Anyone use this before? Is it safe to save all passwords in one place?

I use it and love it. If you're not using a password manager, you absolutely should, for several reasons: 1. You should not be using the same password on two different sites ever. 2. When you create a new password, it should be very long (20-50 characters) and completely random. These objectives are both infeasible without a password manager.

1Password is great, but I've also heard good things about LastPass. I prefer 1Password because the passwords are stored locally, not on 1Password's servers. If you want to sync between devices, they support Dropbox, which works for me. (Even if you don't trust Dropbox, the synced files are encrypted.)

I use it on my MBP, iPhone, iPad, and 2 Linux (Kubuntu) machines with Wine*. I've emailed them in the past and they have really friendly, responsive customer support. The only downside is price. This is not a cheap product, but based on the value of the secrets it protects, I'm happy to pay good money for a good product, and I hope they make a good enough living doing it that they continue to build great software.

The most awkward part of using 1Password is that there is no standard for websites to communicate which inputs they use for login credentials. Presumably 1Password (and all of their competitors) have some heuristics for figuring this stuff out, but it frequently does trippy things. For example, if you register on a new site, 1Password will offer to save your login, but it's really just saving the values of that registration form. On some sites, this may mean that the login form doesn't work, because the login form and registration form are substantially different.

I personally do this whenever I register for a site:

  • Register
  • Tell 1Password not to remember the password
  • Immediately log out and log back in
  • 1Password will again ask to remember the password, and this time I click yes

I wish LastPass and AgileBits would get together and lobby the W3C for a more sane approach to password management. As it stands now, I hesitate to recommend password managers to less technical people because I fear it is too confusing or too likely to break in confusing ways at inopportune times.

* The Windows client runs in Wine, but the browser plugin does not run on Linux, making this a bit more tedious to use on Linux than on OS X, but not a deal breaker for me.

So while "256 bit locker encryption" sounds great, I don't understand what it means, whether it's appropriate, nor do I have any way of verifying it really is secure.

They have a good write up of how it works:

http://help.agilebits.com/1Password3/agile_keychain_design.html

They are relying on 3rd parties for most of the crypto (which is a good thing), but as with any closed source system, we have to take them at their word that it's implemented the way they say it is, and that there are no significant mistakes.
 
AgileBits, would it be possible to add the ability to create a password per this method?

[Image: W6FO5pW.png]


i.e. generate a password of real words, using a user defined amount of letters per word, and total words?
 

You can try the pronounceable option.

Just go to the password generator, click "Password Recipe" and try the option for Pronounceable. It isn't exactly the same, but it does help in terms of providing a more pronounceable password instead of being completely random. I use this for Dropbox, AppleID, etc. that I have to remember.
 

How about you finally update your iOS version? Last update was in November last year, for an app that cost more than 10 bucks and still uses iOS 6 keyboard I think you are pushing it...
 
I'm just curious if it will be an update or a 1Password 5 for another 14,99...

It'll be a free update to existing users. Version will be 4.5 unless things change between now and then.

There is far more happening in this release than just an iOS 7 keyboard.
 
A UK perspective...

Undoubtedly 1Password is a great app, and I liked it when I used the trial. However, I'm now using LastPass. The main reason for this is I felt that 1Password did a poor job of form filling, specifically because I'm in the UK, and our address fields are rather different from the US. 1Password tends to be quite US centric.
 
I'll add two more benefits of 1password:

  • vs. Keychain - 1password allows customization of the password generation. For some sites, Keychain's recommendations are not usable.
  • Support - you're unlikely to find a better company to purchase from; whether it's routine questions, support for issues with the software, insightful information on security topics and industry trends, or participation in threads such as these.

I've never regretted purchasing any versions of their products. Period.

You might find companies with equivalent customer service or relations, but I doubt you'll find better.
 
Guys, I'm keen on buying 1Password, but I have one question:

How does it work in anything that's NOT the browser in the app? For example: I open up a new mail app on my phone, and it asks me to sign in with google, and I'm presented with the standard google login. How the heck do I get the app on the phone to fill in those details?

Same with Apps. Let's say I install a new twitter app that doesn't natively support 1P, and then it asks for my twitter password. How do I fill in that info?
 

iOS doesn't let us "fill" into other applications. We can't really interact in any real crazy way to allow this to happen.

But, for now the process is this:

* Open 1Password
* Unlock if necessary
* Locate item
* Copy password to clipboard (just tap the password and choose Copy)
* Paste it into the other application

Some applications use a 3rd party tool that lets applications automatically open 1Password (locked) and search for their app:

http://blog.agilebits.com/tag/apps-that-love-1password/

So those apps all solve a few of the steps above automatically by using that framework we mention.

Hopefully we can get some improvements in iOS 8 that let us make this more seamless for users, but it's really up to Apple to provide these tools so that we can interact with other applications better.
 
iOS doesn't let us "fill" into other applications. We can't really interact in any real crazy way to allow this to happen. I have a few ideas how we could, but it's not a super secure way to do it.

If Apple ever supports something like "intents" on Android we could possibly figure out a way to make this work better.

But, for now the process is this:

* Open 1Password
* Unlock if necessary
* Locate item
* Copy password to clipboard (just tap the password and choose Copy)
* Paste it into the other application

Some applications use a 3rd party tool that lets applications automatically open 1Password (locked) and search for their app:

http://blog.agilebits.com/tag/apps-that-love-1password/

So those apps all solve a few of the steps above automatically by using that framework we mention.

Hopefully we can get some improvements in iOS 8 that let us make this more seamless for users, but it's really up to Apple to provide these tools so that we can interact with other applications better.

Holy crap. Seriously? The clipboard? Surely the whole concept of amazing security goes right out the window when I'm in Chrome or whatever app with my password in the clipboard?
 

We can clear the clipboard from the 1Password application. You can clear it after as little as 30 seconds. This gives you time to paste it into the app and away you go.

Note there is no way we can otherwise fill into other applications. This is a limitation of iOS. Apple does not let other applications communicate in any meaningful way with other applications.

We have to work within what Apple allows in this case. Believe me, we'd love to see something better here.

I don't think you have anything really to worry about with copying and pasting passwords. This is how all password managers work on iOS, not just 1Password. Instead, this totally depends on whether or not you trust the other application. If you don't trust the other application, you wouldn't be putting the password into it.

We do support filling usernames, passwords, credit cards, and identity information into our built in browser on iOS. This prevents any copying and pasting for those.
 
Sorta unrelated, but when do you plan to release the update for the iOS update? Approximately?

 
Does ANYONE know IF it …. allows you to input/type security questions and answers for certain sites, such as government, banks, certain databases, etc….???

I have been doing it the old-fashioned way, on paper …. actually on Pages. For example, for one site I have a password (long) and four security questions, none of which I can really remember. It's a pain to go back and forth.

As others have said you can use either the secure notes field or custom field. I use the notes field. I also use 1Password's password generator and click pronounceable password. So if you set the length to 20, you would get something like this:

kyja-spom-phan-se-te

You then can paste that into the security question. I then put the question name and this password in the notes section. This then makes your security questions secure as well. That is the weak link. What good is a 20 digit password if you honestly fill out security questions with info identity thieves can obtain or info found easily in facebook profiles or online.
 
Sorta unrelated, but when do you plan to release the update for the iOS update? Approximately?

Nope, we don't typically comment on this until we know it's going to be released when we say it will be. There are just too many factors involved.

Wish I could give you more but sadly I cannot. If you follow us on Twitter you should see more information when we release. Our newsletter may have some information as well, though we try to only use that 3-4 times a year.

Sorry :( Hang in there though.

----------

As others have said you can use either the secure notes field or custom field. I use the notes field. I also use 1Password's password generator and click pronounceable password. So if you set the length to 20, you would get something like this:

kyja-spom-phan-se-te

You then can paste that into the security question. I then put the question name and this password in the notes section. This then makes your security questions secure as well. That is the weak link. What good is a 20 digit password if you honestly fill out security questions with info identity thieves can obtain or info found easily in facebook profiles or online.


Funny you mention that :)

http://blog.agilebits.com/2012/08/1...uestions-my-fathers-middle-name-is-vr2ut1vnj/
 
Don't know if it was mentioned but a couple of other benefits of passwords are:

Phishing Prevention - If you click a link and it opens up a link to what appears to be Bank of America and you click on the 1Password extension or mini app to enter the password, it won't be available since it's not the legitimate site.

Keylogger Prevention - Can't capture what you don't physically type. So clicking the extension or mini app and filling in the password prevents passwords/info from being keylogged. This is also the case if you create identities, enter your credit cards, etc. into 1Password. Click to fill in and data is safe.

----------


I had also just previously posted an enhancement request/ID on your forums on how to make this process a little more automated.
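The phishing point in the post above comes down to the manager comparing the page's real host with the host stored in the vault item before it offers a login. The sketch below is an added example, not part of the original post and not 1Password's code; the exact-host, HTTPS-only rule, the function names and the `bank.example` entries are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault entry (hypothetical site and user).
SAVED_LOGINS = [
    {"title": "Example Bank", "url": "https://www.bank.example/login", "username": "alice"},
]


def normalized_origin(url):
    """Return (scheme, host) with userinfo, port, case and trailing dot stripped."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed netloc, e.g. an unterminated IPv6 literal
        return "", ""
    # .hostname drops any "user:pass@" prefix, so "bank.example@other.example"
    # resolves to other.example, which is what the browser actually connects to.
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.scheme.lower(), host


def fillable_logins(page_url, saved_logins):
    """Offer a saved login only when the page is HTTPS and its host matches exactly."""
    scheme, host = normalized_origin(page_url)
    if scheme != "https" or not host:
        return []
    return [item for item in saved_logins
            if normalized_origin(item["url"]) == (scheme, host)]


# Constructed pages: two legitimate variants and four that only look right to a human.
SAMPLE_PAGES = [
    "https://www.bank.example/login?next=/accounts",         # legitimate
    "https://WWW.BANK.EXAMPLE./login",                       # same host, odd spelling
    "https://www.bank.example.secure-signin.example/login",  # real name as a subdomain label
    "https://www.bank.example@secure-signin.example/login",  # real name in the userinfo part
    "https://www.bank-example.example/login",                # lookalike name
    "http://www.bank.example/login",                         # right host, no TLS
]


def check_pages(pages=SAMPLE_PAGES, saved_logins=SAVED_LOGINS):
    """Map each page URL to the titles of the logins that would be offered there."""
    return {p: [i["title"] for i in fillable_logins(p, saved_logins)] for p in pages}


if __name__ == "__main__":
    for page, titles in check_pages().items():
        print(f"{'offer ' + titles[0] if titles else 'nothing to fill':<22} {page}")
```

A manager that matches on the registrable domain instead of the exact host would be more forgiving of `login.` versus `www.` subdomains; the rejection of the four lookalike pages would be the same.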
 
It'll be a free update to existing users. Version will be 4.5 unless things change between now and then.

There is far more happening in this release than just an iOS 7 keyboard.

Great to hear!

Don't want to sound annoying :)

1Password is the app I mostly use, I have around 150 entries in it and I use it every single day :D
 
As others have said you can use either the secure notes field or custom field. I use the notes field. I also use 1Password's password generator and click pronounceable password. So if you set the length to 20, you would get something like this:

kyja-spom-phan-se-te

You then can paste that into the security question. I then put the question name and this password in the notes section. This then makes your security questions secure as well. That is the weak link. What good is a 20 digit password if you honestly fill out security questions with info identity thieves can obtain or info found easily in facebook profiles or online.

Thank You! You and another member gave me hope…… there is a way to my madness, what I have been doing, constant back and forth. Many of the passwords are 20 characters long or more. The questions are extra steps that I have to input and so forth. SO MANY thanks.
 
AgileBits, would it be possible to add the ability to create a password per this [XKCD "correct horse battery staple"] method?

I'm glad you asked that! [Disclosure: I work for AgileBits]

A Diceware-like generator is available in the 1Password for Windows beta, but we can't make any promises about when this will be brought to Mac and other platforms. For the time being, the "pronounceable" recipe in 1Password's Strong Password Generator is your best bet at getting strong, memorable passwords.

Some history

If I may brag about my role in this, I'd like to talk about the history. The original form of this was proposed in 1995 by Arnold Reinhold, for a system he called Diceware for PGP passphrases. (One goal was to have the password creation be entirely off-line, and so it involved rolling dice to pick words from a list.) Though nothing is created in a vacuum, and using a passphrase of randomly chosen words from a list was integral to the S/KEY one-time-password scheme developed by Leslie Lamport in the 1980s. (Yes, the same Leslie Lamport who put the "La" in "LaTeX".)

Anyway, in June 2011, I wrote an article advocating Diceware for 1Password Master Passwords. Toward Better Master Passwords.

Because the article explained the rationale along with what is wrong with most of the password advice floating around in those days and a friendly nod from the fickle finger of fate, that article became quite popular in the tech community, giving me my fifteen minutes of fame.

A few weeks later (August 2011) Randall Munroe produced the comic that has brought Diceware-like systems to the attention of the modern world. He fully acknowledged his sources in the XKCD discussion section, and just as I had helped bring attention to Reinhold's scheme, he had done the same.

I did write a followup article that talked a little more about the math: Better Master Passwords: The geek edition.

Anyway, I hope you will forgive that history lesson, and the self-promotion it contains.

Back to your original question

It should be clear that we at AgileBits have been aware of Diceware-like schemes for quite a while. What has remained a question is whether the pronounceable passwords in the Strong Password Generator are superior to Diceware for machine generated passwords.

Remember that one of the advantages of Diceware (at least for its inventor) was that these passwords could be generated with no computer. A printout of the list and some dice is all you needed. That is not a consideration for our Strong Password Generator. The pronounceable passwords could not easily be created without a computer, but they are stronger per character than diceware ones.

We've been hoping to find solid research on the comparative memorability of Diceware versus pronounceable. It may be that the difference in strength per unit length isn't big enough to counteract the ease of memorability. (The easier these are to memorize and type, the longer passwords people will use.) So this is not a convenience/security trade-off. Instead it is a security/security trade-off, and we don't have sufficient data to know which is better.

And as for the strength of these, I'd like to point you to a table showing estimated crack times against 1Password Master Passwords given the details of how we use PBKDF2-HMAC-SHA512 in 1Password 4.

[Image: 20-and-5K-guesses-per-sec.png]


The article that is from explains where the 20,000 and 5,000 guesses per second comes from.
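To make the Diceware arithmetic in the post above concrete, here is an added example (not from the post or from AgileBits) covering both the dice-to-word mapping and the machine-generated variant, with average crack times at the 20,000 and 5,000 guesses per second quoted above. It assumes the attacker knows the word list and the word count; the 12-word list is constructed so the block runs offline, and all function names are illustrative.

```python
import math
import secrets

DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD   # 7776 words in a full Diceware list
SECONDS_PER_YEAR = 365.25 * 86400

# Constructed sample list for the demo only; a real list has 7776 entries,
# and a list this small must never be used for actual secrets.
SAMPLE_WORDS = ["anchor", "bishop", "cactus", "dragon", "ember", "falcon",
                "garnet", "harbor", "island", "jigsaw", "kettle", "lantern"]


def index_from_rolls(rolls):
    """Map five physical dice rolls (each 1-6) to a 0-based index into a 7776-word list."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)       # read the rolls as a base-6 number
    return index


def generate_passphrase(words, count, sep=" "):
    """Pick `count` words independently and uniformly using the OS CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would make the entropy estimate wrong")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` words drawn uniformly from a list of `list_size` words."""
    return count * math.log2(list_size)


def average_crack_seconds(list_size, count, guesses_per_second):
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    return list_size ** count / 2 / guesses_per_second


def crack_time_table(rates=(20_000, 5_000), word_counts=(3, 4, 5, 6)):
    """Rows of (words, entropy bits, [average years at each rate]) for a full list."""
    rows = []
    for n in word_counts:
        years = [average_crack_seconds(DICEWARE_LIST_SIZE, n, r) / SECONDS_PER_YEAR
                 for r in rates]
        rows.append((n, round(entropy_bits(DICEWARE_LIST_SIZE, n), 1), years))
    return rows


if __name__ == "__main__":
    print("sample (toy list):", generate_passphrase(SAMPLE_WORDS, 5))
    print("rolls 3-1-6-2-4 -> word index", index_from_rolls([3, 1, 6, 2, 4]))
    for n, bits, (fast, slow) in crack_time_table():
        print(f"{n} words  {bits:5.1f} bits  {fast:14,.1f} y @20k/s  {slow:14,.1f} y @5k/s")
```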
 
I had also just previously posted an enhancement request/ID on your forums on how to make this process a little more automated.

Do you have a link to this by chance? You can private message it to me so I can take a look. Or you can send me your email and I'll see if I can search for your past history based on the account you used on our forums.

Great to hear!

Don't want to sound annoying :)

1Password is the app I mostly use, I have around 150 entries in it and I use it every single day :D

No worries at all. We want it out too, but one thing I've learned working here is that good things take time so all we really ask is patience. We have our users' best interest in mind but it will take longer than we initially intend :) I just don't want to disappoint any more than I have to by giving too much information about releases.

Keep those eyes peeled!
 
Still nothing on the App Store for the update :confused: any other way to update?

 

Nopi dopi!

From what I've gathered, App Store developers have no way of passing licenses back and forth between the App Store and apps installed elsewhere. You could technically re-buy the app (not that I'd suggest anyone do that) but point updates are usually up within a couple of days unless there is an issue.

You see the same sort of thing when Android and iOS apps are released at the same time. Apple has to approve it before it goes live in either case and usually it isn't too painful of a wait.

Then again, I remember the 4.2 beta working (sorta) fine... So maybe I'm wrong.
 