1Password tips

Quick Tip: Migrate your details between 1Password items

We all have our own ways of keeping things neat and tidy, and having something out of place can just throw your whole day out of whack. Luckily, 1Password mini can help you keep things organized just the way you like them.

Let’s say someone sends you the details for the Wi-Fi router at their house, but it’s in a Secure Note instead of the Wireless Router template for 1Password.

Wireless network data stored in a Secure Note

If you’re like me, this is the kind of thing that could make you a bit, well…

homer_go_crazy

So, let’s move the relevant data over to a new Wireless Router item and set things right with a few simple steps:

1. Create the new item

In 1Password, create a new item in the proper category. Launch 1Password, and choose File > New Item > Wireless Router. This is the new item where the previous Secure Note’s content will go. Leave this new item in edit mode.

Create a new Wireless Router item

2. Open the original item in 1Password mini and anchor it

Click the 1Password mini icon in the toolbar and search for or browse to the Secure Note containing the details you want to migrate to the new entry. Click the anchor button in the bottom left of the detail view to keep the item on screen.

Copy and paste the details

3. Copy and paste

At this point, you can copy and paste the relevant information from the original item. You can also create new sections and fields for any important information that doesn’t fit elsewhere. When you’re finished, save the new item.

4. Delete the original item

At this point, the original item is no longer needed and can be safely deleted.

5. Bonus points: share!

Share the new entry with the person who sent you the Secure Note version using the item’s Share button.

Share the item

This use case comes up for me more often than I would have thought in the past. The Wireless Router example is a real one from a recent trip to visit the team in our Toronto office. Beyond that, I have quite a few items I exported from Yojimbo long ago, and those only exported as plain text files. I imported those text files as Secure Notes in 1Password and I have been migrating them to proper 1Password entries here and there over time. Instead of switching back and forth between items in 1Password, using 1Password mini’s anchored windows helps to make the process of migrating data between categories a lot simpler.

more than just passwords

Staying on top of deadlines and expiry dates

1Password is at its best when it’s helping us forget — not just our passwords and credit card numbers, but also where we put that thing. 1Password remembers, so we don’t have to. It’s easy to get hooked on this line of thinking. You start to ask yourself: what else can I afford to forget about?

How about deadlines? I’m not talking about calendar appointments. Think instead of the warranty on your laptop — the one that always runs out days before you need to use it. Think of the gift card you need to spend before Father’s Day. The domain name you keep forgetting to renew. The annual subscription you plan to cancel before you get charged again.

So much of our sensitive information comes with a best before date — and 1Password is great at keeping track of best before dates.

expires soon

You’re probably used to filling in the expiry date field for your credit card, but you might know that it’s also built into lots of other 1Password items — Passports, Memberships, Driver’s Licenses, etc. You can also add it to your own items using custom fields.

Once you assign expiry dates to all your time-sensitive items, you’re one smart folder away from seeing anything that needs your immediate attention.

expiry smart folder

The key to making this work is the second field (“Any Value” -> “contains”), which I’ve set to the current year. You could also fill in “2015-05″ to see only the items that expire in May, but tweaking this value every month might be too fiddly for your tastes. I find a year’s worth of expiry dates is manageable so long as I review the folder every once in a while.

1Password won’t ever replace my calendar, but there are some due dates it handles with style — especially when it comes to information I can’t risk keeping anywhere else.

How do you use 1Password to make your life a little more manageable? We’d love to find out. Share your creative ideas in the comments!

more than just passwords

Simple and secure gifting with 1Password

I’ve moved a lot during my ‘adult’ life, and as such, I’ve got friends and family across the country, and around the world. Since I don’t see most of them nearly as much as I would like to, I like to send out random gifts every now and then to remind them that I think they’re awesome and to give them a bit of a smile. It can be a silly little craft I’ve made or a card with a note. Often, it’s something that I see online that I know they’d just love.shirt design by DoOomcat on woot.com

One frequent benefactor of my online shopping addiction is my soon-to-be-seven year old niece, Maddie. When a friend showed me a new nerdy t-shirt design on one of our favourite shirt-a-day sites the other day, I knew it would be perfect for Maddie.

When I went to fill in Maddie’s address in the shipping details, it occurred to me that I type this address a lot … and I really don’t want to.  So, I switched over to 1Password and filled her address into a fresh new Identity item instead. When I switched back to the shipping form, I could fill her address with a few clicks. Now it will be easier than ever to send stuff her way, and I’m quickly filling up my Identities category with the addresses of other family and friends.

