1Password: Store Passwords on your iPhone

Discussion in 'iOS Blog Discussion' started by MacRumors, Oct 9, 2007.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]

    Switchersblog details a new feature in the latest beta of 1Password -- a Mac password manager application.

    The new version adds a "Sync to iPhone" feature which exports all your stored passwords into an encrypted Safari Bookmarklet. The Bookmarklet is accessible from the iPhone's Safari bookmark list and protected by a password.


    [​IMG]


    The beta version of the software is available on their beta forum.

    Article Link
     
  2. macrumors 6502a

    ozziegn

    Joined:
    Aug 16, 2007
    Location:
    Central FL Area
    #2
    a web applet application that allows me to store all of my important passwords? sure, where do I sign up?

    NOT! :rolleyes:
     
  3. macrumors 65816

    chr1s60

    Joined:
    Jul 24, 2007
    Location:
    California
    #3
    Store all your passwords and gain access to the Fido network... where do I sign up?
     
  4. macrumors newbie

    Joined:
    May 18, 2007
    #4
    Excellent!

    I've been using the desktop app for a couple of weeks now, and I have to say I'm pretty impressed. I have over a 150 sites in my keychain and remembering all the different usernames and passwords is becoming impossible. So far, this app has done a great job of getting things organized, and as it also synchs across multiple computers through .mac, it's saves me a lot of time and grief. One thing I wished it would do was work on an iPhone or Touch. Looks like the developers are thinking along the same line.

    Ever try typing a long username and password on an iPhone or Touch? What a pain the ass! I'd definitely give this a shot if they can make it autofill on the iPhone. Also needs to store things other than just website logins, like multiple form fill profiles and text.
     
  5. macrumors member

    Joined:
    Mar 22, 2007
    #5
    i can understand your fear, a web applet that stores your personal passwords. In reality, the information is NEVER stored on another server/computer (if the makers of this dandy program read, please correct me). You actually have the program called 1password on YOUR computer, put in your website passwords, and there is a sync to iPhone button. Click on that, and the info gets sent to your iphone on the next sync. You are also asked to pick/type a password to retrieve this info. After syncing, go to your iphone, then safari, then bookmarks, and touch 1password. It then asks for your password, that you chose earlier, and all your info shows up on the iphone. So the key here is that the information was NEVER transmitted to over the net. To test this theory, and make sure that I was not sending some information that I did not want to, I put my phone in airplane mode and I was still able to retrieve my info using safari. I mainly use this to store my password, and look up the info so i can type it in another computer that i use at work. If you are connected to the net on your iphone, you can just click on the link to website, and safari will send you there and fill in the password info for you. It is a pretty good program and now with the iphone sync it got a whole lot better. Being an earlier adapter of the iphone, my gripe has always been no to-do list, and no way to encrypt financial/personal things. Well 1password has made a work around that lets us store secure data. No it is not the best program for the purpose, but it is the BEST thing we have on the iphone now, and being that this a version 1 of this feature, i would imagine it only gets better. One additional feature that would be nice is to be able to enter data that is not necessarily financial/website orientated such as Drivers License number, health information, and other data. All in all a great start by the company, and hopefully they build on it. Very clever programming to get around the "No 3rd Party Apps"
     
  6. macrumors newbie

    Joined:
    Sep 26, 2006
    Location:
    ny ny
    #6
    this has bad idea all over it
     
  7. macrumors regular

    Mr. Zorg

    Joined:
    Sep 5, 2007
    #7
    Guys, please pay attention to traderx1's post... He's nailed what most of you seem to be missing. This is basically just an adaptation of the previously released bookmarklet app that write a javascript/dhtml app with your encoded passwords into a Safari bookmark. Nothing's sent over the net. Very clever.

    Now, that said, I do have two concerns (I have not tried it yet):

    1) Previously when I was using bookmarklets, it made starting Safari very sluggish (on both my mac and my iphone). Presumably this is because if the size of the bookmarklets I had. I'm sure the bookmarks system was never optimized to carry such large amounts of data. Hopefully this generates a very small amount... Don't know.

    2) According to their site it uses some pretty strong cryptography (448 bit blowfish). While blowfish is a very fast cipher, I wonder just how fast it would run in javascript on the (relatively limited) horsepower of the iphone...

    I guess one way to find out is to try it. :)
     
  8. macrumors regular

    Aetles

    Joined:
    Nov 13, 2002
    Location:
    Sweden
    #8
    It seems a lot like the already announced PasswordWallet for iPhone.
     
  9. macrumors 65816

    kugino

    Joined:
    Jul 10, 2003
    #9
    everyone's fears and apprehensions are totally understandable. were i not using the desktop version of 1Password i'd be equally dubious.

    but it's really an amazing app by a good company. though i don't have an iphone (yet) i will most definitely look into this implementation when i pick up an iphone in january.

    just FYI, the TWIT macbreak guys really like 1Password, too, and they highly recommend it...and that's how i learned about this app. saves me a ton of time with a lot of password-protected sites my job forces me to engage with...and i feel very confident about the security measures implemented in this app. hopefully people will take a serious look at this app before judging it. if it's not for you, fine.
     
  10. macrumors newbie

    roustk

    Joined:
    Jul 14, 2006
    #10
    AFAIK, this is the most secure way to carry your passwords and other confidential information on iPhone.

    To address your concerns:

    1. All information and the javascript code to access it is stored locally inside the Safari bookmarklet. Internet access is NOT required to use it.

