1Password 4 for Windows Tip: How to upgrade from the previous version

Let’s face it: the new 1Password 4 for Windows is awesome. Everybody’s upgrading, and I want to make that process as seamless as possible. You can see more details on our upgrade policy and process in this support document, but here’s the cliff notes version.

If you purchased in 2013 or 2014, version 4 is free!

Nope, not a typo. Our free upgrade window for 1Password 4 for Windows is a whopping one-and-a-half years wide. All you need to do is:

  1. Download and install 1Password 4 for Windows
  2. Open 1Password and go to Help > Enter License Key
  3. Enter your existing license key
  4. Enjoy 1Password 4 for Windows!

If you purchased before 2013, take advantage of our upgrade pricing!

There’s an extra step, but it’s still super simple. Before you install 1Password 4:

  1. Open 1Password, find your 1Password license item, and copy it, OR
    1. Go to Help > Enter License Key and click the Replace License button
    2. Select and copy your entire license from that window
  2. Visit AgileBits.com/Store/Upgrade
  3. Paste your license code, click ‘Search’, and check out your upgrade options
  4. Download and install 1Password 4 using your spiffy new license
  5. Enjoy 1Password 4 for Windows!

This should get you on your way, but you can follow a more detailed process in our support document if you like. As always, thanks for using 1Password!

No, you do not need to change passwords in response to the OpenSSL CCS bugs

For the third time this year, there is yet another flaw in an underlying security technology used across the net: the recently fixed OpenSSL bugs announced on June 5. For our customers, we are happy to report that 1Password is not affected by bugs in SSL implementations, nor do these bugs require that most people change passwords.

1Password is not affected and your data remains secure, and you do not need to make password changes. The bug that everyone is talking about, lovingly referred to as “ChangeCipherSpec (CCS)” (also known as “CVE-2014-0224” or “SSL/TLS MITM vulnerability”), is not in the same category as the recent, catastrophic Heartbleed. It does not require a response from most people in the way that Heartbleed did.

Why no password changes?

As bad as the CCS bug is, here is what makes it different from Heartbleed from a user’s perspective.

1. The attacker must be in a “privileged network position”

Not anyone can launch a CCS-based attack. The attacker must be the operator of some of the network between you and the site you are using. In this respect, the attack is similar to the GotoFail bug in February on Apple’s Secure Transport. In contrast, Heartbleed could be easily launched by anyone anywhere on the net.

2. Both the client and the server must be vulnerable for the attack to work

This means that if you are not using a vulnerable SSL client (web browser, email program, etc.), then you remain safe from this attack even if the server is vulnerable. Few desktop browsers use the OpenSSL libraries to manage their SSL connections. Chrome on Android and Konqueror on KDE (Linux) are the two most popular ones I can think of that do. Chrome on desktops does not use OpenSSL. In contrast, Heartbleed only required the server to be vulnerable.

3. Many systems were fixed before the news of the bugs was made fully public

It is very tricky to fix a bug in open source software without making knowledge of the bug public at the same time. The OpenSSL team and the discoverers of Heartbleed attempted, but failed, to get most systems fixed before going public. With these bugs, they did a better job, so the window of vulnerability was much shorter.

Each of the first two reasons, on its own, is sufficient for me to conclude that the large majority of people do not need to worry about changing passwords. The combination of them and the other two make me extremely comfortable in this advice.

If you are concerned about governments or network operators having exploited this bug, and if you used clients that relied on OpenSSL for their SSL operations (such as Chrome on Android or Konqueror and other KDE tools on Linux), you may wish to change those passwords. But most people don’t need to take any action. It remains important that you do change passwords for systems that had been vulnerable to the Heartbleed bug reported in April. With Heartbleed, there really is a wolf we are crying about.

These new OpenSSL bugs do mean that system administrators need to update their systems quickly, but they do not require them to rekey their server certificates. These bugs are substantial, but the response is the usual “upgrade affected systems promptly”.

Everything that follows goes into technical details explaining what the recent bugs are and what they may mean in general. They have no specific impact on 1Password, but I know that some of you are curious, and I do indeed suffer from a pathological compulsion to explain things.

Read more

Take Control of 1Password ebook updated for our new Watchtower service

By now you’ve probably heard of 1Password Watchtower, our new service that warns and informs you when websites of your Logins have been compromised. Watchtower has been a huge hit with our Mac customers and is coming soon to Windows, and now you can learn more about it in the latest update to Take Control of 1Password, the comprehensive ebook by Joe Kissell.

This latest free update to the book—version 1.2.1 for those keeping track at home—adds a new section in “Perform a Password Security Audit” that explains what 1Password Watchtower is and does, and how to make it part of your security regimen. Honestly, that whole section is perfect to review and re-review for both current and new book owners alike, as it walks through some of 1Password’s most useful and effective tools under Security Audit.

Take Control of 1Password v1.2.1 is now available. Current owners can sign into their Take Control Ebooks account to grab the latest edition, or you can pick up your copy for just $10.

1Password, Heartbleed, and You

Our co-founder, Dave Teare, sent an AgileBits newsletter to our subscribers Friday night about the internet’s Heartbleed bug and how you can use 1Password to defend yourself and change all your passwords. We had a surprising number of requests to republish it here, so I’m happy to oblige!

If you want to receive our occasional AgileBits newsletter with news and tips about 1Password and Knox, as well as other goodies, hit the button below.


And now, our Heartbleed newsletter, republished here for our blog readers.


Hello everyone,

I’m writing to you today with some very important news. A vulnerability named Heartbleed was discovered in the software that protects most web sites.

Please read on to see what actions you need to take.

What is Heartbleed?

Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it’s what’s responsible for the padlock icon in your browser’s URL bar while browsing the web.

Normally when browsing a site using SSL, you can trust that the information you send to the website can only be seen by the website itself. This keeps your private information, such as credit cards, usernames, and passwords, secure.

The Heartbleed exploit enables attackers to bypass the protections provided by SSL. This means any information you sent to a website that relied on vulnerable versions of OpenSSL could potentially already be in the hands of the bad guys.

I found this XKCD comic explained perfectly how the Heartbleed exploit works.

1Password is Not Affected

There is a lot of work to be done as a result of Heartbleed, but let’s start by talking about what this vulnerability does not mean.

1Password does not rely on OpenSSL to secure your data. Your data in 1Password is protected using Authenticated AES 256-bit encryption and can only be unlocked with your Master Password.

This means 1Password is not affected by the Heartbleed bug and there is no need to change your Master Password.

With that said, there is still a lot of work to be done…

Update Your Passwords, Phase 1

While your data is safe within 1Password itself, there is a good chance websites you used were vulnerable and did not protect your username and password.

The knee jerk reaction to this news is to change all your passwords immediately. While I will be recommending you change your passwords, not all websites have been updated yet to protect against this vulnerability.

The best advice I can give you is to change your most important website passwords immediately, including your email, bank accounts, and other high value targets. This will provide your best defense against previous attacks.

After a few weeks, websites will have been upgraded with new SSL certificates, and you will be able to trust SSL again. At this point you should change all of your passwords again.

How to Change Your Passwords

Changing your passwords on every website is a chore. On the bright side, 1Password makes it easy to upgrade all your website passwords.

How to Update Your Passwords

Heartbleed is a very serious issue so I hope you will take the time needed to update your passwords. Ideally you would change all your passwords, but at the very least, please update the most important ones.

Stop The Bleeding

New, strong, unique passwords are your best defense against Heartbleed. 1Password makes this easy.

To make it easier for everyone to improve their security we decided to put 1Password on sale.

Save 50% Off 1Password and Stop the Bleeding

Please share news of Heartbleed with your friends and families. Simply forwarding this email is a great first step to helping them know that this is a serious issue.

I know I will be using this opportunity to finally convince my mother that she needs to take her internet security more seriously. Hopefully you will also be able to turn this crisis into an opportunity for good.

Stay Tuned

The Heartbleed story is continuing to evolve. I’ll be in touch again soon with an update.

While I normally send these newsletters infrequently, given the gravity of this situation, I’ll likely be sending a few extra this month. I hope you find this helpful.

To get updates even faster, be sure to friend us on Facebook or follow @1Password on Twitter.

Please keep in touch and let us know if there is anything we can do to help.

1Password for Mac Tips: How to update your passwords

[Image: 1P4 Mac update Login]

In every password’s life, there comes a time to get changed. Maybe it was never a very good password to begin with, maybe you were a victim of password reuse, or maybe you were among the 200 million accounts stolen in the recent Adobe and Sony breaches.

Fact is: every password dies, not every password really lives.

When it’s time to change a password, the latest versions of our browser extension and 1Password 4 for Mac make it really, really easy. Give this a shot:

  • Use the extension to log into your service of choice
  • Go to the password reset page; it’s usually in Settings or Options somewhere
  • (Optional) If your current password is required, click our extension and mouse to the right of the Login you want to update. Your details will appear in a menu to the right. Mouse over your password and click to copy it to your clipboard, then paste it into the Current Password field in the webpage (keyboard shortcut fans will be happy to know you can do all this with arrow keys and Return to copy the password)
  • Click our browser extension and go to the Password Generator to get a unique, super strong new password. Customize any details you like (such as length or special characters), then click Fill to automatically fill it into the New Password fields on the page
  • Click the Save button in the password reset form, and the 1Password extension will offer to update your existing Login, much like that glorious window you see above. If you have multiple Logins for the current site, be sure to pick the right one to update

Click Update in that window, and your new password is now saved for your existing Login! But wait, there’s more, and you can see it if you click that little details arrow next to the Login name:

[Image: 1P4 Mac update Login extra details]

If you make use of 1Password’s tags and folders (you should, they’re really handy!), you can add tags and file this updated Login into an existing folder, all right from the extension. Plus, if you give 1Password 4 for Mac’s new Security Audit feature a whirl, you can get a good idea of which passwords you might want to update first. Super cool?

Very super cool.

‘Take Control of 1Password’ ebook updated for all our big v4.1 Mac features!

Remember how Joe Kissell wrote an entire book about 1Password? It covers how to get started with creating unique, strong passwords for all your sites, then how to get the most out of 1Password by securing all the other critical aspects of your identity, financials, and more. Well, Joe didn’t stop there—he’s already back with a free update!

Take Control of 1Password v1.1 covers the big changes we brought to 1Password 4.1 for Mac, including the excellent new ability to update an existing Login’s password right in your browser, new printing options, and much more. It’s a great update and we thank Joe for covering all our new goodies so thoroughly!

If you already own a copy, you may have received an email with instructions on how to update, or you can log into your Take Control Books account and grab it there. If you have yet to pick up your copy—run, don’t walk, and grab Take Control of 1Password for yourself or a friend to learn about all the ways 1Password can make security more convenient.

1Password for Mac Tip: One-click to tidy up your vault

Your 1Password 4 for Mac vault is probably filled with a collection of website Logins, Secure Notes, reward program memberships, and more. There may also be a number of Generated Password items too, and some of them might be redundant because they were turned into Logins. If you want a simple way to clean up these redundant items (and an explanation for why they’re there), here’s a quick trick you can use.

Simply unlock 1Password with your Master Password, then go to Help > Tools > Remove Redundant Generated Passwords. You’ll get a prompt like the one below, telling you how many items were found and offering the chance to back out.

[Image: Trash redundant duplicates]

Note: I have over 1,500 items, so your results may vary :)

If you click Move to Trash, 1Password will do your bidding. To err on the side of caution, 1Password does not automatically empty the Trash, so you have one last opportunity to recover any you might need.

The backstory, if you’re curious

Erring on the side of caution is the reason these redundant Generated Password items are around in the first place. In many cases, we can detect when a Generated Password item becomes a Login, and we automatically convert the item to get it out of your way.

Bonus Tip: click any Generated Password item, then click the Convert to Login button at the bottom to perform this process manually.

However, in some cases, we can’t detect this Password –> Login process. Instead of guessing wrongly and deleting an item that you actually need, we play it safe and keep them around. But with this Remove Redundant Generated Passwords tool, we gave you a choice and a quick way to do some spring vault cleaning.

1Password + Holidays = Sanity

We’re headed into the home stretch of 2013, and between travel coordination, meal planning, and shopping, there’s a whole lot of holiday stuff to juggle. If only we had computers that fit in our pockets that could make things easier… wait. We do have pocket computers, and 1Password for iOS just went on sale, so here are a few tips that will help you stay on track during the holiday season.

Secure Notes And You

We love Secure Notes. You can keep all kinds of things in them! A few examples:

  • Travel itineraries. Since you already have your logins in 1Password, add your trip info as a Secure Note. Then if you need to rebook or make a change, you’re one tap from logged in! You can also add the garage door or alarm codes for your in-laws’ house, or other temporary things you might need.
  • Shopping information. Got lots of people to track gifts for? Create a Note for each person, and add clothing or shoe sizes, preferences in colors, or ideas you came across before you were in full Gift Shopping Mode.
  • Epic menu data. You can keep lists of guests, their allergies, and their preferences, or even keep those Secret Family Recipes super secret!
  • You can keep lists of how people are related to each other (particularly handy for new family members), and nobody will stumble across it by accident! They’ll just think you have a great memory!

Shop Securely… anywhere!

You already know you can store your credit card data in 1Password and fill it securely in a snap. Some other ways you can make shopping with 1Password more convenient are below:

  • Add all your card info to the 1Password Credit Card item, including all that information on the back about calling customer service or replacing a card. Then if you need it, just tap the phone number to make the call.
  • A number of popular websites have gotten more mobile-friendly, so now when you have the inspiration, you can log in using the built-in 1Browser and whip up a little holiday magic right from your iOS device. And if you combine that with “buy online, pick up in store” service, you’re only in the store long enough to pick it up, get a receipt, and get out again. (This does wonders for my budget!)
  • Identity Sorcery. Set up Identities for family members you regularly ship things to. Label them clearly, and voila! No more fumbling for info when you need to send something to kids or grandkids or anyone else.
  • Remember that you can always gift 1Password to those family members who are bad at remembering passwords or use the back of their address book. You can gift a copy from our store, or you can buy an iTunes gift card to gift the Mac App Store version.

Now here are a couple of bonus tips for those who think of Black Friday and December 26 not as days for power shopping, but as Family Technology Maintenance And Probably Assistance Hooking Up The New Thing They Just Got Day:

  • Keep Wi-Fi login information in 1Password for family routers. And while you’re at it, take photos of those stickers on the side/bottom of the router and modem with all the model information and serial numbers. Then when you’re trying to assist from afar, your search-fu is increased by including the model.
  • Expansion of the previous item: If you give or receive some tech, get a photo of that model/serial sticker on the device before you put it on the wall or in the A/V cabinet, then you have it later when you need it. (I attach these to secure notes with all the other information about the item, such as when and where it was purchased.)
  • Add other family logins to your login items, and tag them so you know they’re family items. Then save them in a smart folder. When you need a family login, that folder has everything in one place.

Hopefully these tips will keep your holiday season a fun one. :)

Time to give 1Password 4 for Mac’s Security Audit a whirl

It was bound to happen eventually. A massive Adobe data theft of 130 million customer names, emails, encrypted passwords, source code, and more will enable almost limitless password reuse attacks in the coming weeks.

Suppose you are one of the 130 million people whose oddly encrypted passwords were in the Adobe password breach. Suppose that you used the same password there as you do for PayPal.

To make matters worse, suppose you actually listed that fact in Adobe’s password hint. Since the malicious attackers dumped the Adobe data online, a quick check of Adobe customer password hints shows that there are more than 700 that say things like “paypal” or “sameaspaypal”. There are more than 20,000 hints referring to “bank”. I will talk about password hints at some other time; my point here is all about password reuse.

Only a fraction of the people who are reusing passwords will make that clear in their password hints. We already know password reuse is common. We also know that criminals do indeed exploit password reuse to steal from people.

I am very tempted to explain all about Adobe’s peculiar method of storing passwords. It’s really a cool story with lots of interesting lessons, and explaining it would involve poorly encrypted pictures of a penguin.

I am also tempted to dive into gory details of the statistical properties of the data, the analysis of which has kept my computer busy for days on end. Likewise, I could rant about Cupid Media’s failure to encrypt or hash passwords for 42 million customers. Or I could talk about privilege escalation and the MacRumors discussion forums breach a week earlier, which led to the capture of all 860,000 hashed passwords.

But it is far more important for me to repeat what we’ve said in many different ways and at many different times: Password reuse—using the same password for different sites and services—is probably the biggest security problem with password behavior.

We want to fix that.

Knowing the right thing to do is easier than doing the right thing

Like most people, you weren’t born using 1Password; it’s something you came to use later in life. Now that you use 1Password, you will (or should) be using the Strong Password Generator when you register for a new website so you get a strong, unique password.

But think back to those dark days when you needed to come up with passwords on your own. You probably picked from a small handful that you had memorized, so now you’re stuck with a bunch of sites and services for which you used the same password.

Getting all of those old passwords sorted out is going to be a chore, but it doesn’t have to be done all at once. Best of all, 1Password 4 for Mac can help, thanks to its new Security Audit feature.

Let’s use an analogy: say that Molly (one of my dogs, and not really the cleverest of beasts) has just started using 1Password. She has a few passwords, but not many. Even though she doesn’t know how to push open a door that is already ajar, she can make use of the new Security Audit tool in 1Password for Mac.

In the left sidebar of 1Password 4 for Mac, down toward the bottom, there is a section called “Security Audit”. When Molly clicks (or paws) “Show” next to “Security Audit” she sees a number of audits available. She can select “Weak Passwords”, which will show her all of her items with weak passwords. She can also look at password items that are old. But the selection we are interested in today is “Duplicate Passwords”.

Security Audit in 1Password 4 for Mac, displaying Molly’s duplicate passwords

What Molly sees is that she has two sets of duplicates. One of them is used for two Logins, and the other one is used for four Logins. As we can see, her Adobe.com password of “squirrel” is used for her Barkbook, Treats R Us, and Cat Chasers Logins as well.

Molly should, of course, go to each of those sites and change her passwords on them. But there are squirrels in the back yard to bark at, and changing all of those passwords may seem overwhelming. So Patty (the cleverer dog in the family) advises Molly to think about which of those Logins are most crucial. Molly can’t tolerate the thought of anyone else getting a treat; so she starts with Treats are Us.

This does mean going to the Treats are Us site and using its password change mechanism. 1Password is smart, but it isn’t quite smart enough to go browsing through the sites to find their password change pages. Molly may decide that her Barkbook Login is also very important, and so will change that one right away as well.

Ideally, Molly should fix all of her weak and duplicate passwords as soon as possible. And as Molly has only a handful of Logins, she could do that. But for those of us who may have a large number of old accounts, it is probably best to check Security Audit and update reused or weak passwords at the most important sites first. Then, updating other passwords a few at a time is an easy way to make all our accounts much more secure.
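The duplicate-password check described above, sketched as an added example; it is not AgileBits code and does not claim to be how 1Password implements Security Audit. The vault layout, the function names and every sample entry other than Molly's four "squirrel" Logins are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample vault. Only the "squirrel" password and the four sites
# that share it come from the article; the remaining entries are made up so
# that the vault has one set of four duplicates and one set of two.
SAMPLE_VAULT = [
    {"title": "Adobe.com", "password": "squirrel"},
    {"title": "Barkbook", "password": "squirrel"},
    {"title": "Treats R Us", "password": "squirrel"},
    {"title": "Cat Chasers", "password": "squirrel"},
    {"title": "Dog Park Forum", "password": "fetch!"},
    {"title": "Vet Portal", "password": "fetch!"},
    {"title": "Bone Bank", "password": "x7#Lq9vT2m$Rk4pZ"},
]


def find_duplicate_sets(vault, key=None):
    """Return the sets of Logins that share a password, largest set first.

    Passwords are grouped by an HMAC-SHA256 tag under a random per-run key,
    so the grouping table never holds a plaintext password and the tags are
    meaningless outside this run.
    """
    key = key or os.urandom(32)
    groups = defaultdict(list)
    for item in vault:
        tag = hmac.new(key, item["password"].encode("utf-8"),
                       hashlib.sha256).digest()
        groups[tag].append(item["title"])
    dupes = [sorted(titles) for titles in groups.values() if len(titles) > 1]
    # Largest reuse set first; ties broken alphabetically for stable output.
    return sorted(dupes, key=lambda titles: (-len(titles), titles))


def exposed_by_breach(vault, breached_titles):
    """List the other Logins that reuse a password from a breached site.

    These are the accounts a password-reuse attack can reach once the
    breached site's password is known, so they are the ones to change first
    (in addition to the breached site's own password).
    """
    breached = set(breached_titles)
    at_risk = []
    for titles in find_duplicate_sets(vault):
        if breached & set(titles):
            at_risk.extend(t for t in titles if t not in breached)
    return sorted(at_risk)


if __name__ == "__main__":
    for titles in find_duplicate_sets(SAMPLE_VAULT):
        print(f"{len(titles)} Logins share one password: {', '.join(titles)}")
    print("Change first after the Adobe breach:",
          ", ".join(exposed_by_breach(SAMPLE_VAULT, ["Adobe.com"])))
```
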

Apps that Love 1Password: Delivery Status touch

You buy stuff online, and you need to know when it’s going to show up at your house, work, or your lucky recipient’s doorstep. For years, community favorite Delivery Status touch has made it, dare I say, fun to track your packages. Now it’s adding the convenience of 1Password.

Delivery Status touch 5.0 just hit the App Store and it is a whopper of an upgrade. In addition to big new features like optional background notifications, Calendar support, and iCloud sync, you can use the new 1Password integration to quickly log into services and add packages to track.

For supported services like Amazon and Google Checkout, Delivery Status touch can simply log into your account and pull down the details it needs. Tap the new 1Password button in the service login section, and you will switch to 1Password with your All Items list already filtered for the service you’re adding. Swipe across the Login item you want to trigger the Action Bar, tap the clipboard button to copy your password to the clipboard, then switch back to Delivery Status touch to finish logging in.

We’d like to thank the fine folks at Junecloud for adding 1Password support to their legendary delivery tracker. Be sure to pick up Delivery Status touch in the App Store, and if you’re a developer, learn how you can add some 1Password to your iOS apps!