I have a couple of questions.

It sounds like I will need to purchase versions for PC, Mac and iOS. If that's the case, where do I store all of the passwords? Do I have to use Dropbox? Is iCloud an option?

As far as just using it, when on a PC or OS X, you open the webpage by clicking on the icon in the browser that you are using? Is it sort of like going to a "favorites" folder of web sites? It then loads the page and your password?

In iOS, you just use the 1Password app? In other words, not a browser like Safari?

If I am using Dropbox, do I need to enter the password for 1Password and my password for Dropbox every time? Seems contrary to the whole one password idea, but I guess I am hung up on how 1Password accesses Dropbox.
 

Great questions!

You can purchase the Mac and Windows bundle from our website: http://www.agilebits.com/store

This gets you both the Mac and Windows versions at a lower price than buying them separately. The iOS application is available separately on the App Store. It works for both iPhone and iPad with a single purchase.

You can try the trial versions first if you wish: http://www.agilebits.com/downloads

There is no trial of the iOS version, but you can use the Windows and Mac versions for 30 days.

For the sync question, do you want all of these devices to have the same passwords? If so, you should probably use Dropbox. It's the only one compatible with all 3 platforms. iCloud will only work with Mac and iOS.

My workflow is like this:

1) Open browser and go to page
2) Press Command+\ to fill username and password (Control+\ on PC)
3) If the data isn't already stored in 1Password, you can enter it in manually and 1Password will offer to save it for you.

Basics are covered here: http://learn.agilebits.com/1Password4/Mac/en/the-basics.html

On iOS, the browser we have built in is basically Safari. However, it's an embedded version that developers can use. We can fill your username and password into pages using this version. We cannot fill usernames and passwords into Safari at this time. It's a limitation of iOS.

You store your data in Dropbox. When you do this your data file exists in Dropbox and is synced there. When you set it up, you're logged into Dropbox so there is no need to log in again, unless it's on a new device.

After syncing you then just open 1Password and unlock it with your master password. Your Master Password and your Dropbox password should be different. Please don't use the same password for this.

1Password will auto-lock (settings let you change this) so that after inactivity you will need to unlock it again. Accessing sites will basically require you to unlock 1Password.

Let me know if this helps. If you have questions regarding the purchasing, please private message me and we can go through it all.
 
Thanks for the response above!

I thought of another question.

There are some sites that don't seem to let Keychain auto-load the username and password. Is that an issue with 1Password as well?
 
I input some of the passwords from that list into 1Password and it claims the password strength is good!

[Disclosure: I work for AgileBits, the makers of 1Password]

You are absolutely correct on that point. Quite simply, password strength meters, including our own, are extremely limited in what they can do. Here is part of one answer we posted about how our password strength meter works:

The usual way to determine strength of a specific password is to sacrifice a chicken and then read the entrails. But in 1Password, we do better. We compute the horoscope of the chicken before sacrificing it. Given that some of our staff are vegetarians, we are always looking for alternative approaches.

The sad fact of the matter is that accurate password strength meters are impossible (short of spending years or decades trying to crack the offered password). The reason is because the strength of a password depends largely on the system by which it was generated. That is not something that can be determined with confidence by inspecting a single password.

So the password strength measure in 1Password uses the same sorts of heuristics that others do. It checks against a list of 10000 popular passwords. It looks for simple words and simple combinations. It is very sensitive to password length. [...]

Let me highlight the point by considering the following three passphrases.

  1. All the world's a stage
  2. All the world's a phage
  3. world's all phage a the

The first one is a terrible password as it is a phrase that has been published and is well known. The second one is better than the first because I don't think it has ever been written before now (I should check Google), but it is a variant of a familiar phrase and it is grammatical English. The third is substantially better (but still not perfect).

A password strength meter that is supposed to operate in a fraction of a second is just not going to distinguish among these.

The good news about password strength meters is that they have the desired effect on behavior even though they are fundamentally limited in what they can do.

To get even more abstract, it's not only that the world lacks practical means for calculating the strength of a password, we don't have consensus on a definition of password strength. For the excessively nerdy, here are the slides from a talk that I gave at PasswordsCon13 in which I attempt to offer a definition.
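The three passphrases above, run through a toy meter built only from the heuristics listed in the post (a popular-password list, a dictionary-word check, and a length/character-class term). This is an added example written for this thread, not AgileBits' code; the word lists, the 2000-entry list size and the rating thresholds are constructed.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Constructed stand-in for the "list of 10000 popular passwords" in the post.
var popularPasswords = map[string]bool{"password": true, "123456": true, "qwerty": true}

// Constructed stand-in for a dictionary of simple words; a real meter ships thousands,
// so a matched word is charged as one pick from a list of wordListSize entries.
var simpleWords = map[string]bool{
	"all": true, "the": true, "world": true, "a": true, "stage": true, "phage": true,
}

const wordListSize = 2000

// charsetSize is the alphabet a per-character brute force would have to cover.
func charsetSize(p string) int {
	n := 0
	for _, c := range []struct {
		in   func(rune) bool
		size int
	}{{unicode.IsLower, 26}, {unicode.IsUpper, 26}, {unicode.IsDigit, 10}, {unicode.IsPunct, 32}, {unicode.IsSpace, 1}} {
		if strings.IndexFunc(p, c.in) >= 0 {
			n += c.size
		}
	}
	return n
}

// StrengthBits is a heuristic estimate of the kind the post describes: popular-password
// lookup, dictionary-word check, and a length/character-class term. It cannot know that
// a phrase has been published or that its word order is natural English.
func StrengthBits(p string) float64 {
	if popularPasswords[strings.ToLower(p)] {
		return 0
	}
	perChar := math.Log2(float64(charsetSize(p)))
	notLetter := func(r rune) bool { return !unicode.IsLetter(r) }
	bits := 0.0
	for _, r := range p { // separators and symbols are charged as random characters
		if notLetter(r) {
			bits += perChar
		}
	}
	for _, w := range strings.FieldsFunc(p, notLetter) {
		if simpleWords[strings.ToLower(w)] {
			bits += math.Log2(wordListSize) // one pick from the word list
		} else {
			bits += float64(len([]rune(w))) * perChar // unknown word: random characters
		}
	}
	return bits
}

// Rate maps the estimate to the labels a UI meter would show.
func Rate(bits float64) string {
	i := int(bits / 32)
	if i > 3 {
		i = 3
	}
	return []string{"terrible", "weak", "good", "excellent"}[i]
}

func main() {
	for _, p := range []string{"All the world's a stage", "All the world's a phage", "world's all phage a the", "password"} {
		b := StrengthBits(p)
		fmt.Printf("%-26q %5.1f bits  %s\n", p, b, Rate(b))
	}
}
```

All three phrases land in the same "good" band, and the scrambled third one actually scores a little lower than the famous quotation because it lost its capital letter, the reverse of their real-world strength.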
 

You're very welcome!

We have to insert your username and password differently than Apple's keychain does. There will likely be some sites that don't fill with Apple's or with ours. If you run into these we do ask that you contact us so we can look into why. It's possible we can figure out a workaround, or we can try to improve our browser extension to fill it properly.

We actively try to fix these issues, but yes, you probably will run into a site at some point that doesn't fill properly.

To add a little more here: filling into webpages can be extraordinarily difficult. Every site does things differently and there is no real standard way for developers writing websites to do this. It's this variety of methods and developer processes that makes filling so difficult.
 

What happens if a website changes its login page? Does 1Password see it as a new site asking the user if he or she wishes to save a new password?
 
For those concerned about Dropbox and iCloud security and government requests, one could set up his or her own personal cloud accessible anywhere you want it to be. Western Digital Cloud drive comes to mind.

Don't know if such could be used to sync 1Password with and other similar apps, but, thought I would throw it out there.
 

The same sort of thing that any other autocomplete would do. If it's on a new domain (gmail.com instead of google.com) you can fill it in with different info and merge the two as one account. If the page is just different, it shouldn't matter unless they have some weird implementation (e.g., Flash player).

Ninja edit: What he said ↓
 

Two things can happen in the case of a website changing its login page:

1) Our extension can still fill if it's clear what needs filling.
2) In some cases you would need to re-save the username and password and that would fix any filling issues.

We save information like the field name for the username and password entries. If these change we can try to fill despite them being different, but in some cases re-saving the login would update the field names and allow it to fill properly if our general filling can't do it.

It won't see it as a new item to save unless it's on a different domain. If it's on a different domain then it will see it as a new item to be saved. In some rare cases it might happen even if the domain hasn't changed completely. I've only seen this a small handful of times.
 
Will have to remember that one, thanks again Kyle!

My pleasure :)

If the application is locked it'll ask to unlock it, but if it's unlocked and a login matches it exclusively it'll fill it in. If it's not exclusive, it'll present the list (just like clicking the extension icon).
 
If I am not mistaken, both programs have 256 bit locker encryption.

I work for AgileBits, the makers of 1Password, so I will not comment on the security design of other products. But I would like to highlight that there is a lot more to designing a security system than using AES-256. As you correctly note, 1Password does use AES-256 for a variety of reasons, but it is a mistake to think that AES256 is more secure in any meaningful way than AES128. I know that that seems counter-intuitive, but please see this article of ours: Guess why we’re moving to 256-bit AES keys for an accessible explanation.

It is absolutely a wonderful thing that every software developer has easy access to the strongest cryptographic algorithms. But it is also very important to know how to use them. Unfortunately it is still easier to use those tools incorrectly than correctly. One example is the blunder that WhatsApp made with their client/server protocol. (They used the same key/nonce pair for encryption in each direction.) Here were very smart people trying to do the right thing, but they ended up wrecking things because they weren't aware of a particular kind of attack and what it means for key choice.

I am not for a moment suggesting that any of our competitors are using things incorrectly. Instead I'm trying to highlight the fact that cryptographic security failures are rarely the result of people picking 3DES over Blowfish. They are more subtle.

Here might be a more relevant example. AES is designed to withstand "related key attacks", but software designers should avoid using related keys anyway. It turns out that there are flaws in the key schedule of AES256 that aren't present in AES128. So if you are using related keys (which you shouldn't be), then AES128 is going to be a better choice than AES256. 1Password does not use related keys; so we decided to go with AES256, but if the problems with AES256 start to extend beyond that particular kind of attack, then we are ready to move to AES128 even if it isn't so-called "military grade."
 

Macs and PCs can sync anywhere so long as it is part of the file system, i.e. a mounted drive or network folder.

iOS doesn't have that luxury though. It has no filesystem access, so it has to be coded specifically to sync with a particular service. Right now we only support iCloud, Dropbox and wifi syncing.

You could sync Mac/PC with a network drive, and then use wifi sync (on the mac) to sync to an iOS device.

Edit: To make this more clear though, please be very careful with availability of the network drive. If 1Password tries to sync to a location that isn't available, it will disable syncing (as of 4.2 for Mac).
 
Thank you, Jeff, for the informative post. I will take a look at the links you provided.

----------

Thank you, Kyle, for the follow up clarification. My spur of the moment idea doesn't seem so practical now. lol
 
Quick question for you: Do you consider any of the following passwords secure?

  • thereisnofatebutwhatwemake
  • eastofthesunwestofthemoon
  • !)@(#*$&%^Test123
  • *tecno9654postgres
  • !@#$%^&*()_+lisa
  • Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1

If your answer to just one of the above is "Yes": Think again real hard about using a good password manager!

Those passwords above were all guessed using "dictionary lookup" attacks within hours or days (not weeks or years)! Several hours to days!

(And please note: these are all considerably longer than your simple "8 or 9 character passwords"!)

Rule of thumb: if you try to come up with a password that is based on any (combination of) word(s) that can be found "on the Internet" (Twitter, Wikipedia, websites, news groups, the Bible, other book texts available in electronic form, ...), it is very likely that it will be guessed! Even 1f u d0!permutat1ons$and_try2bcl3v3r! ("rule-based substitution attacks").

For a detailed background why you should be very concerned:

http://arstechnica.com/security/201...ing-the-next-frontier-of-password-cracking/2/
"How the Bible and YouTube are fueling the next frontier of password cracking"

And considering that several major (commercial) sites were hacked and millions of encrypted passwords were stolen in the past few months, you should really have different passwords for each and every service!

(What people often forget: they might have a hugely "secure password" for e.g. their Apple ID, but they have a weak password for their email, so attackers can guess the email password, reset the Apple ID with a confirmation email sent to that email address, and *zonK*! There you go! Your Apple ID accessible now to them as well!)

Well, as I said: reconsider what you think is "secure"...

Clearly you are unaware of this:
 
Still no update for the iOS version of 1Password? It is featured in Apple's Essential Productivity 101 in the iOS App Store.
 
This is nice. I like and use iCloud, but might try this someday. I don't like how iCloud really has no order for looking up a password.
 
! Password

One Password is a great App. The only issue I have is the fact that updates to iOS for iPhone don't come at regular rates and the integration between the version on the Mac and iOS could be more seamless. There should also be some kind of volume discount for multiple devices. If you aren't using a password manager you're not taking security seriously.
 

See the video here: http://vimeo.com/88901304

It's far more than just an iOS 7 update though, sorry for the delay!

----------

Could you private message me with how you think the Mac and iOS apps could be more seamless? I'm very curious what your thoughts are on this.

This goes for anyone actually, I prefer the private messages as they're easier to keep up with and reduce comments in the thread here that are perhaps slightly off topic.

We do offer volume discounts for businesses and schools and such.

For non-business use we do have the family packs, for $20 more you get 5 licenses instead of 1. This is probably our more popular volume discount, but we do have the business discounts as well. This applies to Mac and Windows.

Whoops, missed your iOS updates comment there. We are hard at work on a bigger update to the iOS app. You can see the video link above for a super quick preview. It's near the end.
 
Is this really worth $50? And do you have to buy separately for the iPad and iPhone version? $50 for a Mac app seems like a bit much when it just stores passwords...

It does more than store passwords. It also stores software licenses, credit card data, and personal data so you don't have to enter them every time.

Is it worth $50? I think it is, given how useful I have found it. They also do regular updates that are free as long as they are point releases; and they don't do a new major release every year, so it's not like you're upgrading every year.

Try the trial and see if you like it.
 
Thank you Kyle and Parasprite for the explanation.

I think it is great that employees (Kyle and Jeff) take the time to make themselves accessible answering customer and potential customer questions.
 
Yeah, it sounds impressive, but then they told passengers the Titanic was unsinkable due to its state of the art engineering.

[Disclosure: I work for AgileBits, the makers of 1Password]

You should, indeed, be wary of claims of "unsinkability". Quite frankly, anyone who claims that their security is unbreakable shouldn't be in the business. New kinds of attacks get developed and no software is bug free no matter how much we think we've tested and checked.

But there are things that we can legitimately claim. It is often possible to prove mathematically how much work an attacker has to do for a particular kind of attack to succeed. We can prove that many categories of attacks are infeasible where "infeasible" has a technical definition.

So for example, we can mathematically prove that the use of Encrypt-then-MAC authenticated encryption in 1Password 4 makes it invulnerable to all chosen ciphertext attacks (CCAs), future and present. Likewise, we can show that the design protects against a variety of other categories of attacks.

What we can't prove is that this protects against yet unknown categories of attacks. Nor can we know that we've implemented everything correctly without bugs. Still, it is useful to know that we can design against unknown attacks of a certain type.

So yes, 1Password is not "unsinkable", but would you rather cross the North Atlantic in a modern-designed ocean liner or in a canoe?

So while "256 bit locker encryption" sounds great, I don't understand what it means, whether it's appropriate, nor do I have any way of verifying it really is secure.

You are not alone here. In fact a lot of people who look for or boast about using 256 bit AES keys don't fully understand whether it's appropriate. There are cases where it truly is not appropriate. Take a look at this (accessible) article specifically about AES128 versus AES256 which will at least answer that question.

Let me quote a little from that article:
Why do you think we are making this move [from AES128 to AES256]? If your answer is because AES 256 is stronger than AES 128, you’d be wrong. There is a technical sense in which AES 256 is enormously stronger than AES 128, but in every sense that actually matters for security there is no difference.
 
I noticed some missing letters in the README text when Version 4.2 first came out ("ew Find Backup" and "ou can now"), but that was fixed later in the day.


Version 4.2.1 is now out with a few more fixes.

I suggest checking your Sync preferences in case they need to be re-established after installing the update.
 
Using Version 4.3.BETA-1 (430001), it gets even better, especially the iOS beta.

PS: the one contention with 1Password I had was customer service and the length of OS X development over iOS, which has now been substantially improved. In fact, I applaud their team for working hard (Nik, Dave and everyone else involved in beta development especially).

Some have balked at the price; I used to be one of them. However, I can honestly suggest it is well worth it for many reasons already stated, and many more once the iOS version is released.
 