing this well.

One of my favourite desktop features added in 1Password 6.8 is using the arrow keys and the keyboard shortcuts to get around. I also find it extremely convenient using drag and drop to move text between Android apps. Now I can drag my credentials to sign into the Twitter app!

Give 1Password a try on your Chromebook and let us know what you think.

Until next year!

We all had a fun and productive week at Google I/O. It was my first time listening to Justice and Phantogram at the concert, and my god, do I love them! I have “Fall in Love” playing on repeat right now. 🕺

Google I/O sparked some great ideas that we’re eager to explore in 1Password on both Android and Chrome OS. Which of the showcased technologies are you excited to see in 1Password? Let me know in the comments below!

Introducing Watchtower 2.0: The turret becomes a castle

Introducing the all new Watchtower – it is absolutely gorgeous, and appears to be rather timely!

Twitter asked their 330 million users to change their password yesterday due to a security snafu, putting privacy and security at the forefront of everyone’s mind once again.

1Password includes Watchtower, with its suite of security tools, making it the easiest and most comprehensive way for you to check the security of all your passwords.

Watchtower report

With a click of a button, Watchtower audits your passwords against a wide range of security vulnerabilities giving you an easy to read report with simple steps on how to fix any issues it finds.

Let’s take a look at some of the defences.

On the lookout for breaches

Watchtower will automatically notify you if there’s been a security breach for a website you use. A bright red bar that’s pretty darn hard to miss will display across the top of the item, prompting you to change the password for that site.

Login showing a breach

Please excuse me while I hop away for a sec and go change that Twitter password. 😀

A vanguard for pwned passwords

Watchtower can check your passwords to see if any have been exposed in a breach. Integrating with Troy Hunt’s haveibeenpwned.com service, your passwords are checked against over 500 million exposed passwords, highlighting any that are found.

Watchtower showing vulnerable passwords

To keep your passwords private, Troy found a brilliant way to check if passwords have been leaked without ever sending your password to his service.

Strong, unique passwords are your greatest defence

Using strong, unique passwords for every website is your surest way to keep safe. When a website is breached and your password compromised, that password can be used to sign in to other websites that use the same one. If you’ve reused that password elsewhere, you’re putting all those sites at risk.

Watchtower not only shows you which of your passwords should be stronger, it also alerts you when you’re using the same passwords for more than one website.

Graph of password strengths

Now would be a great time to use Watchtower to see if you reused your Twitter password for your bank account 😱

A second line of defence

Enabling two-factor authentication (2FA) on websites is a great way to keep your accounts there safe. Watchtower will now let you know about websites you have saved in 1Password that support 2FA, but don’t have it enabled.

Alert showing missing 2FA

This gives you the chance to enable 2FA for those sites. When you enable 2FA, make sure to keep the one-time password in 1Password.

Don’t get caught off guard

Watchtower not only looks out for your passwords, but for you as well. It will now warn you if one of your credit cards, driver’s licenses, or passports is expiring soon, making sure you aren’t scrambling to make last-minute arrangements.

Alert showing expiring passport

Here in Canada you can’t travel internationally if your passport expires within 6 months, so this can be a real life saver if you have that long-planned vacation coming up soon.

Try today with your 1Password membership

Watchtower is available today, so it’s time to give it a try now!

Sign in to your 1Password.com account, select a vault, and click Watchtower in the sidebar to create your report. If you don’t have a 1Password membership, start a free 30-day trial to get started.

Oh, and don’t forget to change your Twitter password :)

MyFitnessPal Shows How to Handle a Breach

We all witnessed something refreshing last week when MyFitnessPal announced their data breach. They were open and honest about what happened and they should be congratulated.

Many companies hide from the truth and make things much worse for themselves and their customers. Instead, MyFitnessPal did it right. Not only did they handle the disclosure with finesse, they also had excellent systems in place to limit the exposure of the leak.

MyFitnessPal provides a great case study on how to handle a data breach and protect customer information. Let’s start with the announcement itself.

The Announcement

First it needs to be said that it was awesome that there actually was an announcement and that it was published in a timely manner. This is a very good thing!

There was an in-app notification, direct emails, and a pinned Twitter post.

They also posted Frequently Asked Questions that were excellent and when I emailed their support team with some questions for this post, their automated reply included information about the breach and what they were doing to protect their customers.

MyFitnessPal was incredibly open and transparent about everything and at no point did they try to hide details from their users, myself included! That allowed me to update my password and get on with my life.

I wasn’t overly attached to qdd84b7UayEwM9J6dZV anyway so I didn’t mind changing it. And since I only used this password on myfitnesspal.com I didn’t need to update any other websites.

Strong unique passwords FTW! 🙂

Secure Handling of Passwords

Equally commendable was how MyFitnessPal stored passwords in their systems. Or more to the point, how they didn’t store passwords.

Many sites choose to store the plain text password, which is bad. The fact that Have I Been Pwned? now has over half a billion plain text passwords in their database shows how prevalent this horribly bad practice is.

MyFitnessPal was much smarter than that as they never stored the actual password. Instead they stored a hash of the password, most of which were created using bcrypt. Our Chief Defender Against The Dark Arts wrote at length about bcrypt and how it can be used to protect user passwords.

It’s possible to go even further than bcrypt and avoid sending passwords to the server by using Secure Remote Password. We use this in 1Password and are quite smitten with it.

Avoiding Other Sensitive Information

The other smart thing MyFitnessPal does that should be commended is collecting and storing the minimum amount of data. From their FAQ:

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

The easiest way to protect data is to not have it in the first place! We follow a similar mentality in 1Password and it’s refreshing to see other companies taking security and privacy seriously.

MyFitnessPal made some excellent design choices and quickly organized an effective response to a bad situation.

For those looking to learn more about the MyFitnessPal breach, Troy Hunt started his Weekly Update 80 with a full discussion on the subject that I found very intriguing, especially the strategy on how to migrate from a SHA-1 hash to using bcrypt.

P.S. A great deal of this post was inspired by an incredible letter I received from Benjamin Fox about how unique passwords helped him quickly recover from the MyFitnessPal breach. Thank you for the inspiration, Benjamin! ❤️

Hi Dave,

I know you get hundreds of emails but I can’t help but send this email. I received an email from MyFitnessPal today and of course the news-breaking headlines.

In reading the email, I simply smiled. Headed to my 1password vault and checked the password.

Sure enough, there was a 40 character, numbers + symbols password. I smiled smugly and thought of you.

Your amazing product keeps my data safe every single day. I have not one single duplicated password. Back about 4 years ago I spent the entire weekend updating 200 plus sites with a unique password ( MyFitnessPal being one of them ).

I have recommended so many people to your platform knowing that you have an amazing product and just as importantly, a fantastic support team.

Take care my friend and I send you a warm-hearted thanks from Darwin, Northern Territory, Australia!

Keep doing what you’re doing!
Benjamin Fox.

We really do have the best users in the world. 😘

Thank you for helping us to help others

With spring finally here, looking back towards the winter months can leave you feeling chilly! But never fear, we’re here to bring you some good news to warm your heart 🙂

Over the Christmas Season, we had our annual newsletter – this year we decided to ask you all to help us share the gift of food security with the community. With $50,000 as our goal, we were all super excited when the peppermint meter reached the top.

Since then our team has been visiting food banks throughout Ontario to drop off cheques totaling $50,000 to wonderful groups who have been helping people secure healthy meals. We’d love to take this chance to share with you some information about all of them.


One of our first stops was The Grace Cafe in St. Thomas, Ontario. This street mission is headed up by a wonderful woman named Ginny who makes sure every person coming in receives a warm meal with a side of smiles and friendship. Ginny was surprised and happily shocked when she learned of our donation – knowing how many people she can help with this made our day!

Next we visited the St. Thomas Elgin Food Bank, also known as The Caring Cupboard. Karen is the General Manager and she took us through their space, explaining how everything operated and talking about all the various networks that they work with to provide for people in the community – it was great to know how much our donation would help. 🙂

We moved on to the Brantford Food Bank after that, where one of our team members had recently moved. Due to unprecedented flooding in the area, the timing of the donation couldn’t have been better for the community, and Will was excited to help make an impact for those in his new home town. 🙂

The Markham Food Bank was next. Since 1984, this group has been helping to provide for members of the community. Shiner was super excited to drop off our donation, where he also got to meet one of the founders – Gladys Keeble, who is 92 years young and still an active member!

Our last stop in our tour was the Ontario Association of Food Banks. Based in Toronto, this group helps to coordinate resources and help food funding throughout the province. It’s a huge project to undertake and they do a great job helping people in need, while also providing advocacy and leadership for the community at large.

Thank you all for your help over this Christmas to help us meet our goal! It was a wonderful feeling to make an impact on our community, and I’d like to encourage you to remember your local food banks when out grocery shopping – every dollar makes a huge impact for these groups!

Finding Pwned Passwords with 1Password

Yesterday, Troy Hunt launched Pwned Passwords, a new service that allows you to check if your passwords have been leaked on the Internet. His database now has more than 500 million passwords collected from various breaches. Checking your own passwords against this list is immensely valuable.

We loved Troy’s new service so much that we couldn’t help but create a proof of concept that integrates it with 1Password. Here’s how it looks:

What’s even more fun than watching this video is giving it a try yourself. 🙂

Checking your passwords

This proof of concept was so awesome that we wanted to share it with you right away. It’s available today to everyone with a 1Password membership. To check your passwords:

  1. Sign in to your account on 1Password.com.
  2. Click Open Vault to view the items in a vault, then click an item to see its details.
  3. Enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept.
  4. Click the Check Password button that appears next to your password.

Check if your password has been pwned

Clicking the Check Password button will call out to Troy’s service and let you know if your password exists in his database. If your password is found, it doesn’t necessarily mean that your account was breached. Someone else could have been using the same password. Either way, we recommend you change your password.

In future releases we’ll be adding this to Watchtower within the 1Password apps, so you can see your pwned passwords right in the 1Password app you use every day.

As cool as this new feature is, we would never add it to 1Password unless it was private and secure.

Keep your passwords private and secure

Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out. 🙂

Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.

I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.

Hopefully you’re as intrigued about how this works as I am. It’s what got me the most excited when I saw Troy’s announcement!

How it works

Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
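The exchange described above, as an added example (not 1Password's or Troy Hunt's code). The FakeRangeServer class and its constructed list of leaked passwords are assumptions that stand in for the real service so the example runs offline; the "SUFFIX:COUNT" reply lines follow the format of the public Pwned Passwords range API.

```python
import hashlib

# Constructed sample data: a stand-in for the breach corpus held by the server.
LEAKED = ["password", "123456", "correct horse battery staple"]


def sha1_hex(password: str) -> str:
    """Uppercase 40-character SHA-1 hex digest of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Hypothetical offline stand-in for the range endpoint; logs what it is sent."""

    def __init__(self, leaked):
        self.hashes = [sha1_hex(p) for p in leaked]
        self.received = []

    def range_query(self, prefix: str) -> str:
        self.received.append(prefix)
        # Reply with one "SUFFIX:COUNT" line per stored hash sharing the prefix.
        return "\r\n".join(f"{h[5:]}:1" for h in self.hashes if h.startswith(prefix))


def is_pwned(password: str, range_query) -> bool:
    """Send only the 5-character prefix, then compare the 35-character suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = range_query(prefix)
    for line in body.splitlines():
        candidate, _, _count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return True
    return False  # also covers an empty reply (no hashes share the prefix)


if __name__ == "__main__":
    server = FakeRangeServer(LEAKED)
    print(is_pwned("password", server.range_query))
    print(is_pwned("not-in-the-constructed-list-9f2", server.range_query))
    print(server.received)  # only 5-character prefixes ever reach the server
```

The password and the remaining 35 characters of its hash never leave the client; the server log holds only the prefixes.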

Troy has a detailed writeup of how this works under the hood in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.

Take some time to play with our proof of concept. Generate some new passwords to replace your pwned ones, and let me know what you think in the comments. 😎

A thank you to Troy Hunt

Troy Hunt is a respected member of the security community. He’s best known for his Have I been pwned? service.

Troy invests a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database. The Internet is a safer place thanks to Troy Hunt.

Edited: I’m thrilled to see Troy likes what we’ve done with this. 🙂

1Password command-line tool 0.2: Tim’s new toys

Some of you may know Tim, our Beardless Keeper of Keys and Grounds here at AgileBits. Tim and his team keep everything running smoothly. The servers are serving happily and the networks are flowing gracefully. Tim is also the administrator of our company team on 1Password.com.

Tim can script and automate with the best of them, and from the moment he got a preview of op, the DevOps team began bombarding us with feedback. One of the first things he asked for was the ability to create vaults, so we added that right away. But we knew we could still do more for Tim – after all he was on the nice list this year – so we got him some new toys to play with. If you’re too excited to read more, you can just start playing with op 0.2 now. To find out more, read on.

Vault into the new year

Our first gift to Tim was more control over vault access. He can now use op to add users to vaults, remove users from vaults, and even delete vaults.

So when Dave told Tim about a new project (codenamed Honey Badger), it was easy to set things up.

Dave needed two developers, Chris and Betty, as well as one of our designers, Matt, involved in the project. With the command-line tool, Tim can switch to his terminal and do this right away. After he signs in, he can create the vault needed for the project:

op create vault "Honey Badger"

But this is old news! He’s been creating vaults for months now. What’s new is that he can now give everyone involved access to that vault:

op add "Chris Meek" "Honey Badger"
op add "Betty Da" "Honey Badger"
op add "Matt Davey" "Honey Badger"

Tim can even create a script to take a list of email addresses and add everyone to the vault at once:

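#!/bin/bash
# Usage: add-everyone.sh "Honey Badger" < emailaddresses.txt
# Reads one email address per line from stdin and adds each user to the vault named in $1.
while IFS= read -r p; do
    # Quote both arguments so a vault name containing spaces stays a single argument.
    op add "$p" "$1"
done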

After Matt is done designing project Honey Badger, it’s just as simple to remove him from the vault:

op remove "Matt Davey" "Honey Badger"

When everyone is done with the project, Tim can use op delete vault "Honey Badger" and move on to his next gift.

New year, new groups

The next gift we gave Tim was control over group membership. He can now use op to create and delete groups and choose who belongs to them.

When Dave told Tim that Wendy was moving from the support team to the design team, Tim just casually sipped his cocoa. He knew this would be trivial. We already have groups set up for both teams, so he just ran two commands:

op remove "Wendy Appleseed" "Support"
op add "Wendy Appleseed" "Design"

Tim can also create and remove groups with op create group and op delete group if ever he needs to.

Resolve to level up your skills

The holidays may be over, but we have a feeling Tim will be playing with his new toys for many days to come. If you want to level up your own skills, head over to download this latest release and read the full documentation on our support site.

Level up with op 0.2!

Then pop in to the 1Password Support forum to let us know what you think. You’re all on our nice list, and we love hearing from you. Your feedback after the initial public beta was instrumental in shaping this release.

We’re incredibly excited to continue work on this tool, as it gives you access and control over your 1Password data in a way that’s never been possible before.

Same as it ever was: There’s no reason to melt down

The Intel CPU flaw that is being referred to as “meltdown” is a big deal. It allows for a whole (new) category of malware to do things that it otherwise shouldn’t be able to do. This is not a good thing, and it remains a threat until operating systems are updated to no longer rely on some specific security features of the CPUs.

But just because it is an extraordinary bug doesn’t mean that it requires an extraordinary response from most people. (Operating system designers are not “most people.”) The same practices that you should already be doing are enough.

What you can do is what you may already be doing

Stay updated, be careful where you get your software

Malware that exploits meltdown may be particularly powerful, but it is still just malware. And so the practices that we’ve always recommended are the practices that will protect you now.

  1. Keep your system and software up to date.
  2. Be careful about where you get your software.

Regarding point 1, it appears that the latest version of High Sierra already has defenses to guard against meltdown. If you are using macOS, be sure that you are up to date. It also appears that Microsoft is in the process of releasing a security update for Windows.

For the second point, I recommend downloading software from app stores, such as the Mac App Store and the Microsoft Store. They can’t guarantee that no malware slips through, but they provide the easiest and most effective filter available.

Whatever you do, don’t respond to “scareware”. Scareware is typically sold through something that pops up fake alerts about your system being infected or compromised. These scary (and fraudulent) alerts then try to entice you into installing and running tools that will “clean” or “repair” your system. Unfortunately those tools do the exact opposite of what they claim to do.

Panicked people make poor security choices. And so this is why I am worried that fear about this issue might lead people to become more susceptible to scareware. Take a deep breath, don’t panic, and be calmly suspicious of scary alerts.

What we can do is what we have already been doing

1Password is designed so that even if an attacker can read every bit of data on our systems they cannot learn your secrets. We simply don’t have the capacity to decrypt your data, and that holds for anyone who compromises our systems. This has been essential to 1Password’s design from the very beginning, and it is why we don’t have to panic either.

Furthermore, it appears that AWS (our hosting provider) has already begun patching the servers. Keeping up with updates is one of the things we hire them to do.

Same as it ever was

I don’t want to downplay the extraordinariness of this bug. It is fascinating in many ways, and it does have broad impacts. But unless your job is to design and maintain operating systems, you should just follow normal practices of keeping your system up to date and not installing dodgy software.

There is a great deal of speculation and news coming thick and fast and it may well be that some of the details of what I have said here will need correction. But the core message should remain the same. Keep your systems and software up to date, and don’t install software from untrusted sources.

The 1Password Slack app makes administrators happy

Our all new 1Password app for Slack automatically posts messages in Slack when important events happen on your team. It also includes some new functionality that makes it easy for administrators to stay coordinated.

Let me tell you a story about how Slack can be so much more powerful than email.

Going crazy

Once upon a time, there were three administrators: Jeff, Dave, and Roustem. Dave needed more help developing 1Password X, so he hired a new team member. You won’t be surprised to know that part of that process includes inviting the new hire to our 1Password team.

Once the new team member accepts their invitation and joins the team, their membership needs to be confirmed. To make this easier, 1Password sends a helpful email to all the administrators.


Jeff checked his mail the soonest and quickly confirmed the new team member. Dave was busy working on 1Password X, so he didn’t even have a chance to see the email. A few hours later, Roustem took a break from coding and saw the email. When he went to confirm the new team member, he saw that there were no team members to confirm. Did something go wrong? Or had someone else already beat him to it?

Roustem knew there had to be a better way and almost started to code the solution himself. Then he realized he was in the middle of five other things, so he let me take a crack at it. :)

Staying sane

Slack had all the tools we needed to create an intuitive system to keep all the administrators on a team in sync. The Slack API is really simple to work with, and I was able to have a shiny new Slack app up and running in about a week.

There are two kinds of messages that can be posted in your Slack workspace, and you can choose to post them in a single channel or separate ones.

Alerts that require action

1Password Teams can now post alerts in Slack for things that need your attention, so you can take action right away. But the main problem we wanted to solve was having some way to let administrators know what didn’t need their attention anymore.

After an action is completed, the message is automatically updated to let everyone else know. You’ll immediately know when someone else has already completed the action.

Notifications that let you know what’s up

Every day stuff happens on your team that doesn’t necessarily require you to take action. But it’s handy to have it all in one place. Notifications are informational messages that allow you to keep tabs on important activity, so there are no surprises.

For example, seeing that everyone is signing in from locations that you expect can help ease an otherwise stressful day for an administrator.

Happy administrators

The 1Password Slack app is easy to set up. You can get started today in your account settings:

Use the 1Password Slack app

Roustem couldn’t be more pleased. We hope you are too. Let us know what you think in the comments.

If you’re curious about some of the technical aspects of how we securely authorize with Slack, check out our post on the Slack Platform Blog.