Maddies Identity

Bonus tip:  to make this category even more useful, use the notes field of the Identity to store gift ideas – you’ll know where they are when you need them, and they’ll be safe from curious prying eyes!

more than just passwords

“1Password, find my stuff!”  (How to not lose anything ever again)

Paper: it’s the bane of our digital existence.

Most of it you can scan and keep in 1Password. But some of it you just can’t digitize away. Think of those handwritten postcards from your best friend. Your glossy, autographed Star Trek prints. Your passport. Your college diploma. Your tax returns (‘tis the season).

All that stuff has to be kept somewhere safe, somewhere not-on-a-computer. And for people like me, that’s a virtual guarantee it will end up lost.

If you’re nodding your head empathetically right now, I encourage you to read on. Because I’d like to let you in on a secret:

With a bit of encouragement, 1Password can actually give you the answer to an all-too-familiar question: Where did I put that thing?

findmystuff

How I trained 1Password to find my stuff

The first time I misplaced my passport on the morning of an international flight, I cursed my bad luck. The second time, I resolved to teach 1Password how to keep track of my most important possessions. That way, I wouldn’t have to.

I created entries for anything and everything I was afraid to lose: the lease for my apartment, my health card, even my winter gloves.1 In each entry, I added a section—“Where is it?”—and a custom field labelled “location”. I filled in each “location” field with the object’s last known hiding place.

autographed

Once I had catalogued enough stuff, all I had to do was create a new smart folder and configure it to match any items with a “location” field.

smartfolder

Now I could look up my physical possessions just as easily as my digital ones. And because “Find my stuff” was a smart folder, it would stay up-to-date as I added new items. (Picture a hyper-intelligent take out drawer—it always has the dim sum menu you’re looking for.)

I still can’t remember what I did with last year’s tax return. But whenever I do need to look up something that I’ve filed away in meatspace, the answer is now just a click away. “Hey 1Password! Where’s my stuff?”

How do you use 1Password to make your life a little more manageable? We’d love to find out. Share your creative ideas in the comments!


  1. Don’t knock it! On that first cold morning in October you’ll be glad you told 1Password where your gloves were back in April.
1PM icon 1024

The new wonderful-ness of Wi-Fi sync

The ability to have your secure password data with you on all of your devices is one of the most important features of 1Password. Of course, strong encryption of your data is vital as well, but it is sync that ensures that you can use these strong and unique passwords across all your devices easily.

Ensuring that users have access to their data everywhere they need it is not always a simple process. Let’s take a look at the development of Wi-Fi sync in 1Password, and see some of the great improvements our developers have made lately.

The beginning of Wi-Fi

We begin back before the dawn of 1Password 4. The Wi-Fi Sync of 1Password 3 provided a… less than ideal user experience. When our developers sharpened their tools to craft 1Password 4, the initial version of 1Password 4 for iOS was released without the feature.

Users were not content with this omission and lobbied us by forum and by email and by all means necessary, declaring their love for Wi-Fi Sync (and as well they should!) Hearing their pleas, our developers went back to the Agile Forge and re-designed Wi-Fi Sync for its triumphant return in 1Password 4 for Mac.

Wi-Fi’s triumphant return

Even after we reintroduced Wi-Fi Sync in 1Password 4 for Mac, we knew we could do better. We kept polishing and strengthening the feature, and now with the release of the Syncerrific Edition, Wi-Fi Sync is the powerful, cloud-free sync option that our users both need and deserve.

Let’s look at some of the improvements to Wi-Fi sync in 1Password 5:

  • Attachments: Wi-Fi sync now syncs every nook and cranny of your vault … including all of your attachments.
  • Multiple Vaults: Got multiple vaults? No problem. Wi-Fi sync can handle that. Sync all your vaults to your mobile devices without ever touching the cloud.
  • Automatic: No more need to frequently type in secrets – sync your data whenever your devices are linked to the same Wi-Fi network as your Mac.

1Password 5 Wi-Fi preferences

Learn about how to set up Wi-Fi sync for all of your vaults in our User Guide.

We’d like to thank all our wonderful users for their persistence. 1Password is a better, stronger, faster product for you today because you keep us on our toes.

Keep being awesome.

1PW4 expand notes field

1Password for Windows Tips: The Incredible Expanding Notes

All 1Password items have a notes field where you can add any extra details you want. Some people add street addresses to items that have physical locations, others add device serial numbers to their maker’s Login items for quick reference.

