1Password: Store Passwords on your iPhone




MacRumors
Oct 9, 2007, 11:45 AM

Switchersblog (http://switchersblog.com/2007/10/05/iphone-password-manager.html) details a new feature in the latest beta of 1Password -- a Mac password manager application.

The new version adds a "Sync to iPhone" feature which exports all your stored passwords into an encrypted Safari Bookmarklet. The Bookmarklet is accessible from the iPhone's Safari bookmark list and protected by a password.




The beta version of the software is available on their beta forum (http://forum.agilewebsolutions.com/viewtopic.php?t=1747).

Article Link (http://www.macrumors.com/iphone/2007/10/09/1password-store-passwords-on-your-iphone/)



ozziegn
Oct 9, 2007, 12:51 PM
a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT! :rolleyes:

chr1s60
Oct 9, 2007, 12:55 PM
Store all your passwords and gain access to the Fido network... where do I sign up?

deep
Oct 9, 2007, 01:08 PM
I've been using the desktop app for a couple of weeks now, and I have to say I'm pretty impressed. I have over 150 sites in my keychain and remembering all the different usernames and passwords is becoming impossible. So far, this app has done a great job of getting things organized, and as it also syncs across multiple computers through .mac, it saves me a lot of time and grief. One thing I wished it would do was work on an iPhone or Touch. Looks like the developers are thinking along the same line.

Ever try typing a long username and password on an iPhone or Touch? What a pain in the ass! I'd definitely give this a shot if they can make it autofill on the iPhone. Also needs to store things other than just website logins, like multiple form fill profiles and text.

traderx1
Oct 9, 2007, 01:21 PM
a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT! :rolleyes:

I can understand your fear, a web applet that stores your personal passwords. In reality, the information is NEVER stored on another server/computer (if the makers of this dandy program read this, please correct me). You actually have the program called 1Password on YOUR computer, put in your website passwords, and there is a sync to iPhone button. Click on that, and the info gets sent to your iPhone on the next sync. You are also asked to pick/type a password to retrieve this info. After syncing, go to your iPhone, then Safari, then bookmarks, and touch 1Password. It then asks for your password, that you chose earlier, and all your info shows up on the iPhone.

So the key here is that the information was NEVER transmitted over the net. To test this theory, and make sure that I was not sending some information that I did not want to, I put my phone in airplane mode and I was still able to retrieve my info using Safari. I mainly use this to store my password, and look up the info so I can type it in another computer that I use at work. If you are connected to the net on your iPhone, you can just click on the link to the website, and Safari will send you there and fill in the password info for you.

It is a pretty good program and now with the iPhone sync it got a whole lot better. Being an early adopter of the iPhone, my gripe has always been no to-do list, and no way to encrypt financial/personal things. Well, 1Password has made a workaround that lets us store secure data. No, it is not the best program for the purpose, but it is the BEST thing we have on the iPhone now, and being that this is version 1 of this feature, I would imagine it only gets better. One additional feature that would be nice is to be able to enter data that is not necessarily financial/website orientated such as Drivers License number, health information, and other data. All in all a great start by the company, and hopefully they build on it.
Very clever programming to get around the "No 3rd Party Apps"

Danicus
Oct 9, 2007, 01:32 PM
this has bad idea all over it

Mr. Zorg
Oct 9, 2007, 02:21 PM
I can understand your fear, a web applet that stores your personal passwords. In reality, the information is NEVER stored on another server/computer (if the makers of this dandy program read this, please correct me).
Guys, please pay attention to traderx1's post... He's nailed what most of you seem to be missing. This is basically just an adaptation of the previously released bookmarklet app that writes a javascript/dhtml app with your encoded passwords into a Safari bookmark. Nothing's sent over the net. Very clever.

Now, that said, I do have two concerns (I have not tried it yet):

1) Previously when I was using bookmarklets, it made starting Safari very sluggish (on both my mac and my iphone). Presumably this is because of the size of the bookmarklets I had. I'm sure the bookmarks system was never optimized to carry such large amounts of data. Hopefully this generates a very small amount... Don't know.

2) According to their site it uses some pretty strong cryptography (448 bit blowfish). While blowfish is a very fast cipher, I wonder just how fast it would run in javascript on the (relatively limited) horsepower of the iphone...

I guess one way to find out is to try it. :)

Aetles
Oct 9, 2007, 03:49 PM
The new version adds a "Sync to iPhone" feature which exports all your stored passwords into an encrypted Safari Bookmarklet. The Bookmarklet is accessible from the iPhone's Safari bookmark list and protected by a password.

It seems a lot like the already announced PasswordWallet for iPhone (http://www.selznick.com/products/passwordwallet/iphone/index.htm).

kugino
Oct 9, 2007, 04:46 PM
everyone's fears and apprehensions are totally understandable. were i not using the desktop version of 1Password i'd be equally dubious.

but it's really an amazing app by a good company. though i don't have an iphone (yet) i will most definitely look into this implementation when i pick up an iphone in january.

just FYI, the TWIT macbreak guys really like 1Password, too, and they highly recommend it...and that's how i learned about this app. saves me a ton of time with a lot of password-protected sites my job forces me to engage with...and i feel very confident about the security measures implemented in this app. hopefully people will take a serious look at this app before judging it. if it's not for you, fine.

roustk
Oct 9, 2007, 05:51 PM
a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT! :rolleyes:

AFAIK, this is the most secure way to carry your passwords and other confidential information on iPhone.

To address your concerns:

1. All information and the javascript code to access it is stored locally inside the Safari bookmarklet. Internet access is NOT required to use it.

2. The passwords are encrypted with 448 Blowfish encryption using CBC (Cipher Block Chaining) and a randomized salt. The access code is needed to decrypt individual entries.

3. The JavaScript code automatically locks the application after 5 minutes of inactivity.

dteare
Oct 9, 2007, 05:58 PM
Guys, please pay attention to traderx1's post... He's nailed what most of you seem to be missing. This is basically just an adaptation of the previously released bookmarklet app that writes a javascript/dhtml app with your encoded passwords into a Safari bookmark. Nothing's sent over the net. Very clever.


Exactly correct!

All your information is encrypted into a bookmarklet, and stored in Safari on your Mac. When you sync your iPhone in iTunes, the bookmarklet is synced just like all your other bookmarks.

The data is then decrypted in Safari on your iPhone once you provide the correct password.

No external web servers. And No hacks!

Now, that said, I do have two concerns (I have not tried it yet):

1) Previously when I was using bookmarklets, it made starting Safari very sluggish (on both my mac and my iphone). Presumably this is because of the size of the bookmarklets I had. I'm sure the bookmarks system was never optimized to carry such large amounts of data. Hopefully this generates a very small amount... Don't know.


This can be true, but for us the only delay was in the initial load (see below).


2) According to their site it uses some pretty strong cryptography (448 bit blowfish). While blowfish is a very fast cipher, I wonder just how fast it would run in javascript on the (relatively limited) horsepower of the iphone...


Blowfish is amazingly fast. We actually started with AES encryption, but it was just too much overhead for the iPhone. Blowfish was over 10 times faster and it decrypts your individual entries almost instantly.

The only performance bottleneck is the initial loading of the page. Since *everything* is stored inside the bookmarklet, it can get pretty big. On our personal datasets of 800 items, it is 600KB, which takes Safari a while to load (mine takes 9 seconds to load). Thankfully most users have less than 200 entries, which load in just a few seconds.


I guess one way to find out is to try it. :)

What are you waiting for?? :D

NightOne
Oct 9, 2007, 06:40 PM
It seems a lot like the already announced PasswordWallet for iPhone (http://www.selznick.com/products/passwordwallet/iphone/index.htm).

Ironically, it was someone from Sweden who posted pretty much the same thing on the TUAW post.

Do you work for PasswordWallet or something? :)

traderx1
Oct 10, 2007, 09:58 AM
dteare...

seeing that you are involved with the software company of 1password, I had a suggestion for future implementation. The software works wonderfully with my iphone, but my one request is the ability to put in things other than web passwords. I see a Credit Cards option, which is great and what I needed, but also put in other non-internet related info such as financial information, drivers license, car info, health insurance/info. the list could go on...but that would be a great start. Even the ability to have blank fields and add various private info would be awesome.
thanks

dteare
Oct 10, 2007, 11:38 AM
dteare...

seeing that you are involved with the software company of 1password, I had a suggestion for future implementation. The software works wonderfully with my iphone, but my one request is the ability to put in things other than web passwords. I see a Credit Cards option, which is great and what I needed, but also put in other non-internet related info such as financial information, drivers license, car info, health insurance/info. the list could go on...but that would be a great start. Even the ability to have blank fields and add various private info would be awesome.
thanks

Hi traderx1. In terms of 1Password features, what you are asking for is more Wallet items. The ability to create Wallet items for licenses, financial info, etc, is high on our list and we will be adding it "soon". We elected to have "just" Credit Cards for now because we are trying to get version 2.5 "out the door" and are purposely limiting the features to make sure this happens in the next few weeks.

All the infrastructure is in place to add tonnes of more Wallet items, and I expect you will see them soon after the 2.5 release.

What other features are people interested in? We're always looking for ways to improve 1Password. I can't promise we'll implement them right away, but we can add them to the list ;)

dteare
Oct 10, 2007, 11:39 AM
Even the ability to have blank fields and add various private info would be awesome.

I forgot to mention, you can use Secure Notes for this. Secure Notes allow free-form text; you can put anything in there you please.

beate
Oct 19, 2007, 03:02 AM
I forgot to mention, you can use Secure Notes for this. Secure Notes allow free-form text; you can put anything in there you please.

Darn! I was just going to reply to traderx1 and suggest the same thing. At least I read through all the posts, else I would have made a fool of myself as my suggestion would have been directly under yours...

Love the program, btw.

lawcomic
Oct 19, 2007, 09:28 AM
How long does the demo last before we need to pay?

SC68Cal
Oct 19, 2007, 09:52 AM
a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT! :rolleyes:

Quoted for Truth.

Also, storing the passwords locally on the iPhone is a terrible idea as well, when you are using a TIFF exploit to unlock the phone. Who says the same TIFF exploit can't be used to take those passwords?

Granted, you're using Blowfish, but still if the password database is able to be lifted from the phone then the game is up. Plus, just because you have encryption doesn't mean you're secure because you can have the encryption key being generated with a dictionary word.

dteare
Oct 19, 2007, 09:45 PM
How long does the demo last before we need to pay?

1Password 2.5 has a 30 day trial period. In previous versions we limited the number of Web Forms to 12, but based on feedback we got we thought a 30 day trial would be better.

dteare
Oct 19, 2007, 09:46 PM
Darn! I was just going to reply to traderx1 and suggest the same thing. At least I read through all the posts, else I would have made a fool of myself as my suggestion would have been directly under yours...

The Edit button is your friend :)

Love the program, btw.

Thanks!

dteare
Oct 19, 2007, 10:14 PM
storing the passwords locally on the iPhone is a terrible idea as well, when you are using a TIFF exploit to unlock the phone. Who says the same TIFF exploit can't be used to take those passwords?

Nothing is perfect (as Bruce Schneier used to say) but 1Password for iPhone is the safest solution, next to not using a computer at all. Certainly it is much safer than reusing the same password all over again or trying to keep them on a piece of paper. If you need to access your accounts while on the road, you need a strong solution like 1Password's Sync to iPhone.

The TIFF exploit used on iPhone is simply one example of taking control of a device. Safari and other apps are frequently patched to prevent buffer overflows that allow "arbitrary code execution", so your Mac is vulnerable just like the iPhone (albeit, the iPhone is particularly bad because everything runs as root, but I digress). This is why keeping your software up-to-date is part of any good Defense-In-Depth plan.

Since 1Password's Sync to iPhone does not use any hacks, you are allowed to upgrade to the latest firmware which will fix these exploits, and you won't need to worry about bricking your iPhone :)


Granted, you're using Blowfish, but still if the password database is able to be lifted from the phone then the game is up. Plus, just because you have encryption doesn't mean you're secure because you can have the encryption key being generated with a dictionary word.

The strength of the Blowfish encryption is directly proportional to the strength of your password (in terms of brute force attacks). Using a dictionary word for your master password is a terrible idea as specially designed applications can easily guess them. You must choose a good strong password! Otherwise, there is no sense in using encryption at all.

The beauty of 1Password is that you will only need to remember one password, so you are able to make it a strong password and since there is only one you will be able to commit it to memory.
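
Added example, not part of the thread and not 1Password's code: a sketch of the per-entry scheme roustk and dteare describe (master password, randomized salt, CBC encryption, decryption only with the right password). The key derivation (PBKDF2-SHA256), the HMAC integrity tag, the iteration count and the use of AES-256-CBC from Node's `crypto` module in place of Blowfish are all assumptions, since the thread does not say how the product derives its key.

```javascript
// Added illustration, not 1Password's code. Assumptions: PBKDF2-SHA256 key
// derivation, AES-256-CBC standing in for Blowfish, HMAC-SHA256 integrity tag.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor; it slows down every password guess

// Derive separate encryption and MAC keys from the master password and a per-entry salt.
function deriveKeys(masterPassword, salt) {
  const material = crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 64, 'sha256');
  return { encKey: material.subarray(0, 32), macKey: material.subarray(32) };
}

// Integrity tag over everything stored for the entry.
function tag(macKey, salt, iv, ciphertext) {
  return crypto.createHmac('sha256', macKey)
    .update(Buffer.concat([salt, iv, ciphertext])).digest();
}

// Encrypt one entry under a fresh random salt and IV.
function encryptEntry(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16);
  const { encKey, macKey } = deriveKeys(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, mac: tag(macKey, salt, iv, ciphertext) };
}

// Decrypt one entry; a wrong password or an altered record fails the MAC check.
function decryptEntry(masterPassword, entry) {
  const { encKey, macKey } = deriveKeys(masterPassword, entry.salt);
  const expected = tag(macKey, entry.salt, entry.iv, entry.ciphertext);
  if (!crypto.timingSafeEqual(expected, entry.mac)) {
    throw new Error('wrong master password or corrupted entry');
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, entry.iv);
  return Buffer.concat([decipher.update(entry.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample data: the same entry encrypted twice under one master password.
const MASTER = 'correct horse battery staple';
const first = encryptEntry(MASTER, 'bank.example: hunter2');
const second = encryptEntry(MASTER, 'bank.example: hunter2');
```

The random salt makes two encryptions of the same entry differ, and the iteration count raises the cost of each guess, but neither enlarges the guess space: with a dictionary word as the master password, the derived key is only as strong as that word.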