## April Fools’ Day in the Teare house

It’s April Fools’ Day, and once again we racked our brains trying to find the right prank we can pull here at AgileBits. Finding that right balance is tricky though, because the last thing we want to do is scare someone who is trusting us with all their personal information!

And so we end up with a ton of ideas that are really funny, but don’t really work for actually doing. You know how it goes: There is always that super funny prank you want to pull, but don’t, because you know that plastic snake hidden in the bed will give your mother a heart attack, and you don’t want to be responsible for that!

Late last year when 1Password 6 launched, we switched to the All Vaults view, which is a great feature that people continue to enjoy. The All Vaults view showed our helpful Demo vault that people use to show off 1Password without revealing their own personal details, and this caused some confusion. We had a number of folks reaching out to us, concerned that their information had been compromised thanks to Wendy Appleseed’s details showing up in their new All Vaults view!

Once we explained how it got there, they completely understood, but it was definitely a good example of how difficult it would be to have any kind of practical joke hidden within 1Password.

So for this year, I thought it would be fun to share a few stories about how we celebrate at my house :) And, rest assured, these pranks are meant to be fun and silly, without having to worry about potential heart attacks!

Over the years, the idea of April Fools has evolved as our kids have gotten older. Last year, we tried a new prank: the Underroo Switcherrooo. I took all the clothes from Abby’s dresser and moved it into Jack’s—and vice versa—while they slept. Getting dressed in the morning was a bit more challenging last year!

One that has become a tradition of sorts for us is waking up on April 1st with a moustache! When I first thought of trying this, I didn’t think it would work, as I thought the kids would wake up, but evidently they are sound sleepers!! Armed with washable markers, I sneak into their rooms and add some creative drawings for them to discover when they wake up. The first year was quite something as Abby noticed Jack’s moustache before her own;)

My most favourite prank of all time, though, was a number of years back, when it was just Dave and me. It had been a long day and I thought it would be fun to try “getting” him, but I was short on time and supplies. I ended up using some giant white (and obvious!) garbage bag ties to tie down the handle of the vegetable sprayer attached to the kitchen sink. I figured Dave would see the ties, laugh and then tell me what a sad attempt at pranking him it was. Instead, he went to the sink and turned it on. I could hear the “Ugh!” from the other room and stunned silence.

As I went in to claim my victory, though, I heard the tap turn on again — he evidently didn’t realize what had happened and tried to turn the sink on again, only to get sprayed again! I stopped in my tracks, laughing too hard to walk. The jig was definitely up then, and he retaliated by throwing a glass of water at me. Totally worth it. I’m laughing to myself now as I write this!

I hope that your April Fools’ Day is filled with fun pranks and good times. As for me, I’m going to spend the day trying to avoid wanting to buy things that don’t exist. ThinkGeek already got me, as I thought I found the perfect new toy for the office :)

Image courtesy of ThinkGeek

## Introducing the new Strong Character Generator!

Creating secure passwords for you is one of the most important things that we do here at AgileBits. We’re constantly looking for ways to improve 1Password to make it more secure and more convenient.

Today, we believe we’ve come up with an innovative solution that will allow users to create secure passwords … even in the face of unreasonably low character limits.

### Security, in eight characters.

Too many websites today still restrict passwords to 8 or 10 characters, when we all know that 8-10 alphanumeric characters just isn’t going to cut it with today’s password cracking technology.

The next update to 1Password will include a brand new addition to our Strong Password Generator that introduces a whole new method of creating secure passwords: a random character generator.

### Passwords: Now with random-er characters!

Our new character generator gives you security with only a few characters.

Because attackers do not have facial recognition built into their algorithms, these passwords will thwart even the craftiest crackers.

We’re introducing this feature first on 1Password for Mac, with a limited character set, and we’d love for your help in making this tool even more secure-ier! Check out our list of available characters and let us know which ones you’d like to see added next. We’re taking votes and will add characters based on the highest popularity.

Never have seven characters looked more secure.

As awesome as an ‘all-wil-wheaton’ password looks, it’s not quite as secure as a randomly generated character set, so please use sparingly.

Who’s missing here? Let us know which characters you’d love to see in the next update!

## People accidentally tell their passwords to Jimmy Kimmel and the world

See? This is why you don’t use your pet’s name and high school graduation year for your password. Because you’ll end up on Jimmy Kimmel Live, telling it to the entire world.

To stay safe online, you want good, strong, unique passwords for all your accounts. That’s where 1Password’s Strong Password Generator for Mac, iOS, Windows, and Android has you covered.

## Getting chilly for charity

I’m not sure if you’ve been on the Internet lately, but there’s this “ice bucket challenge” thing going around. Sure enough, some members of the AgileBits crew were challenged, and in good form … we challenged all of our co-workers.

We’ve made a donation to ALS (as well as several other causes near and dear to our hearts) and thoroughly enjoyed helping our teammates take the plunge.

Now that we’ve done our good deed for the week, we challenge YOU. Make the world a better place. Donate to a worthy cause and dump a bucket of ice water on a friend.

## 1Password makes cameo in Silicon Valley

No, we haven’t moved our new office to San Francisco, CA. But 1Password did make a brief appearance in HBO’s Silicon Valley comedy this week, episode “Third Party Insourcing.” Those entrepreneurs may be struggling with the trials and tribulations of… being entrepreneurial, but at least they don’t have to struggle with strong passwords.

[thanks for the heads up, Luca Zorzi!]

## Large even prime number discovered

You have probably been taught that two is the only even prime number. But today mathematicians at the University of Southern North Dakota at Hoople have discovered a new, large, even prime. It is more than a million digits long and is equal to the value of 3²²³⁷⁵⁶¹+3¹¹¹⁸⁷⁸¹.

Many people are under the erroneous belief that two is the only even prime number, but as Professor Paul Forester explains, “tings get really meshuga vhen numbers get large.” For example, when some number n gets very large, it becomes approximately the same as its successor. Because:

$\displaystyle\lim_{n \to \infty} \frac{1}{n} = \frac{1}{n+1}$

we can see that n must get closer and closer to n+1 when n is very large. So when numbers are pretty much the same as their neighbors at these large values, the notions of odd and even don’t hold in the traditional sense.

## What does this mean for cryptography

First of all, this surprising mathematical discovery has no (immediate) bearing on the security of 1Password, as 1Password does not use the kind of cryptography that depends heavily on the theory of prime numbers. But this might have some implications for cryptography. At the moment, the only immediately visible impact is that it should make some of the slowest cryptographic computations quicker and more efficient.

In some cryptographic systems (though not 1Password), the software must generate large, randomly chosen prime numbers. This is a very time-consuming process, and it works by first picking large random numbers, then checking whether they are prime through a series of tests. Almost all software implementations of this will only pick odd numbers by setting the least significant bit of the random number to 1. But this excludes half of the numbers it could pick, thus failing to find any of the even large primes.

### Testing for primes

Once a random number is picked in the appropriate range, it needs to be tested for primality. Many of the tests result in answers that aren’t quite definitive. Indeed, a number of tests produce results of either “definitely not prime” or “possibly prime”, and each of these tests may take a different amount of time to run. The general strategy is to run the quickest tests first on your candidate number, and only then run the more expensive tests. If your candidate number passes a sufficient number of those tests, then you can determine with sufficiently high probability that the number really is prime.

There is a way, of course, to definitively test whether a number, N, is prime. And that is to attempt to divide by every prime number less than or equal to the square root of N. But while that approach is definitive, it simply requires far too many divisions to actually carry out.
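The pick-then-test loop described above, as an added example that is not part of the original post: candidates get their least significant bit set to 1, trial division by a few small primes serves as the quick test, and Miller-Rabin serves as the more expensive “possibly prime” test. The function names, the small-prime list, the 40 rounds, and forcing the top bit so the candidate has the full bit length are choices made for this sketch.

```python
import secrets

# Assumption for this sketch: a short list of small odd primes for the quick test.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def passes_trial_division(n):
    """Quick test: False means 'definitely not prime'."""
    return all(n == p or n % p != 0 for p in SMALL_PRIMES)

def miller_rabin(n, rounds=40):
    """Expensive test: False = definitely composite, True = possibly prime."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2   # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # this base proves n composite
    return True

def is_probable_prime(n, rounds=40):
    """Run the quickest tests first; Miller-Rabin only for survivors."""
    if n < 2 or (n != 2 and n % 2 == 0):
        return False
    return n == 2 or (passes_trial_division(n) and miller_rabin(n, rounds))

def random_probable_prime(bits):
    """Pick random candidates until one passes every test."""
    while True:
        # Low bit set: odd candidate. Top bit set: exactly `bits` bits long.
        candidate = secrets.randbits(bits) | 1 | (1 << (bits - 1))
        if is_probable_prime(candidate):
            return candidate
```

Each Miller-Rabin round lets a composite slip through with probability at most 1/4, so 40 rounds leave an error bound of 4^-40 for a number reported as prime.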

### The prime numbers in cryptography

The prime numbers used in cryptographic systems are typically 1024 bits (about 308 digits) long. Pairs of these are generated and multiplied together to produce 2048 bit (about 616 digit) products. Note that when you multiply, say, a five digit number by a three digit number you usually end up with an eight (five plus three) digit number. This holds when using bits instead of decimal numbers. So the product of two 1024 bit numbers will typically be a 2048 bit number.

Even for 300 digit numbers, which are far, far smaller than the million digit prime announced Saturday, it isn’t feasible to run definitive primality tests in the time we need when picking prime numbers. Indeed, it is probably near the edge of the NSA’s capability to factor 1024 bit products of 512 bit primes. This is why it is no longer recommended to use 1024 bit RSA keys.

### A note on key sizes

If I am saying that 1024 bit keys aren’t safe, why does 1Password “only” use 256 bit keys? This is because different kinds of encryption systems have different kinds of keys. Keys used for the AES algorithm are completely random numbers. Guessing the key means trying every single 256 bit key until you find the one that works. That just isn’t possible even for a 128 bit key. But for public key encryption systems, not just any public key will do. Not just any 2048-bit number can be a Rivest-Shamir-Adleman (RSA) public key. Instead, it must (essentially) be the product of two 1024-bit prime numbers (which are, in essence, the private key).

I say “essentially” in there because if two prime numbers are p and q, then the actual public key isn’t p times q, pq, but is in fact Φ(p)Φ(q), which works out to (p-1)(q-1) in this case. The Φ function is known as Euler’s totient function. For quite some time, I believed that there was a mathematician whose name sounded like “Oiler” who worked on similar stuff as the mathematician I’d read about, whose name I pronounced “Yuler”. Along the same lines, it was only when someone read the Little Prince aloud that I realized that the word I’d heard as “yu-neek” was the same as the one that I pronounce “un-ee-cue”. I still think of the Prince as “un-ee-cue in all the world.”

Let’s get back to key sizes. Not every public key system uses the RSA algorithm. The Diffie-Hellman (DH) system uses different mathematics, but has key length requirements similar to RSA. 1024 bits is no longer considered secure against the likes of the NSA. The third kind of public key algorithm in use is based on elliptic curves, and is sometimes called ECDH because it is actually based on the same logic as Diffie-Hellman at its heart, though it works through different mathematical operations. One advantage of ECDH is that it works with much smaller keys. So a 256-bit ECDH key is perfectly reasonable.

This article was posted on April 1, 2014. The claim that an even prime number other than two has been found is bogus. The notion of odd and even holds for all integers, no matter how large. The fictitious University of Southern North Dakota at Hoople is the creation of the real Peter Schickele. The fictitious mathematician Paul Forester is my resurrection of the great 20th century mathematician, Pál Erdős. Everything else here is actually meant to be reliable information. Including those bits that are un-ee-cue in all the world.

## Where’s Eddy?

You may remember that AgileBits won a Macworld Eddy Award in 2013 for 1Password 4 for Mac (We were a little bit excited about it). 1Password 4 has been a labour of love for the entire team, from developers to support, and it was a true honour to be singled out for such a prestigious award.

Well, because the powers-that-be at AgileBits are pretty awesome, they decided to share the honour. So, not only is there a shiny new Eddy from 2013 sitting next to his friend from 2010 on our office shelf, but Eddy is also gracing the shelves and homes of every AgileBits employee! I was completely blown away by this generosity, and it got me thinking: how were the rest of the AgileBits team celebrating the arrival of this shiny award?

As it turns out, there’s some excitement, a little bit of weirdness, and a whole lot of smiles. Check out some of our photos here and give us a like on Facebook to check out the full gallery!

## The top 6 worst passwords from the Star Trek universe [Updated]

You would think that, once we master space exploration and how to replicate the perfect cup of Earl Grey, everyone in the future according to Star Trek would understand the necessity for unique, strong passwords.

Unfortunately, you would be wrong. And no, as we’ll see later, biometrics (like voice authentication) don’t seem to help.

As the following evidence from various Star Trek clips shows, some of the passwords used by Starfleet’s finest are weaker than the passwords stolen from the recent Sony and Yahoo hacks. Clearly, these officers could’ve used 1Password.

### 1. Kirk, Scotty, and Chekov needed our Strong Password Generator

The longest password needed to blow up the Enterprise in Star Trek III is just five characters. My U.S. social security number is longer than that but, fortunately, I’m pretty sure it can’t self destruct anything.

### 2. It shouldn’t be this easy to eject the warp core

B’Elanna gets points for getting past five characters (yet she loses points for using her own name in her password). But it’s way too easy to strand a ship in the middle of nowhere with a simple “computer!” callout and what is still a weak password.

### 3. Honestly, who made it this easy to blow up ships

If it was this easy to blow up ships in the 24th century, I’d probably look for abandoned derelicts everywhere I went and do it as a hobby. Those explosions are totally GIF-worthy.

### 4. Picard’s authorization is so weak, the computer rejects it

Ok, maybe that torn power conduit had something to do with it, but still. If I were the Enterprise computer, I would’ve locked Picard out a long time ago and made him upgrade to a much stronger self destruct password.

### 5. Chekov’s ship-wide status update password is laughably short

With a password that weak, officers would break into the internal comms every other day and post Burger King-like prank announcements that the Enterprise was switching teams to the Romulans or launching a package delivery service.

### 6. The password to our shields might as well be 1-2-3-4-5

In Star Trek II: Wrath of Khan, Kirk and Spock are able to remotely shut down the shields of the Starfleet ship Khan “borrowed” by transmitting nothing more than a five-character “prefix code” of 16309.

I know luggage with tougher combinations than that.

Even worse, they looked it up in what seems to be not much more than an Excel spreadsheet of all Starfleet ship prefix codes. What could possibly go wrong?

The clip here doesn’t include the statement of the code. If you want that, skip to around 6:50 in this longer clip. Thanks to Joe Kissell for schooling us on our bad Star Trek passwords.

### Honorary mention: Data’s perfect-yet-flawed password

You might think Data created the perfect password that time he went nuts, took over the Enterprise, and mimicked Picard’s voice (hooray for 24th century biometrics!), all in the name of dropping in to say hi to dad. There’s just one problem: he said it out loud for everyone to hear, or at least for the computer to record and tell Picard later.