A nice trick in 1Password 4 for Windows is the Notes field can expand when you need more room. If you simply mouseover the Notes field’s bottom bar (the one that separates it from Tags), you can click and drag to make it larger and add whatever you need.

Tips & Tricks: 1Password 5.1 for iOS

1Pi iOS 7 icon 1521Password 5.1 for iOS is now up in the App Store, and it sports some great new stuff based on your feedback. In fact, there’s enough for a bulleted list not much unlike this:

  • Touch ID now has 42% more touch, 27% more ID – We simplified our Auto-Lock settings for your Master Password and Touch ID to be clearer. Give Settings > Security a look.
  • Tags go mobile – Need more than folders? Folders just not your thing? Now you can add tags to items on iOS. Sub-tip: they’re comma separated.
  • iPhone 6- and 6-Plus-ified – Better graphics, even richer icons, and other tweaks for iPhone 6 and 6 Plus owners.
  • Custom keyboard control – Third-party keyboards are a big thing in iOS 8, but they don’t need to be in your 1Password (in short, some of them can transmit what you type to servers for, ideally, useful text-in-the-cloud stuff). We disable them by default, but you can turn them on in Settings > Advanced.

We hope you enjoy! If you get a minute, please spread some of your review magic in the App Store. They really do help!

1P iOS8 Safari Extension

1Password 5 for iOS how-to: Enable the extension for Safari and third-party apps

1P5 iOS App Extension sheet

1Password 5 for iOS is now available for iOS 8 and it. is. amazing. One of its best new features is an App Extension that lets you fill Logins directly in Safari and even third-party apps!

There’s just one thing you have to do: like all iOS 8 App Extensions, you have to manually enable the 1Password extension if you want to use it in Safari and other apps. It’s easy to do it, and we have a great support document that shows you how.

The simple version is that you just need to launch 1Password 5 first (and set it up if you never have), then tap the Action menu, scroll to the right of the actions list (the bottom one with black and white icons; Share extensions are on top), tap More, and enable it.

Then you can get on with filling Logins (and soon Identities and Credit Cards) right into Safari!

Windows v4 blog

Watch what you type: 1Password’s defenses against keystroke loggers

1Password for WindowsI have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer [and obtained root privileges], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer, particularly keystroke loggers, could capture your Master Password.

Safe at rest

Let me clarify one thing before going on. 1Password does protect you from the attacker who breaks into your computer and steals your 1Password data. The 1Password data format is designed with just such attacks in mind. This is why your data is encrypted with keys derived from your Master Password. It is also why we’ve put in measures to make it much harder for an attacker to try to guess your Master Password in the event that they do capture your data.

Even if an attacker gains access to your computer and 1Password data, there is little she can do without your Master Password. In this article, I’m focusing on another kind of attack in which the attacker tries to “listen in” to you typing your Master Password. This attacker is running a program on your computer that attempts to record everything you type on the keyboard or enter through some sort of keyboard-like device.

Countering counter-counter measures

I will get to the details below, but this article aims to describe and explain a change in how 1Password for Windows secures its Secure Desktop, a counter measure against a common type of keystroke logger. This change was added recently to 1Password 1 for Windows and has been included in 1Password 4 for Windows since its launch.

Márcio Almeida de Macêdo and Bruno Gonçalves de Oliveira of Trustwave SpiderLabs have discovered a way that a keystroke logger could work around our use of Secure Desktop and reported this to us. They have now reported this publicly (link might be having trouble, but it’s listed among their Security Advisories). We have since added a mechanism which prevents that particular counter measure to Secure Desktop. We very much appreciate SpiderLabs for giving us the opportunity to put a fix in place before announcing their discovery to the public. Trustwave SpiderLabs might grab fewer headlines by having done the right thing, but they have done the right thing.

Secure Desktop itself is a counter measure to keystroke loggers. De Macêdo and de Oliveira’s discovery is a counter measure to our counter measure. We have now introduced a counter-counter-counter measure. All of this will be explained, but it requires a lot of background into how keystroke loggers work and various ways to defend against them.

Keystroke loggers

Keystroke loggers attempt to capture everything that is typed on a particular computer or keyboard and pass that information on to a third party.

There are one or two legitimate uses of these (such as in research on writing), but those all involve the consent of those whose key strokes are being logged. More typically, keystroke loggers run surreptitiously, and are an attack on user privacy. I know that people don’t come to this blog for relationship advice, but if you are seriously tempted to install a keystroke logger to spy on a spouse or lover – a popular use of these things – then I have my doubts about the future of your relationship. Since you didn’t come here for relationship advice (and if you did you came to the wrong place), let’s return to how keystroke loggers work.

