1Password: Store Passwords on your iPhone

[MacRumors]

Switchersblog details a new feature in the latest beta of 1Password -- a Mac password manager application.

The new version adds a "Sync to iPhone" feature which exports all your stored passwords into an encrypted Safari Bookmarklet. The Bookmarklet is accessible from the iPhone's Safari bookmark list and protected by a password.





The beta version of the software is available on their beta forum.

Article Link

[ozziegn]

a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT!

[chr1s60]

Store all your passwords and gain access to the Fido network... where do I sign up?

[traderx1]

Quote:

Originally Posted by ozziegn

a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT!

i can understand your fear, a web applet that stores your personal passwords. In reality, the information is NEVER stored on another server/computer (if the makers of this dandy program read, please correct me). You actually have the program called 1password on YOUR computer, put in your website passwords, and there is a sync to iPhone button. Click on that, and the info gets sent to your iphone on the next sync. You are also asked to pick/type a password to retrieve this info. After syncing, go to your iphone, then safari, then bookmarks, and touch 1password. It then asks for your password, that you chose earlier, and all your info shows up on the iphone. So the key here is that the information was NEVER transmitted to over the net. To test this theory, and make sure that I was not sending some information that I did not want to, I put my phone in airplane mode and I was still able to retrieve my info using safari. I mainly use this to store my password, and look up the info so i can type it in another computer that i use at work. If you are connected to the net on your iphone, you can just click on the link to website, and safari will send you there and fill in the password info for you. It is a pretty good program and now with the iphone sync it got a whole lot better. Being an earlier adapter of the iphone, my gripe has always been no to-do list, and no way to encrypt financial/personal things. Well 1password has made a work around that lets us store secure data. No it is not the best program for the purpose, but it is the BEST thing we have on the iphone now, and being that this a version 1 of this feature, i would imagine it only gets better. One additional feature that would be nice is to be able to enter data that is not necessarily financial/website orientated such as Drivers License number, health information, and other data. All in all a great start by the company, and hopefully they build on it. Very clever programming to get around the "No 3rd Party Apps"

[Mr. Zorg]

Quote:

Originally Posted by traderx1

i can understand your fear, a web applet that stores your personal passwords. In reality, the information is NEVER stored on another server/computer (if the makers of this dandy program read, please correct me).

Guys, please pay attention to traderx1's post... He's nailed what most of you seem to be missing. This is basically just an adaptation of the previously released bookmarklet app that write a javascript/dhtml app with your encoded passwords into a Safari bookmark. Nothing's sent over the net. Very clever.

Now, that said, I do have two concerns (I have not tried it yet):

1) Previously when I was using bookmarklets, it made starting Safari very sluggish (on both my mac and my iphone). Presumably this is because if the size of the bookmarklets I had. I'm sure the bookmarks system was never optimized to carry such large amounts of data. Hopefully this generates a very small amount... Don't know.

2) According to their site it uses some pretty strong cryptography (448 bit blowfish). While blowfish is a very fast cipher, I wonder just how fast it would run in javascript on the (relatively limited) horsepower of the iphone...

I guess one way to find out is to try it.

[dteare]

Quote:

Originally Posted by Mr. Zorg

Guys, please pay attention to traderx1's post... He's nailed what most of you seem to be missing. This is basically just an adaptation of the previously released bookmarklet app that write a javascript/dhtml app with your encoded passwords into a Safari bookmark. Nothing's sent over the net. Very clever.

Exactly correct!

All your information is encrypted into a bookmarklet, and stored in Safari on your Mac. When you sync your iPhone in iTunes, the bookmarklet is synced just like all your other bookmarks.

The data is then decrypted in Safari on your iPhone once you provide the correct password.

No external web servers. And No hacks!

Quote:

Originally Posted by Mr. Zorg

Now, that said, I do have two concerns (I have not tried it yet):

1) Previously when I was using bookmarklets, it made starting Safari very sluggish (on both my mac and my iphone). Presumably this is because if the size of the bookmarklets I had. I'm sure the bookmarks system was never optimized to carry such large amounts of data. Hopefully this generates a very small amount... Don't know.

This can be true, but for us the only delay was in the initial load (see below).

Quote:

Originally Posted by Mr. Zorg

2) According to their site it uses some pretty strong cryptography (448 bit blowfish). While blowfish is a very fast cipher, I wonder just how fast it would run in javascript on the (relatively limited) horsepower of the iphone...

Blowfish is amazingly fast. We actually started with AES encryption, but it was just too much overhead for the iPhone. Blowfish was over 10 times faster and it decrypts your individual entries almost instantly.

The only performance bottleneck is the initial loading of the page. Since *everything* is stored inside the bookmarklet, it can get pretty big. On our personal datasets of 800 items, it is 600KB, which takes Safari a while to load (mine takes 9 seconds to load). Thankfully most users have less than 200 entries, which load in just a few seconds.

Quote:

Originally Posted by Mr. Zorg

I guess one way to find out is to try it.

