1Password, Heartbleed, and You

Our co-founder, Dave Teare, sent an AgileBits newsletter to our subscribers Friday night about the internet’s Heartbleed bug and how you can use 1Password to defend yourself and change all your passwords. We had a surprising number of requests to republish it here, so I’m happy to oblige!

And now, our Heartbleed newsletter, republished here for our blog readers.


Hello everyone,

I’m writing to you today with some very important news. A vulnerability named Heartbleed was discovered in the software that protects most web sites.

Please read on to see what actions you need to take.

What is Heartbleed?

Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it’s what’s responsible for the padlock icon in your browser’s URL bar while browsing the web.

Normally when browsing a site using SSL, you can trust that the information you send to the website can only be seen by the website itself. This keeps your private information, such as credit cards, usernames, and passwords, secure.

The Heartbleed exploit enables attackers to bypass the protections provided by SSL. This means any information you sent to a website that relied on vulnerable versions of OpenSSL could potentially already be in the hands of the bad guys.

I found this XKCD comic explained perfectly how the Heartbleed exploit works.

1Password is Not Affected

There is a lot of work to be done as a result of Heartbleed, but let’s start by talking about what this vulnerability does not mean.

1Password does not rely on OpenSSL to secure your data. Your data in 1Password is protected using Authenticated AES 256-bit encryption and can only be unlocked with your Master Password.

This means 1Password is not affected by the Heartbleed bug and there is no need to change your Master Password.

With that said, there is still a lot of work to be done…

Update Your Passwords, Phase 1

While your data is safe within 1Password itself, there is a good chance websites you used were vulnerable and did not protect your username and password.

The knee-jerk reaction to this news is to change all your passwords immediately. While I will be recommending you change your passwords, not all websites have been updated yet to protect against this vulnerability.

The best advice I can give you is to change your most important website passwords immediately, including your email, bank accounts, and other high value targets. This will provide your best defense against previous attacks.

After a few weeks, websites will have been upgraded with new SSL certificates, and you will be able to trust SSL again. At this point you should change all of your passwords again.

How to Change Your Passwords

Changing your passwords on every website is a chore. On the bright side, 1Password makes it easy to upgrade all your website passwords.

How to Update Your Passwords

Heartbleed is a very serious issue so I hope you will take the time needed to update your passwords. Ideally you would change all your passwords, but at the very least, please update the most important ones.

Stop The Bleeding

New, strong, unique passwords are your best defense against Heartbleed. 1Password makes this easy.

To make it easier for everyone to improve their security we decided to put 1Password on sale.

Save 50% Off 1Password and Stop the Bleeding

Please share news of Heartbleed with your friends and families. Simply forwarding this email is a great first step to helping them know that this is a serious issue.

I know I will be using this opportunity to finally convince my mother that she needs to take her internet security more seriously. Hopefully you will also be able to turn this crisis into an opportunity for good.

Stay Tuned

The Heartbleed story is continuing to evolve. I’ll be in touch again soon with an update.

While I normally send these newsletters infrequently, given the gravity of this situation, I’ll likely be sending a few extra this month. I hope you find this helpful.

To get updates even faster, be sure to friend us on Facebook or follow @1Password on Twitter.

Please keep in touch and let us know if there is anything we can do to help.

1Password for Mac Tips: How to update your passwords

[Image: 1P4 Mac update Login]

In every password’s life, there comes a time to get changed. Maybe it was never a very good password to begin with, maybe you were a victim of password reuse, or maybe you were among the 200 million accounts stolen in the recent Adobe and Sony breaches.

Fact is: every password dies, not every password really lives.

When it’s time to change a password, the latest versions of our browser extension and 1Password 4 for Mac make it really, really easy. Give this a shot:

  • Use the extension to log into your service of choice
  • Go to the password reset page; it’s usually in Settings or Options somewhere
  • (Optional) If your current password is required, click our extension and mouse to the right of the Login you want to update. Your details will appear in a menu to the right. Mouseover your password and click to copy it to your clipboard, then paste it into the Current Password field in the webpage (keyboard shortcut fans will be happy to know you can do all this with arrow keys and Return to copy the password)
  • Click our browser extension and go to the Password Generator to get a unique, super strong new password. Customize any details you like (such as length or special characters), then click Fill to automatically fill it into the New Password fields on the page
  • Click the Save button in the password reset form, and the 1Password extension will offer to update your existing Login, much like that glorious window you see above. If you have multiple Logins for the current site, be sure to pick the right one to update

Click Update in that window, and your new password is now saved for your existing Login! But wait, there’s more, and you can see it if you click that little details arrow next to the Login name:

[Image: 1P4 Mac update Login extra details]

If you make use of 1Password’s tags and folders (you should, they’re really handy!), you can add tags and file this updated Login into an existing folder, all right from the extension. Plus, if you give 1Password 4 for Mac’s new Security Audit feature a whirl, you can get a good idea of which passwords you might want to update first. Super cool?

Very super cool.

‘Take Control of 1Password’ ebook updated for all our big v4.1 Mac features!

Remember how Joe Kissell wrote an entire book about 1Password? It covers how to get started with creating unique, strong passwords for all your sites, then how to get the most out of 1Password by securing all the other critical aspects of your identity, financials, and more. Well, Joe didn’t stop there—he’s already back with a free update!

Take Control of 1Password v1.1 covers the big changes we brought to 1Password 4.1 for Mac, including the excellent new ability to update an existing Login’s password right in your browser, new printing options, and much more. It’s a great update and we thank Joe for covering all our new goodies so thoroughly!

If you already own a copy, you may have received an email with instructions on how to update, or you can log into your Take Control Books account and grab it there. If you have yet to pick up your copy—run, don’t walk, and grab Take Control of 1Password for yourself or a friend to learn about all the ways 1Password can make security more convenient.

1Password for Mac Tip: One-click to tidy up your vault

Your 1Password 4 for Mac vault is probably filled with a collection of website Logins, Secure Notes, reward program memberships, and more. There may also be a number of Generated Password items too, and some of them might be redundant because they were turned into Logins. If you want a simple way to clean up these redundant items (and an explanation for why they’re there), here’s a quick trick you can use.

Simply unlock 1Password with your Master Password, then go to Help > Tools > Remove Redundant Generated Passwords. You’ll get a prompt like the one below, telling you how many items were found and offering the chance to back out.

[Image: Trash redundant duplicates]

Note: I have over 1,500 items, so your results may vary :)

If you click Move to Trash, 1Password will do your bidding. To err on the side of caution, 1Password does not automatically empty the Trash, so you have one last opportunity to recover any you might need.

The backstory, if you’re curious

Erring on the side of caution is the reason these redundant Generated Password items are around in the first place. In many cases, we can detect when a Generated Password item becomes a Login, and we automatically convert the item to get it out of your way.

Bonus Tip: click any Generated Password item, then click the Convert to Login button at the bottom to perform this process manually.

However, in some cases, we can’t detect this Password –> Login process. Instead of guessing wrongly and deleting an item that you actually need, we play it safe and keep them around. But with this Remove Redundant Generated Passwords tool, we gave you a choice and a quick way to do some spring vault cleaning.

1Password + Holidays = Sanity

We’re headed into the home stretch of 2013, and between travel coordination, meal planning, and shopping, there’s a whole lot of holiday stuff to juggle. If only we had computers that fit in our pockets that could make things easier… wait. We do have pocket computers, and 1Password for iOS just went on sale, so here are a few tips that will help you stay on track during the holiday season.

Secure Notes And You

We love Secure Notes. You can keep all kinds of things in them! A few examples:

  • Travel itineraries. Since you already have your logins in 1Password, add your trip info as a Secure Note. Then if you need to rebook or make a change, you’re one tap from logged in! You can also add the garage door or alarm codes for your in-laws’ house, or other temporary things you might need.
  • Shopping information. Got lots of people to track gifts for? Create a Note for each person, and add clothing or shoe sizes, preferences in colors, or ideas you came across before you were in full Gift Shopping Mode.
  • Epic menu data. You can keep lists of guests, their allergies, and their preferences, or even keep those Secret Family Recipes super secret!
  • You can keep lists of how people are related to each other (particularly handy for new family members), and nobody will stumble across it by accident! They’ll just think you have a great memory!

Shop Securely… anywhere!

You already know you can store your credit card data in 1Password and fill it securely in a snap. Some other ways you can make shopping with 1Password more convenient are below:

  • Add all your card info to the 1Password Credit Card item, including all that information on the back about calling customer service or replacing a card. Then if you need it, just tap the phone number to make the call.
  • A number of popular websites have gotten more mobile-friendly, so now when you have the inspiration, you can log in using the built-in 1Browser and whip up a little holiday magic right from your iOS device. And if you combine that with “buy online, pick up in store” service, you’re only in the store long enough to pick it up, get a receipt, and get out again. (This does wonders for my budget!)
  • Identity Sorcery. Set up Identities for family members you regularly ship things to. Label them clearly, and voila! No more fumbling for info when you need to send something to kids or grandkids or anyone else.
  • Remember that you can always gift 1Password to those family members who are bad at remembering passwords or use the back of their address book. You can gift a copy from our store, or you can buy an iTunes gift card to gift the Mac App Store version.

Now here are a couple of bonus tips for those who think of Black Friday and December 26 not as days for power shopping, but as Family Technology Maintenance And Probably Assistance Hooking Up The New Thing They Just Got Day:

  • Keep Wi-Fi login information in 1Password for family routers. And while you’re at it, take photos of those stickers on the side/bottom of the router and modem with all the model information and serial numbers. Then when you’re trying to assist from afar, your search-fu is increased by including the model.
  • Expansion of the previous item: If you give or receive some tech, get a photo of that model/serial sticker on the device before you put it on the wall or in the A/V cabinet, then you have it later when you need it. (I attach these to secure notes with all the other information about the item, such as when and where it was purchased.)
  • Add other family logins to your login items, and tag them so you know they’re family items. Then save them in a smart folder. When you need a family login, that folder has everything in one place.

Hopefully these tips will keep your holiday season a fun one. :)

Time to give 1Password 4 for Mac’s Security Audit a whirl

It was bound to happen eventually. A massive Adobe data theft of 130 million customer names, emails, encrypted passwords, source code, and more will enable almost limitless password reuse attacks in the coming weeks.

Suppose you are one of the 130 million people whose oddly encrypted passwords were part of the Adobe password breach. Suppose that you used the same password there as you do for PayPal.

To make matters worse, suppose you actually listed that fact in Adobe’s password hint. Since the malicious attackers dumped the Adobe data online, a quick check of Adobe customer password hints shows that there are more than 700 that say things like “paypal” or “sameaspaypal”. There are more than 20,000 hints referring to “bank”. I will talk about password hints at some other time; my point here is all about password reuse.

Only a fraction of the people who are reusing passwords will make that clear in their password hints. We already know password reuse is common. We also know that criminals do indeed exploit password reuse to steal from people.

I am very tempted to explain all about Adobe’s peculiar method of storing passwords. It’s really a cool story with lots of interesting lessons, and explaining it would involve poorly encrypted pictures of a penguin.

I am also tempted to dive into gory details of the statistical properties of the data, the analysis of which has kept my computer busy for days on end. Likewise, I could rant about Cupid Media’s failure to encrypt or hash passwords for 42 million customers. Or I could talk about privilege escalation and the MacRumors discussion forums breach of 860,000 hashed passwords a week earlier, leading to the capture of all 860,000 hashed passwords.

But it is far more important for me to repeat what we’ve said in many different ways and at many different times: Password reuse—using the same password for different sites and services—is probably the biggest security problem with password behavior.

We want to fix that.

Knowing the right thing to do is easier than doing the right thing

Like most people, you weren’t born using 1Password; it’s something you came to use later in life. Now that you use 1Password, you will (or should) be using the Strong Password Generator when you register for a new website so you get a strong, unique password.

But think back to those dark days when you needed to come up with passwords on your own. You probably picked from a small handful that you had memorized, so now you’re stuck with a bunch of sites and services for which you used the same password.

Getting all of those old passwords sorted out is going to be a chore, but it doesn’t have to be done all at once. Best of all, 1Password 4 for Mac can help, thanks to its new Security Audit feature.

Let’s use an analogy: say that Molly (one of my dogs, and not really the cleverest of beasts) has just started using 1Password. She has a few passwords, but not many. Even though she doesn’t know how to push open a door that is already ajar, she can make use of the new Security Audit tool in 1Password for Mac.

In the left sidebar of 1Password 4 for Mac, down toward the bottom, there is a section called “Security Audit”. When Molly clicks (or paws) “Show” next to “Security Audit” she sees a number of audits available. She can select “Weak Passwords”, which will show her all of her items with weak passwords. She can also look at password items that are old. But the selection we are interested in today is “Duplicate Passwords”.

Security Audit in 1Password 4 for Mac, displaying Molly’s duplicate passwords

What Molly sees is that she has two sets of duplicates. One of them is used for two Logins, and the other one is used for four Logins. As we can see, her Adobe.com password of “squirrel” is used for her Barkbook, Treats R Us, Cat Chasers Logins as well.

Molly should, of course, go to each of those sites and change her passwords on them. But there are squirrels in the back yard to bark at, and changing all of those passwords may seem overwhelming. So Patty (the cleverer dog in the family) advises Molly to think about which of those Logins are most crucial. Molly can’t tolerate the thought of anyone else getting a treat; so she starts with Treats are Us.

This does mean going to the Treats are Us site and using its password change mechanism. 1Password is smart, but it isn’t quite smart enough to go browsing through the sites to find their password change pages. Molly may decide that her Barkbook Login is also very important, and so will change that one right away as well.

Ideally, Molly should fix all of her weak and duplicate passwords as soon as possible. And as Molly has only a handful of Logins, she could do that. But for those of us who may have a large number of old accounts, it is probably best to check Security Audit and update reused or weak passwords at the most important sites first. Then, updating other passwords a few at a time is an easy way to make all our accounts much more secure.
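The duplicate-password check and the "most important sites first" ordering described above can be sketched as follows. This is an added example, not 1Password's code: the vault layout, the `priority` field, and the "Example ..." entries are assumptions constructed for illustration; only "squirrel" and the four Logins that share it come from the text.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample vault modelled on Molly's Logins. The "priority" field
# (3 = most important) is a hypothetical rating the owner assigns by hand.
SAMPLE_VAULT = [
    {"title": "Adobe.com", "password": "squirrel", "priority": 1},
    {"title": "Barkbook", "password": "squirrel", "priority": 2},
    {"title": "Treats R Us", "password": "squirrel", "priority": 3},
    {"title": "Cat Chasers", "password": "squirrel", "priority": 1},
    {"title": "Example Vet", "password": "w00f-w00f", "priority": 2},
    {"title": "Example Kennel", "password": "w00f-w00f", "priority": 1},
    {"title": "Example Bank", "password": "kX9#vTq2!mLp8@Zr", "priority": 3},
]


def find_duplicate_passwords(items):
    """Return groups of Login titles that share a password, largest group first.

    Passwords are compared through an HMAC under a throwaway random key, so
    the index built here holds no plaintext and its digests mean nothing
    outside this one run.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for item in items:
        digest = hmac.new(key, item["password"].encode("utf-8"),
                          hashlib.sha256).digest()
        groups[digest].append(item["title"])
    duplicates = [titles for titles in groups.values() if len(titles) > 1]
    duplicates.sort(key=len, reverse=True)  # stable: ties keep vault order
    return duplicates


def change_order(items):
    """List every Login with a reused password, most important first."""
    reused = {t for group in find_duplicate_passwords(items) for t in group}
    ranked = sorted(
        (item for item in items if item["title"] in reused),
        key=lambda item: (-item["priority"], item["title"]),
    )
    return [item["title"] for item in ranked]


if __name__ == "__main__":
    for group in find_duplicate_passwords(SAMPLE_VAULT):
        print(len(group), "Logins share one password:", ", ".join(group))
    print("Change in this order:", ", ".join(change_order(SAMPLE_VAULT)))
```
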

Apps that Love 1Password: Delivery Status touch

You buy stuff online, and you need to know when it’s going to show up at your house, work, or your lucky recipient’s doorstep. For years, community favorite Delivery Status touch has made it, dare I say, fun to track your packages. Now it’s adding the convenience of 1Password.

Delivery Status touch 5.0 just hit the App Store and it is a whopper of an upgrade. In addition to big new features like optional background notifications, Calendar support, and iCloud sync, you can use the new 1Password integration to quickly log into services and add packages to track.

For supported services like Amazon and Google Checkout, Delivery Status touch can simply log into your account and pull down the details it needs. Tap the new 1Password button in the service login section, and you will switch to 1Password with your All Items list already filtered for the service you’re adding. Swipe across the Login item you want to trigger the Action Bar, tap the clipboard button to copy your password to the clipboard, then switch back to Delivery Status touch to finish logging in.

We’d like to thank the fine folks at Junecloud for adding 1Password support to their legendary delivery tracker. Be sure to pick up Delivery Status touch in the App Store, and if you’re a developer, learn how you can add some 1Password to your iOS apps!

1Password for Mac tip: How to create, share a vault with family or coworkers

1Password 4 for Mac brought over 90 awesome new features, and one of its best (and most-requested) is the brand new Multiple Vaults. You can now create extra vaults, copy items to them, and optionally share them with family, coworkers, or anyone else you choose.

We have a great support document that explains step-by-step how to create and share a new vault, but here are the cliff notes:

  • Create a new vault (1Password > New Vault…)
  • Customize its icon, color, and Master Password (you can even use photos from your Mac!)
  • Copy some items to this new secondary vault (select any item, click the sharing arrow and choose your new vault as the destination)
  • Place the vault in a shared Dropbox folder or other location (1Password > Preferences > Sync)
  • Have your family members or coworkers use 1Password 4 for Mac to add your new vault
  • Enjoy 1Password’s new Shared Vault awesomeness

Our new Multiple Vaults feature is Mac-only for now, emphasis on for now. But we think it’s the best way to collaborate with family and coworkers yet conveniently use strong, unique passwords to protect all your sites, apps, and devices.

37signals recommends 1Password in new ‘Remote’ book

You might know 37signals from Basecamp, Highrise, and Campfire—excellent services that help team members collaborate better whether they’re across the hall or the world. Those folks know a thing or two about working remotely, so co-founder Jason Fried and company partner David Heinemeier Hansson wrote an entire book on the topic and called it Remote. You can get it in the iBookstore, Amazon, and elsewhere.

Remote covers the advantages of allowing some or all of a company to work remotely and how to pull it off, and in the midst of all that, Fried and Hansson give a shout-out to 1Password. In a chapter called “Only the office can be secure,” Remote debunks the myth that employees need to be under the same roof in order to keep sensitive accounts and data under control. The company describes its simple security checklist that all employees must follow, and one of its cornerstones is to:

Use a unique, generated, long-form password for each site you visit, kept by a password-managing software, such as 1Password.

It’s a smart checklist overall, and one of the dozens of reasons you should really give Remote a look to learn more about how and why working remotely can open a lot of doors for you and your organization.

For bonus points, our very own co-founder Dave Teare had a brief Twitter conversation with Jason Fried to say thank you:

[Image: Dave Teare Jason Fried Remote Twitter conversation]

1Password How To: Setup Dropbox sync on iOS

If you’re looking to get some 1Password sync action going with iOS, this might be the how-to video for you. I show you how to create a Dropbox account and set it up on your iPhone and iPad so 1Password can wirelessly and automatically sync all your stuff, but the basic steps can apply to Mac and PC users, too (don’t worry, those videos are coming).

Let us know what you think of this, because there are more where it came from.