Logger in the middle

There are many different ways that keystroke loggers can work, but one useful way to think about this is as something (either hardware or software) that sits between your keyboard and the program you are typing into, something which shouldn’t be there.Hardware PS/2 keylogger in action

For keyboards that are attached to a computer with a cable, the simplest keystroke loggers are little physical devices that the attacker plugs into the computer, and then plugs the keyboard cable into that.

The keystroke logger is, in this case, sitting between the keyboard and the computer. The computer thinks it is talking directly to the keyboard, and the keyboard thinks it is talking to the computer, but the keystroke logger is sitting between them.

Alternatively, software keystroke loggers sit between components deep within the operating system and silently grab data. Things that are embedded that deeply or are using hardware loggers are not things that user software can detect or defend against.

Most keystroke logging is shallow

Most keystroke loggers take a simpler approach, rather than inserting themselves deep within the system. It is much simpler to write a program that says “hey, I am a program that needs to know everything that is coming in from the keyboard.” Operating systems provide hooks for programs to do exactly that.

You might be asking why operating systems might make writing keystroke loggers so easy. What business does any program running in the background have in seeing the input to some other program? One reason is to help my poor dog Molly, who suffers from (among other things) diabetes. This has led to sufficient necrosis in her paws so that she cannot easily type using a standard keyboard. The specialized device that she uses involves some clever software that looks at the input and uses various predictive technologies to replace the actual input with the intended text. This system intercepts (and changes) input bound for any program running on her computer; however, as far as most programs know, they are just getting input from a “keyboard”. Assistive technologies similar to the one Molly uses are a big part of making computing and communication accessible to more people.

Not only is a basic keystorke logger easy to write, it doesn’t require a complete break into a system. Different processes on a computer run with different privileges. When Molly logs in to her account and runs a program on a computer, the program is run under her user ID and with her privileges. This means that she isn’t able to interfere with processes that are run by Patty (the other dog). She also isn’t able to interfere with the system as a whole. If Mr Talk (the neighbor’s cat) tricks Molly into running a malicious program, that malware will be limited in the damage it can do.

The really deep and hard-to-avoid keystroke loggers would require full power over the system to install. But one of these simpler keystroke loggers requires only the privileges of the user whose keystrokes are to be recorded. So if Molly gets tricked into running a keystroke logger, it won’t affect Patty even if they use the same computer (as long as they are using different accounts). As you can imagine, the bulk of malicious keystroke loggers that spread through computer infection are of this shallower sort.

Counter measures

Now that we have some idea of how the typical keystroke logger works, it’s time to look at some counter-measures. The two most important counter-measures are:

  • keep your system and software up to date
  • exercise caution in what software you install and run

But let me focus a couple of the counter-measures that 1Password takes.

Counter measures on Mac: Secure Input

On Mac OS X, there are two simple provisions that makes it easy to thwart those shallow key loggers. The first one of these is called “Secure Input” and was introduced with OS X 10.3 Panther in 2003. A program—1Password for example—can say, “when the user types something into this particular input field, it must be done in a way that other processes can’t interfere.” Secure Input needs to be used sparingly, as it blocks all of the sorts legitimate activity, including assistive technologies that many people (and a few dogs) rely on. And Secure Input blocks TextExpander, which I rely on.

1Password declares the field in which you type your Master Password as a “Secure Input field”, then ordinary key loggers won’t have access to it. Since last year’s OS X 10.9 Mavericks, there is another defense built into the operating system. A program can only capture all of a users’ keystrokes if the user has explicitly granted it that permission in System Preferences > Security & Privacy > Privacy under Accessibility. As I described earlier, most (but not all) such software are components of assistive technologies designed to make computers accessible to more people. That is why this system preference is ultimately under Accessibility.

Between these two mechanisms – Secure Input and that any application which has the capacity to log keystrokes must have explicit user approval to do so – OS X defends against these otherwise common sorts of keystroke loggers.

Counter measures on Windows: Secure Desktop

1P Win unlock secure desktop

Windows doesn’t offer the same sorts of defenses that OS X has, but it does allow for the creation of somewhat isolated environments called “Desktops”. On Windows, one can set up different Desktops in which only your program is running (along with system processes). A program running in one Desktop will not be able to listen in on keyboard input in a separate Desktop.