    2. The passwords are encrypted with 448 Blowfish encryption using CBC (Cipher Block Chaining) and a randomized salt. The access code is needed to decrypt individual entries.

    3. The JavaScript code automatically locks the application after 5 minutes of inactivity.
     
  11. macrumors newbie

    Joined:
    Jun 28, 2006
    #11
    Exactly correct!

    All your information is encrypted into a bookmarklet, and stored in Safari on your Mac. When you sync your iPhone in iTunes, the bookmarklet is synced just like all your other bookmarks.

    The data is then decrypted in Safari on your iPhone once you provide the correct password.

    No external web servers. And No hacks!

    This can be true, but for us the only delay was in the initial load (see below).

    Blowfish is amazingly fast. We actually started with AES encryption, but it was just too much overhead for the iPhone. Blowfish was over 10 times faster and it decrypts your individual entries almost instantly.

    The only performance bottleneck is the initial loading of the page. Since *everything* is stored inside the bookmarklet, it can get pretty big. On our personal datasets of 800 items, it is 600KB, which takes Safari a while to load (mine takes 9 seconds to load). Thankfully most users have less than 200 entries, which load in just a few seconds.

    What are you waiting for?? :D
     
  12. macrumors newbie

    NightOne

    Joined:
    Dec 23, 2006
    Location:
    TN
    #12
    Ironically, it was someone from Sweden who posted pretty much the same thing on the TUAW post.

    Do you work for PasswordWallet or something? :)
     
  13. macrumors member

    Joined:
    Mar 22, 2007
    #13
    dteare...

    seeing that you are involved with the software company of 1password, i had a suggestions for future implementation. The software works wonderfully with my iphone, but my one request is the ability to put in other things other than web password. I see a option Credit Cards which is great and what I needed, but also put in other non-internet related info such has financial information, drivers license, car info, health insurance/info. the list could go on...but that would be a great start. Even the ability to have blank fields and add various private info would be awesome.
    thanks
     
  14. macrumors newbie

    Joined:
    Jun 28, 2006
    #14
    Hi traderx1. In terms of 1Password features, what you are asking for is more Wallet items. The ability to create Wallet items for licenses, financial info, etc, is high on our list and we will be adding it "soon". We elected to have "just" Credit Cards for now because we are trying to get version 2.5 "out the door" and are purposely limiting the features to make sure this happens in the next few weeks.

    All the infrastructure is in place to add tonnes of more Wallet items, and I expect you will see them soon after the 2.5 release.

    What other features are people interested in? We're always looking for ways to improve 1Password. I can't promise we'll implement them right away, but we can add them to the list ;)
     
  15. macrumors newbie

    Joined:
    Jun 28, 2006
    #15
    I forgot to mention, you can use Secure Notes for this. Secure Notes allow free-form text; you can put anything in there you please.
     
  16. macrumors regular

    Joined:
    Jun 8, 2007
    #16
    Darn! I was just going to reply to traderx1 and suggest the same thing. At least I read through all the posts, else I would have made a fool of myself as my suggest would have been directly under yours...

    Love the program, btw.
     
  17. macrumors member

    Joined:
    Jul 6, 2007
    #17
    How long does the demo last before we need to pay?
     
  18. macrumors 68000

    Joined:
    Feb 23, 2006
    #18
    Quoted for Truth.

    Also, storing the passwords locally on the iPhone is a terrible idea as well, when you are using a TIFF exploit to unlock the phone. Who says the same TIFF exploit can't be used to take those passwords?

    Granted, you're using Blowfish, but still if the password database is able to be lifted from the phone then the game is up. Plus, just because you have encryption doesn't mean you're secure because you can have the encryption key being generated with a dictionary word.
     
  19. macrumors newbie

    Joined:
    Jun 28, 2006
    #19
    1Password 2.5 has a 30 day trial period. In previous versions we limited the number of Web Forms to 12, but based on feedback we got we thought a 30 day trial would be better.
     
  20. macrumors newbie

    Joined:
    Jun 28, 2006
    #20
    The Edit button is your friend :)

    Thanks!
     
  21. macrumors newbie

    Joined:
    Jun 28, 2006
    #21
    Nothing is perfect (as Bruce Schneier used to say) but 1Password for iPhone is the safest solution, next to not using a computer at all. Certainly it is much safer than reusing the same password all over again or trying to keep them on a piece of paper. If you need to access your accounts while on the road, you need a strong solution like 1Password's Sync to iPhone.

    The TIFF exploit used on iPhone is simply one example of taking control of a device. Safari and other apps are frequently patched to prevent buffer overflows that allow "arbitrary code execution", so your Mac is vulnerable just like the iPhone (albeit, the iPhone is particularly bad because everything runs as root, but I digress). This is why keeping your software up-to-date is part of any good Defense-In-Depth plan.

    Since 1Password's Sync to iPhone does not use any hacks, you are allowed to upgrade to the latest firmware which will fix these exploits, and you won't need to worry about bricking your iPhone :)

    The strength of the Blowfish encryption is directly proportional to the strength of your password (in terms of brute force attacks). Using a dictionary word for your master password is a terrible idea as specially designed applications can easily guess them. You must choose a good strong password! Otherwise, there is no sense in using encryption at all.

    The beauty of 1Password is that you will only need to remember one password, so you are able to make it a strong password and since there is only one you will be able to commit it to memory.
     

Share This Page