iMore names 1Password 5 for iOS an App of the Year for 2014!

It isn’t every day that we have a chance at winning a best-of-the-year award from iMore. In fact, I am told that the opportunity comes only once a year.

And this year we won!

We are thrilled and thankful and just plain touched that iMore named 1Password 5 as the iOS Utility App of the Year for 2014, and 1Password 5 for Mac as a runner-up for Mac Utility App of the Year!

iMore reviewed and listed a ton of stuff for its awards this year, from apps to accessories for both iOS and the Mac. It’s a great list from a bunch of smart folks, so be sure to give the entire thing a look!

Incredible 1Password users release 1Password Emergency Kit 3.0

The 1Password Emergency Kit is a clever PDF created by some of our brilliant users to help families and friends during unfortunate times. Invented by Mike Vardy at Productivityist a couple years ago, it recently reached version 3 and looks even more useful.

The idea behind this user-created Emergency Kit is simple: we create a will and place sensitive items in safe deposit boxes in case something happens to us. But with so much of our lives these days depending on the internet, many of us want a way to make 1Password part of these plans.

Thanks to Productivityist reader and 1Password user Charles Hamons, the 1Password Emergency Kit v3 is now a fillable PDF and includes space for even more useful information, such as locations of multiple vaults (and their Master Passwords) and even instructions for what to do with one’s social media accounts.

Admittedly, this isn’t quite a fun or exciting feature to boast about. But we are absolutely thankful for the work of Mike Vardy, Charles Hamons, and others in the community for building a useful 1Password tool that can help immensely during one of the most painful times in our lives.

Apple lists 1Password among the App Store Best of 2014

We are amazed, humbled, and absolutely thrilled that Apple has listed 1Password among the App Store Best of 2014 for iPhone and iPad!

We’re listed alongside some incredible peers, too, from Storehouse to Xcom: Enemy Within, Litely to NYT Now. Apple sure does know how to pick ’em.

We are especially honored since v5 was both a major feature release and a huge step in taking 1Password for iOS freemium. We added some of our best features ever—like Touch ID and App Extension support for other apps—and we made 1Password 5 for iOS free to start using for new customers. Now, everyone can enjoy 1Password’s security and convenience, then unlock their full potential with a single, one-time in-app purchase.

We might be biased, but we agree that makes 1Password worthy of a Best App of 2014 spot. Thanks to you, our customers, for getting us here!

Avoiding the clipboard with 1Password and Lollipop

Copy & Paste clipboards (or “pasteboards” as they are called on Mac and iOS) can be dangerous places for secrets if you have malicious software running on your device. On most operating systems – mobile and desktop alike – most running applications can read from the system clipboard. When you copy a secret to the system clipboard, a malicious process may be able to read and steal that secret.

This, by the way, is not news, but it is good that it has made the news. It helps people be aware of clipboard usage, and it gives me the opportunity to talk a bit about what we have been doing over the years about this.

We have always worked to reduce how much people need to depend on system clipboards when using 1Password. The details differ from system to system, and each operating environment gives us different ways to help reduce clipboard use. On the Mac and Windows PCs we have the 1Password Browser Extensions communicate with 1Password so that web form filling can avoid the clipboard. 1Password for Windows also uses auto-type to reduce clipboard activity. 1Password 5 on iOS offers 1Browser and integration with other apps through App Extensions.

But today I will reveal a few things that our 1Password for Android beta testers know.

Aside: Before I get to that discussion, I should point out (as I often do), that the single best defense against a malicious program running on your machine or device is to keep your systems up to date with all software and system updates. It is also important to be careful in what you install on your system. 1Password can offer some significant defenses against malware on your system, but you have to help keep your systems free of malware.

1Password 4 for Android already has a simple built-in browser. This allows you to go directly from your Login item in 1Password to the web page, filling the data without the clipboard. Our iOS users are already familiar with 1Browser, and this is shaping up on Android.

Lollipop provides clipboardless sweetness

Of course, web pages aren’t the only thing that people need to fill passwords into, and sometimes people may wish to use something other than the browser built in to 1Password. In the current Beta release of 1Password for Android, we used the latest security and accessibility features in Android 5 (Lollipop) to allow 1Password to fill into other apps without making use of the clipboard.

Starting with Lollipop, we have a way to fill password data into other apps without using the clipboard. Perhaps it would be best to just quote what Nik, our Happiness Engineer, had to say in the beta newsletter just a couple of weeks ago:

Wondering why app and browser filling requires OS 5.0? Me too! So I asked our developers. It turns out that the only way for us to do this in earlier versions of Android OS was to use copy/paste accessibility APIs, meaning that any clipboard manager or malicious app could listen to clipboard events and collect login credentials as they were filled.

In Lollipop, 1Password can fill your information directly, without using the clipboard. Therefore, it isn’t possible for a third party to obtain your passwords by snooping on what 1Password’s doing.

Prior to Lollipop, it would be possible to get this kind of app-filling, but it would have relied on the clipboard under the hood. Because using the clipboard involves known risks, we feel that we should make it clear when copy/paste is being used and minimize its use wherever possible. As a result, we decided to focus on a Lollipop-only implementation of our filling feature.

If you have an Android device with Lollipop installed and would like a sneak peek, I invite you to sign up for our Android beta.

Clipboards may always be with us

As you can see, we are working to reduce dependency on system clipboards when using 1Password. This is an ongoing process. Browser integration on the desktops was something we started with back when the very first versions of 1Password were released for the Mac nearly eight years ago. Later, we introduced our own browser into 1Password for iOS, and much more recently encouraged 1Password integration for other iOS 8 apps using App Extensions. Along the way, we introduced auto-type in 1Password for Windows and a web browser into 1Password for Android. As you’ve learned here, we have in-app filling in our Android Beta, making use of the latest features of Android 5.0, Lollipop.

But while we are progressively reducing the need for copy and paste to a system clipboard, we are a long way from eliminating the need to use these. This is why I must repeat my advice to keep your system free of malicious software.

What I would like to see is a clipboard that could only be read when the user explicitly chooses to paste. This is something that has been suggested a number of times before, but has not been implemented on the most popular operating systems. I suspect that there is a reason for that, but if you know, I eagerly await your insights in the comments.

 

Viewing Drupal from the 1Password Watchtower

When a large number of websites are discovered to have been vulnerable, as is the case with websites running recent versions of Drupal, people need clear and unambiguous advice that they can act on. And so, our clear and unambiguous advice is:

If you have a username and password on a site which has been using Drupal for its content management, you should change that password. You will need to change that password everywhere you use it, not just on the potentially affected sites.

Our Watchtower service within 1Password for Mac and Windows will recommend password changes for a number of sites that we detect as using Drupal. Here you can see what that will look like.

We should also make it clear that none of our systems are affected by the Drupal vulnerability. We don’t use Drupal.

Site administrators know best

We don’t know the status of any particular site other than it appears to be running Drupal. Therefore, if our advice conflicts with advice you received from the administrators of a site, follow their recommendations.

We don’t know when a site gets fixed

Some vulnerable Drupal systems may have been fixed on October 15. Others may still not be fixed yet. Our tests are only capable of determining whether a website is using Drupal (and even that test is imperfect).

Merely patching Drupal is not sufficient for sites that may have been compromised. That is because an attacker using the vulnerability may have left a “backdoor” in a site allowing them back in even after the original vulnerability has been fixed. This makes it yet more difficult to determine whether a site remains vulnerable.

We don’t know if a site has been compromised

Just because a site has been vulnerable doesn’t mean that it has been compromised. However, it appears that automated attacks have been systematically breaking into vulnerable sites and planting “back doors” that would allow the attacker a way back in at any time in the future. So we should assume that most Drupal sites which weren’t patched very quickly on October 15 have been compromised.

A password compromised anywhere must be changed everywhere

If you reuse the same password on more than one site, you will have some extra work cut out for you. Let me explain why.

Suppose that Molly (one of my dogs) has used the same password on Bark Book as she does on Sprayed By a Mink Anonymous, and let’s also suppose that Bark Book gets compromised by Mr Talk (the neighbor’s cat). Molly will need to change her password on both the compromised site (BarkBook.com) and on the uncompromised site (SprayedByMinkAnon.org). That is because Mr Talk can use what he has learned from Bark Book against all of the sites and services that he thinks that Molly may be using. I must also report that Mr Talk, along with everyone downwind, can easily guess that Molly may well be visiting SprayedByMinkAnon.org.

Molly should take this opportunity to work towards having a unique password for each and every service. 1Password will remember those for her. The closer she gets to having a unique password for each site, the less of a headache the next big incident will be.

1Password 5 for Mac, by the numbers

It’s been a week since we released 1Password 5 for Mac. Big releases can be a whirlwind, so I thought it would be fun to share some statistics from this past launch week.

1Password 5

  • 4 months of design/development
  • 32 beta versions released prior to the App Store release
  • 1 awesome new UI and icon
  • 4725 crashes reported since launch (although one poor customer accounted for over 1000 of those)
  • 2 feature spots: Best New Apps and Great Apps for OS X Yosemite
  • 3rd Top Grossing in the US Mac App Store
  • 3rd Top Paid in the US Mac App Store

A quick view of our customer interactions

  • 16700 views for the Web Store and iCloud FAQ (sync still dominates our top searches).

  • 300% increase in email help desk inflows (compared to prior week)

Website traffic

  • 100% increase in website visits (compared to prior week)
  • 300% increase in downloads of 1Password 5 for Mac
  • 74,600 sessions on launch day

Mac OS breakdown visiting our website (prior month, current month)

* Fascinating how quickly the number of people using Yosemite increased.

Top 10 countries visiting during launch week

The best stat of all

All these stats are cool. But this one is the coolest. Thank you, everyone. We would be nothing without our customers.

[Image: Mac App Store rating for 1Password 5 for Mac]

1Password 4.1 for Windows puts more control at your fingertips

I have to say, 1Password 4 for Windows has been our 1Passwordiest yet. You’ve given us a ton of great feedback, so we’re back with our first big, free update.

To put it simply, you get more control over some of 1Password’s little details that make a big difference. In v4.1, you can enable rich icons for an even prettier view of your items (View > Show Rich Icons) and lock 1Password when you close your browser (check File > Preferences (Ctrl+P) > Security).

For those who often have many Logins for a particular site, check File > Preferences (Ctrl+P) > Logins > Show X more items… to see more of them at a time.

We also made a ton of improvements across the board to everything from keyboard shortcuts to icon display, linking our fantastic new help guides, adding attachments to items and support for the Comodo Dragon browser, and much more. Check out our full v4.1 release notes for quite the list of details.

The latest version of 1Password 4.1 for Windows is available now via our built-in automatic updater.

1Password 5 for Mac is here

What’s a major OS X release without a major 1Password update? I don’t know, but we would rather not find out. That’s why you can now get 1Password 5 for Mac in the Mac App Store and our web store!

First-class Yosemite citizen

It was only a year ago that we released 1Password 4, and 1Password 5 for Mac ensures we’re ready for the next major chapter of OS X. We completely redesigned 1Password to be a first-class OS X Yosemite citizen—in fact, it requires Yosemite now—right down to compatibility with its new Dark Mode; if you enable it, be sure to check out 1Password mini in the menu bar!

1Password mini also got its own major upgrade. Besides Dark Mode, we redesigned it to be faster and more intuitive so you can fly through menus, anchor an item in its own window with a shortcut, and more. Plus, if you trigger 1Password mini with the system-wide shortcut (⌘-⌥-\ by default), it now conveniently appears in the center of your display.

Go for an iCloud Drive

If you want to use iCloud to sync with 1Password 5 for iOS, I am thrilled to say Apple’s next-gen sync is now available in 1Password 5 for Mac. iCloud sync also now requires the Mac App Store version.

The new iCloud sync is a really big deal. It’s faster and just plain better in every way, and you simply need to upgrade to iCloud Drive on all your Apple devices to sync 1Password 5 (note: we do not store your data in iCloud Drive. We use CloudKit, its underlying technology, for sync). That means you’ll need to iOS 8 and OS X Yosemite all the things. For more details and a guide to making the transition, please check out our iCloud FAQ support document.

Wi-Fi Sync your attachments

Using Wi-Fi Sync to keep your data close to home? As long as you’re using the new 1Password 5 for Mac and iOS, I am delighted to say your attachments will now sync as well.

Upgrades and sales, oh my!

We’re so excited about 1Password 5 for Mac that we want all our v4 customers to have it for free! But what about people who have yet to buy a 1Password License of Awesomeness? No, we don’t actually call it that. But we should.

We want to help you out too, so we’re throwing a 30-percent-off launch sale! That means you can get secure and save a ton of time online for just $35!

How long does the sale run? We don’t know yet. Does it matter? Nope! Grab your 1Password License of Awesomeness now (see? it sounds great), start creating strong, unique passwords for all your accounts, and up your security.

Shellshock is bad, unique passwords are good

A new security bug, commonly known as Shellshock (officially CVE-2014-6271), is bad. It is fair to say that a large number of servers (particularly web servers) were vulnerable to serious attack for some time. It is likely that many still are, and we are unlikely to learn about most of them.

What are we to do? Answer: Use unique passwords for each site and service.

Squirrels, rabbits, and passwords

Let’s consider Molly, one of my dogs. She has a one track mind: Squirrels and rabbits. She also is not very good at counting, so she doesn’t understand the difference between one track and two tracks.

Molly tends to reuse the same password for lots of things. Her password for Barkbook is squirrel. It’s also the password for CatChasers and a number of other sites and services.

Suppose that Patty, my other dog, isn’t the sweet innocent little thing that she pretends to be. Suppose that she breaks into CatChasers and is able to steal user passwords from it. She learns that Molly’s password was “squirrel” on CatChasers, so she’ll check if Molly used the same password on Barkbook and other sites.

Password reuse is doubly bad

Indeed, when Molly uses the password “squirrel” on multiple sites, she is putting all those squirrels in one basket. If her password is stolen on any one of those sites, Patty can get into all of those.

The more places that Molly uses the password “squirrel,” the more likely it is that at least one of those sites will get breached, and the more damage is done when her password gets discovered at any one of those sites.

If Molly uses “squirrel” for twenty sites, there is a very strong chance that several of them are vulnerable to this new Shellshock flaw, Heartbleed, or any of the other known and unknown vulnerabilities being exploited. When Patty does break into one of those twenty sites, she will now have control of twenty of Molly’s accounts.

What you can do

In short, be careful. System administrators will be busy for a while. In addition to upgrading bash on systems that use it, they should be trying to track down which systems create environment variables with untrusted content and whether those systems ever invoke a shell.

But normal people (and I don’t think that many will dispute that system administrators are not “normal people”) are left with the knowledge that there are a lot of vulnerable systems out there. By far, the single best thing we can do is to cut down on our password reuse. The easiest way to do that with 1Password is to give Security Audit a whirl.

There is so much more to say

Everyone with some sort of security point to make is using Shellshock to help illustrate and draw their favorite lesson from it. This is easy to do because Shellshock isn’t just a bug, it is a bug that can be exploited because of a series of design decisions that were pretty much asking for trouble. Each one of those decisions (or non-decisions) is something that everyone in the business really does know better about. But somehow, the software and systems engineering community has managed to ignore its own wisdom at each step of the way.

  1. We members of this community know not to pass untrusted data to various other processes, yet we’ve allowed systems that create shell environment variables (things designed to be passed all over the place) from the most untrusted sources of all. [E.g. CGI, DHCP Clients, etc].
  2. Our community knows that tricking systems into executing “data” is often how attacks happen, yet bash has a feature that deliberately allows what is normally data passed around to be executed.
  3. Whether computer science students like it or not, they are taught that when data is in a particular class of languages it is impossible to validate it, yet with bash we’ve stuck a Type 0 language inside of variables.
  4. Scripts and programs should (generally) avoid invoking a shell, as even the Linux manual page for system(3) says:

    Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity.

    Yet calling system(3) is common practice because it is easier than invoking other programs the proper way.

When a system falls victim to Shellshock, it is because every one of those principles and guidelines has been ignored. The first one is in the design of various network services (such as web servers). Numbers two and three are in the design of bash, and number four crops up in innumerable scripts and programs. None of them are actually about the specific bug in bash. Instead, one through three are about specific design features of various systems.
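Points 1 and 4 above, and the earlier advice to find systems that put untrusted content into environment variables and then invoke a shell, are illustrated by the following added example (not code from the original post). It copies a constructed request value into `HTTP_USER_AGENT` the way a CGI-style server would, then starts a child directly with `posix_spawn` instead of `system(3)` and compares an inherited environment with a fixed allow-list; the path `/usr/bin/env` and the names `run_direct` and `child_sees_var` are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Start argv[0] directly (no /bin/sh in between) with exactly the environment
 * in envp, capturing its stdout in out. Returns the exit status, -1 on error
 * (including output that does not fit in out). */
int run_direct(char *const argv[], char *const envp[], char *out, size_t outsz)
{
    int fds[2];
    if (outsz == 0 || pipe(fds) != 0)
        return -1;

    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);

    pid_t pid;
    int rc = posix_spawn(&pid, argv[0], &fa, NULL, argv, envp);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    if (rc != 0) {
        close(fds[0]);
        return -1;
    }

    size_t n = 0;
    ssize_t r;
    while (n < outsz - 1 && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if a child process sees variable `name`, 0 if not, -1 on error.
 * inherit=1 hands the child our whole environment, which is what system(3)
 * gives the shell it starts; inherit=0 hands it a fixed allow-list. */
int child_sees_var(const char *name, const char *untrusted, int inherit)
{
    /* CGI-style behaviour: request data is copied into an environment variable. */
    if (setenv(name, untrusted, 1) != 0)
        return -1;

    char *argv[] = { "/usr/bin/env", NULL };   /* assumed location of env(1) */
    char *clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };
    static char out[1 << 16];

    if (run_direct(argv, inherit ? environ : clean_env, out, sizeof out) != 0)
        return -1;

    char needle[256];
    snprintf(needle, sizeof needle, "%s=", name);
    return strstr(out, needle) != NULL;
}

int main(void)
{
    /* Constructed sample standing in for attacker-controlled request data. */
    const char *ua = "constructed-user-agent/1.0";
    printf("inherited environment:    child sees HTTP_USER_AGENT = %d\n",
           child_sees_var("HTTP_USER_AGENT", ua, 1));
    printf("allow-listed environment: child sees HTTP_USER_AGENT = %d\n",
           child_sees_var("HTTP_USER_AGENT", ua, 0));
    return 0;
}
```

With the allow-list, request data never reaches the child's environment, so it no longer matters whether a shell further down the chain would interpret it.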

There is a great deal I would like to say about each of these, but I will leave that ranting for another time. Today, I just wish to remind everyone about the importance of using unique passwords for each and every service.

Bash update for Mac OS X

Apple has made bash updates available to those who do not wish to wait for regular software update:

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:
* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Check out the first apps to support our 1Password App Extension for iOS 8!

Just in time for iOS 8, 1Password 5 for iOS has been unleashed in all its Touch ID, ready-for-iPhone-6-Plus glory. It also supports iOS 8’s brand new App Extensions feature, which means over 100 developers (and counting!) are building support directly into their apps for our 1Password App Extension, allowing you to unlock your vault with Touch ID, log in with a tap, and even update your app passwords!

In fact a number of developers shipped their 1Password-slinging updates alongside iOS 8 too, from a bank to community favorite apps for reading and work collaboration. Here’s our first rundown of the available 1Password-endowed apps so far, and keep an eye on our Apps that Love 1Password page for a major redesign soon!

Simple

Simple is a new kind of bank. It has no overdraft, minimums, or monthly fees, and it actually gives you great tools for savings and managing financial goals. Support is powered by human beings you can contact right inside this iPhone app, and you can instantly transfer money to (and from!) friends.

Simple integrated our 1Password extension so you can unlock your vault with Touch ID right inside the app and log into your account with a single tap. You can get Simple 2.1 with 1Password integration in the App Store now.

Slack

Slack is changing the way teams communicate. It’s real-time messaging for iPhone, iPad, and the web, combined with file storage and integrated with tools that teams are already using: Dropbox, Asana, Google+ Hangouts, Twitter, Zendesk, and many more. Conversations and files are archived, indexed, and instantly synced across multiple devices, making everything accessible through one simple search box.

You can find out more about Slack on its website, and get it on the App Store to see how Slack could help you be more productive and less busy.

Instapaper

Instapaper is the read-later service that lets you save anything and read it anywhere. You can save articles and other things on the web from any device, then grab this iPhone and iPad app to read those things later, even while offline.

Among plenty of other great new features, the new Instapaper added the 1Password extension so you can use Touch ID and log into your account with a single tap. You can pick up Instapaper 6.0 now in the App Store.

Retro

Retro is a beautiful Instagram browsing app for iPad. It supports multiple accounts, a Today widget for a quick glance at your feed, multiple themes, background updates, and much more.

With its latest update, Retro also gained the 1Password extension for that sweet Touch ID unlocking action and one-tap logging in. You can get Retro 2.2.1 for Instagram in the App Store.

InBrowser – Private Browsing

InBrowser is a web browser for iPhone and iPad with privacy at its heart. In fact, everything will be erased every time you exit InBrowser, including history, cookies, and sessions. You also get tabbed browsing, browser agent cloaking to avoid mobile sites, AirPlay, and more.

Considering InBrowser’s focus on privacy, it’s a good thing the latest version gained the 1Password extension. Now you can unlock your 1Password vault right inside InBrowser with Touch ID, log in with a tap, and leave no trace when you’re done. You can get InBrowser 1.55 in the App Store now.

Treehouse

Treehouse for iPad is “the best way to learn technology.” You can learn to build everything from websites to iPhone apps to web apps, or even to start a business. Over 1,000 videos, quizzes, and interactive code quizzes help you to learn and retain your new skills.

For its big upgrade, Treehouse now includes the 1Password extension so you can unlock your vault with Touch ID and log into your account with a single tap, or sign up for a new account with our Strong Password Generator! You can get learning with Treehouse 2 now in the App Store.

Paste+

 

Paste+ for iPhone is an interesting new breed of iOS 8 apps in that it is primarily a Today widget, and a useful one at that. When you copy something to your clipboard, Paste+ has lots of quick one-tap actions you can take with that thing, such as search it in Google, upload to Dropbox, share to social media and messaging, create reminders, make calls, and much more.

We’re thrilled to see that, for its 1.0 debut, Paste+ included our 1Password extension for login prompts. When you need to authorize Paste+ to access Dropbox, Twitter, or other services, you can unlock your vault with Touch ID and use 1Password to log in with a single tap.

You can get the first-ever version of Paste+ in the App Store now.