You will find a button that says “Unlock with Secure Desktop” in the upper right corner of the lock screen in 1Password 4. Clicking on that launches the Secure Desktop in which you will be prompted for your Master Password. You can take a look at Unlock with Secure Desktop in action.

Countering Secure Desktop

What de Macêdo and de Oliveira have discovered is that there is a way to set up a keystroke logger that does operate in all desktops, not just the one it was started in. Quite simply, their system launches a process that is able to listen for the creation of new desktops and add a process to each desktop created.

The ease at which they were able to do this (well, everything looks easy in retrospect) reflects the fact that the SwitchDesktop function in Windows was not designed for security purposes. We and others who use Secure Desktop as a mechanism for evading keystroke loggers have been taking advantage of the relatively isolated environment of a separate Desktop. Once the authors of keystroke loggers take our counter measures into account, they can launch counter-counter measures like the one Trustwave describes.

Knowing your environment

We want nothing but system processes and 1Password’s Master Password entry to be running in a Secure Desktop. We don’t want other, probably malicious, processes joining that Desktop. And so, our counter-counter-counter measure is to simply look around and see if there is anything running in the SecureDesktop that is unexpected.

If some unexpected process is found in the Secure Desktop environment, you’ll be prompted to close the Secure Desktop.

Secure Desktop: 1Password has detected an unknown process

Lessons

1. Keep your system and software up to date

The single biggest thing you can do for your computer security is to keep your system and
software up to date. The overwhelming majority of actual break-ins are through vulnerabilities that have already been fixed by the software vendors.

2. Pay attention to what software you install and where you get it from

Keystroke loggers and other malware are often installed unwittingly by the victims themselves. Try not to be one of those victims. Be particularly careful of anything that tries to frighten you into installing it. Fake security software and alerts are a common way to get people to install malicious software.

The move toward curated app stores offers additional protections, but it isn’t a complete solution. Still, using those where available will reduce your risks.

3. Use Windows Defender on Windows

I have long been skeptical of most anti-virus software, but Microsoft Security Essentials is something I can unequivocally recommend for those using Windows 7. In Windows 8, Windows Defender is automatically built in and enabled.

4. Understand what software can and can’t do for you

The core security design of 1Password is extremely strong. Quite simply: if you have a good Master Password, nobody who gets a copy of  your 1Password data will be able to decrypt it. 1Password can and does offer outstanding security.

At the same time, 1Password is limited in what it can do to protect you when you are using a compromised computer. It can (and does) offer some protection against shallow (the most common) attacks. But this is a bit of an arms race. As you see, we have had to put into place a counter measure to a counter measure to our counter measure against common keystroke loggers.

This is why the first two items on this list are so important.

In conclusion

1Password takes extraordinary and effective steps to protect your data. This is built into every aspect of its design. But you have to help protect 1Password from malware running on your machine. We do what we can to make things harder for the malware writers, but we can’t do it alone. You must try to provide a safe environment for 1Password and all of your software to run in.

This shared responsibility is similar to that which we have with your Master Password. We provide excellent encryption and protections and defenses against automated password guessing. But you have to pick a good Master Password and treat it well. For those who might be wondering, displaying your password on a giant screen is not treating a password well.

wold-cup-wifi

Strong-Password-Generator-hero2

Heads up: Your best defense against the Russian hacker data breach is still strong, unique passwords

The bad news: Russian hackers claim to have gotten their hands on a sizeable collection of login credentials and emails.

The semi-good news: the story might not add up. According to The Verge, most, if not all, the credentials may simply have been collected from previous breaches we already knew about, including Adobe, LinkedIn, and others.

The good news: strong, unique passwords for all your sites are still your best defense. If shady individuals nab one or even more of your accounts, 1Password’s unique passwords prevent them from using that information to break into all your accounts.

Unfortunately, we live in a world where data breaches are going to happen. As my colleague Jeff Goldberg likes to remind us: security is a process, not a destination.

Strong Password Generator hero

The best way to defend against breaches large and small is the same as it ever was: use 1Password’s Strong Password Generator on Mac, Windows, and iOS to create strong, unique passwords for all your accounts with a single click.

1Password’s Security Audit feature is also a great way to stay on top of your security. It shows you duplicate and weak passwords, and our built-in 1Password Watchtower service warns you to change your passwords for any of your Login’s sites that have recently been breached.

As usual, the headlines sound big, but the solution is simple. Use 1Password’s Strong Password Generator for the best defense against data breaches. As this matter is examined further, we’ll let you know more about breach sources or any other pertinent details.