What are you waiting for??

[traderx1]

dteare...

seeing that you are involved with the software company of 1password, i had a suggestions for future implementation. The software works wonderfully with my iphone, but my one request is the ability to put in other things other than web password. I see a option Credit Cards which is great and what I needed, but also put in other non-internet related info such has financial information, drivers license, car info, health insurance/info. the list could go on...but that would be a great start. Even the ability to have blank fields and add various private info would be awesome.
thanks

[roustk]

Quote:

Originally Posted by ozziegn

a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT!

AFAIK, this is the most secure way to carry your passwords and other confidential information on iPhone.

To address your concerns:

1. All information and the javascript code to access it is stored locally inside the Safari bookmarklet. Internet access is NOT required to use it.

2. The passwords are encrypted with 448 Blowfish encryption using CBC (Cipher Block Chaining) and a randomized salt. The access code is needed to decrypt individual entries.

3. The JavaScript code automatically locks the application after 5 minutes of inactivity.

[SC68Cal]

Quote:

Originally Posted by ozziegn

a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

NOT!

Quoted for Truth.

Also, storing the passwords locally on the iPhone is a terrible idea as well, when you are using a TIFF exploit to unlock the phone. Who says the same TIFF exploit can't be used to take those passwords?

Granted, you're using Blowfish, but still if the password database is able to be lifted from the phone then the game is up. Plus, just because you have encryption doesn't mean you're secure because you can have the encryption key being generated with a dictionary word.

[dteare]

Quote:

Originally Posted by SC68Cal

storing the passwords locally on the iPhone is a terrible idea as well, when you are using a TIFF exploit to unlock the phone. Who says the same TIFF exploit can't be used to take those passwords?

Nothing is perfect (as Bruce Schneier used to say) but 1Password for iPhone is the safest solution, next to not using a computer at all. Certainly it is much safer than reusing the same password all over again or trying to keep them on a piece of paper. If you need to access your accounts while on the road, you need a strong solution like 1Password's Sync to iPhone.

The TIFF exploit used on iPhone is simply one example of taking control of a device. Safari and other apps are frequently patched to prevent buffer overflows that allow "arbitrary code execution", so your Mac is vulnerable just like the iPhone (albeit, the iPhone is particularly bad because everything runs as root, but I digress). This is why keeping your software up-to-date is part of any good Defense-In-Depth plan.

Since 1Password's Sync to iPhone does not use any hacks, you are allowed to upgrade to the latest firmware which will fix these exploits, and you won't need to worry about bricking your iPhone

Quote:

Originally Posted by SC68Cal

Granted, you're using Blowfish, but still if the password database is able to be lifted from the phone then the game is up. Plus, just because you have encryption doesn't mean you're secure because you can have the encryption key being generated with a dictionary word.

The strength of the Blowfish encryption is directly proportional to the strength of your password (in terms of brute force attacks). Using a dictionary word for your master password is a terrible idea as specially designed applications can easily guess them. You must choose a good strong password! Otherwise, there is no sense in using encryption at all.

The beauty of 1Password is that you will only need to remember one password, so you are able to make it a strong password and since there is only one you will be able to commit it to memory.

[deep]

I've been using the desktop app for a couple of weeks now, and I have to say I'm pretty impressed. I have over a 150 sites in my keychain and remembering all the different usernames and passwords is becoming impossible. So far, this app has done a great job of getting things organized, and as it also synchs across multiple computers through .mac, it's saves me a lot of time and grief. One thing I wished it would do was work on an iPhone or Touch. Looks like the developers are thinking along the same line.

Ever try typing a long username and password on an iPhone or Touch? What a pain the ass! I'd definitely give this a shot if they can make it autofill on the iPhone. Also needs to store things other than just website logins, like multiple form fill profiles and text.

[Danicus]

this has bad idea all over it

[Aetles]

Quote:

Originally Posted by Macrumors

The new version adds a "Sync to iPhone" feature which exports all your stored passwords into an encrypted Safari Bookmarklet. The Bookmarklet is accessible from the iPhone's Safari bookmark list and protected by a password.

It seems a lot like the already announced PasswordWallet for iPhone.

[kugino]

everyone's fears and apprehensions are totally understandable. were i not using the desktop version of 1Password i'd be equally dubious.

but it's really an amazing app by a good company. though i don't have an iphone (yet) i will most definitely look into this implementation when i pick up an iphone in january.

just FYI, the TWIT macbreak guys really like 1Password, too, and they highly recommend it...and that's how i learned about this app. saves me a ton of time with a lot of password-protected sites my job forces me to engage with...and i feel very confident about the security measures implemented in this app. hopefully people will take a serious look at this app before judging it. if it's not for you, fine.

[NightOne]

Quote:

Originally Posted by Aetles

It seems a lot like the already announced PasswordWallet for iPhone.

Ironically, it was someone from Sweden who posted pretty much the same thing on the TUAW post.

Do you work for PasswordWallet or something?