I'm curious. Do any of you see iCloud Keychain becoming as elaborate a service as 1Password?

I use iCloud keychain now and feel that it is lacking in many areas. However, since it is new to the market, I want to give Apple some time to fine tune it and see what product comes out of the pipeline.
 
Yeah, it sounds impressive, but then they told passengers the Titanic was unsinkable due to its state of the art engineering.

No they didn't. The term had not been promoted to the general public or passengers. Where used, it was accompanied by plenty of qualifiers, rather than an outright quality of unsinkability.
 
[Disclosure: I work for AgileBits, the makers of 1Password]

You should, indeed, be wary of claims of "unsinkability". Quite frankly, anyone who claims that their security is unbreakable shouldn't be in the business. New kinds of attacks get developed and no software is bug free no matter how much we think we've tested and checked.

But there are things that we can legitimately claim. It is often possible to prove mathematically how much work an attacker has to do for a particular kind of attack to succeed. We can prove that many categories of attacks are infeasible where "infeasible" has a technical definition.

So for example, we can mathematically prove that the use of Encrypt-then-MAC authenticated encryption in 1Password 4 makes it invulnerable to all chosen ciphertext attacks (CCAs) future and present. Likewise, we can show that the design protects against a variety of other categories of attacks.

What we can't prove is that this protects against yet unknown categories of attacks. Nor can we know that we've implemented everything correctly without bugs. Still, it is useful to know that we can design against unknown attacks of a certain type.

So yes, 1Password is not "unsinkable", but would you rather cross the North Atlantic in a modern designed ocean liner or in a canoe?



You are not alone here. In fact a lot of people who look for or boast about using 256 bit AES keys don't fully understand whether it's appropriate. There are cases where it truly is not appropriate. Take a look at this (accessible) article specifically about AES128 versus AES256 which will at least answer that question.

Let me quote a little from that article

Thanks for your well-reasoned and thoughtful responses here. Very helpful.

----------

No they didn't. The term had not been promoted to the general public or passengers. Where used, it was accompanied by plenty of qualifiers, rather than an outright quality of unsinkability.

I won't debate nautical history with you because I'd lose. :)

That said, hubris is hubris.
 
Still nothing on the App Store for the update :confused: any other way to update?

Sorry about that. At this point it is in Apple's hands and dependent upon them approving. According to this:

http://reviewtimes.shinydevelopment.com

The average review time is 4 days for Mac App Store submissions. Given we put the app up for Apple to review on Tuesday, we should be awfully close today. If not today, probably tomorrow.

Let me know if that's too long of a wait and maybe we can work something out via private message.

Edit: Looks like we found a bug in the MAS version and will be self rejecting the 4.2 release and will submit a fixed version (4.2.2). So, expect another 4-5 days before the MAS version shows up.

Nopi dopi!

From what I've gathered, App Store developers have no way of passing licenses back and forth between the App Store and apps installed elsewhere. You could technically re-buy the app (not that I'd suggest anyone do that) but point updates are usually up within a couple of days unless there is an issue.

You see the same sort of thing when Android and iOS apps are released at the same time. Apple has to approve it before it goes live in either case and usually it isn't too painful of a wait.

Then again, I remember the 4.2 beta working (sorta) fine... So maybe I'm wrong.

Yea, we can actually auto-register the beta version with the Mac App Store receipt (a file the MAS puts on your Mac when you download the MAS version). This only works for the beta, not the normal stable build. This lets users who purchased the MAS version beta test without being nagged by the licensing of the application.

I know a few other applications do the same thing, but there's definitely no way to go the reverse direction (Website version to MAS) without repurchasing again.
 
Little late to the party, but I'm a big fan of this app!

Just started using it this year and worth every penny. I was looking for a program like this not only for my passwords/etc., but also for my graphic design customers. I have to store quite a bit of their information like control panel logins for their websites and vendors, as well as credit card information. There are of course several ways of keeping this type of information and keeping it secure, nothing was quite as easy as 1Password.

I searched for several options, but found this to be the best cross platform option. Not to mention, they've been around for a while with a great reputation and that makes the price well worth admission. Sure you can buy a cheap safe, but what's the point if it's not as secure or comes with a history of trustworthiness. Not to mention it was a tax write off anyway.

As an aside, I have found this very useful for remembering my not so often used login/passwords too! Like that site you login once a year and always forget your login/password and have to reset. Not anymore.
 
Holy crap. Seriously? The clipboard? Surely the whole concept of amazing security goes right out the window when I'm in Chrome or whatever app with my password in the clipboard?

[Disclosure: I work for AgileBits, the makers of 1Password]

You are absolutely correct that a malicious app running in background on your iOS device can read the system pasteboard. I'm sure that you've heard this before, but I feel obliged to repeat it. Apple's curation of the iTunes store doesn't entirely eliminate the availability of malicious apps, as some do get through. But they are rare, and you should exercise some caution in what you install.

With that (obligatory) blurb said, this is a really difficult problem for us.
iOS's strict sandboxing is, in general, a great thing for security, but in this case it forces us to communicate with other apps via the clipboard. It is an example of a trade-off of security in one thing versus security in another. This is a major reason why we have a web browser built into 1Password, so that the circumstances in which you need to copy/paste are limited.

If you really want to avoid sending these high value passwords across the clipboard, you could generate "pronounceable" or Diceware-like passwords for those services, which should be easier to transcribe and type in. Using these kinds of password will make it easier for your brain to be a substitute for the clipboard.
 
In the case where I need a password that can't be autofilled on a device that does not have 1Password installed, I look up the required password in 1Password on my iPhone and hand type it in.

This is why I don't use any password managers. I tried but was doing this constantly and it's just not sustainable.

Yes, I KNOW I'm being less safe, but I just couldn't put up with it.
 
Undoubtedly 1Password is a great app, and I liked it when I used the trial. However, I'm now using LastPass. The main reason for this is I felt that 1Password did a poor job of form filling, specifically because I'm in the UK, and our address fields are rather different from the US. 1Password tends to be quite US centric.

[Disclosure: I work for AgileBits, the makers of 1Password]

I'm not sure when you last tried 1Password, but form filling is something that we are always tinkering with and improving. There was, quite a while ago, a problem with date handling in early versions of 1Password 3 and perhaps you were testing then, or perhaps 1Password failed on the particular forms you encountered.

Several of us at AgileBits live in the UK, many of us are Canadian, and there are a few scattered around Germany and the Netherlands. I'm among the substantial US contingent, though perhaps my European affectations make me more of a "rootless cosmopolitan". I've lived in enough places that I have no idea of how to write dates any more. I always spell out the month.

Anyway, if you would like to give 1Password a try again please contact support at AgileBits about arranging for a new trial period. I would also like to ask you to report pages that don't fill properly.
 
This [cases where one needs to read passwords from a password manager and manually typing them in] is why I don't use any password managers.

[Disclosure: I work for AgileBits, the makers of 1Password]

There are a handful of passwords that I typically do need to type in for which there is no way for 1Password to type them for me. My Apple ID password is one of these.

What I do and recommend in these cases, is to use passwords generated as "pronounceable" from 1Password's Strong Password Generator. This will get you passwords like, "yof-new-wak-da". These are easier to transcribe and type. If you replace the hyphens with spaces, then you would have "yof new wak da" which can be typed easily on an iPhone keyboard.

You can also use the memorable (and typeable) password scheme described in Toward Better Master Passwords.

Anyway, you need to find a solution that works for you. Whether the mitigating solutions I've outlined here will work for you is a question only you can answer. But as you are not alone in facing this problem, I thought it would be useful for me to mention these.

Best of wishes for whatever you choose.
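The "pronounceable" and random-word (Diceware-like) schemes discussed in this thread, as an added example that is not part of the original post and is not 1Password's generator: it draws every unit with a CSPRNG and works out how many units a target strength needs. The consonant-vowel-consonant syllable alphabet, the function names and the eight-word sample list are assumptions made for illustration; 7776 is the size of a standard Diceware list.

```python
import math
import secrets

# Assumed syllable alphabet (consonant-vowel-consonant); not 1Password's scheme.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                       # 5 letters
DICEWARE_SIZE = 7776                   # 6**5 entries in a standard Diceware list

# Constructed sample list, far too small for real use (3 bits per word).
SAMPLE_WORDS = ["anchor", "basil", "copper", "drift",
                "ember", "fable", "garnet", "harbor"]


def pronounceable(syllables, sep="-"):
    """Return `syllables` uniformly random CVC syllables joined by `sep`."""
    if syllables < 1:
        raise ValueError("need at least one syllable")
    parts = [
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(syllables)
    ]
    return sep.join(parts)


def random_words(wordlist, count, sep=" "):
    """Return `count` words drawn uniformly, with replacement, from `wordlist`."""
    if len(set(wordlist)) != len(wordlist):
        # Duplicates skew the draw, so the entropy estimate would be too high.
        raise ValueError("wordlist contains duplicates")
    if count < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def syllable_bits():
    """Entropy of one CVC syllable: log2(21 * 5 * 21), about 11.1 bits."""
    return math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))


def word_bits(wordlist_size):
    """Entropy of one word drawn uniformly from a list of the given size."""
    return math.log2(wordlist_size)


def units_needed(target_bits, bits_per_unit):
    """Smallest number of syllables or words that reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_unit)


def report(target_bits=64):
    """Units required per scheme. The figures hold only because every unit is
    picked by the generator; a phrase a person makes up gets no such bound."""
    return {
        "syllables": units_needed(target_bits, syllable_bits()),
        "diceware_words": units_needed(target_bits, word_bits(DICEWARE_SIZE)),
        "sample_list_words": units_needed(target_bits, word_bits(len(SAMPLE_WORDS))),
    }


if __name__ == "__main__":
    print(pronounceable(4))            # hyphenated, easy to read aloud
    print(pronounceable(4, sep=" "))   # spaces are easier on a phone keyboard
    print(random_words(SAMPLE_WORDS, 5))
    print(report(64))
```

The separator adds no entropy, so swapping hyphens for spaces changes only how easy the password is to type.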
 
4.2 updated for password

I'm still waiting for the update to show up in the Mac store. Is anyone else having that issue? My current version is 4.1.2 and I'm hoping I won't have to pay for the update.
 
I'm still waiting for the update to show up in the Mac store. Is anyone else having that issue? My current version is 4.1.2 and I'm hoping I won't have to pay for the update.

We don't release the website version and Mac App Store version at the same time. Some developers do this, but we've found that due to review times, releasing the website version we are able to fix any bugs that might reach the MAS version before it's approved.

This is what actually happened here. Normally we don't have issues, but this release actually shows a good reason why it works well.

We released the website version earlier this week. A couple of users found a bug with regard to syncing. We'll be pushing a new update to the website version soon. Edit: In this case the bug just disables syncing

The Mac App Store version was in review, we've rejected it ourselves and will be submitting another version (probably 4.2.2) around the same time we release the new website version.

I know that our MAS using customers hate being behind the curve, but the alternative here was that you had a bug get into the release and it takes another 5 days to get a new version approved in the MAS to fix.

We can update the website faster, but we're reliant on Apple to approve the updates on the Mac App Store and as such if we can find and fix things before they ever reach the Mac App Store we'll be giving our MAS customers a better experience.

Please accept my apologies for the delay, it'll be in there as soon as we can get it approved by Apple.
 
That's awesome!

This isn't actually available. I had replied but probably should've been a bit more clear in it.

There is no way for us to interact with other applications and fill in other browsers at this time. Sorry!

It's a very difficult problem. We're hopeful that eventually Apple will allow for these types of interactions between applications, but until then we are not able to fill into Mobile Safari or other applications.

You can however have 1Password open the link in Safari and you can then fill the username and password in manually, or via copy and paste if you wish.

A neat trick, if you're on a page and need to login, edit the URL and add an "op" in front of the http:// so you get ophttp://

This will open 1Password and go to the page. You can then fill in using our built in browser that way.
 
Just started using it this year and worth every penny. I was looking for a program like this not only for my passwords/etc., but also for my graphic design customers. I have to store quite a bit of their information like control panel logins for their websites and vendors, as well as credit card information.

Same here. I have one 'wallet' with over 500 entries, and a couple of others approaching 100. I'm using an app called PasswordWallet, which I've also found to be very easy to use. Exactly, worth every penny and then some!

One thing I would recommend for a business, though, is to have a plan in case something happens to you. For example, I have a business partner (different companies, but we've worked on projects together for years). He gets a copy of the files periodically, and I have instructions left that should something happen to me, he gets the passwords and some instructions on how to help clients get them. I think one of the 1Password devs said something similar earlier on in the thread that he has this in his will or something.

----------

This is why I don't use any password managers. I tried but was doing this constantly and it's just not sustainable.

Yes, I KNOW I'm being less safe, but I just couldn't put up with it.

I guess I'm trying to figure out what the alternative is. Less safe? I'd think it would have to be extremely unsafe. Unless you have some kind of gifting in memory, you're using simple passwords, or using the same ones in many places, or both.
 
Didn't read the whole thread, but are they ever gonna update the iOS app to iOS 7? Looks really outdated with iOS 6 keyboard and UI. I stopped using the app on both my iPhone and iPad.
 
I can't remember all the different passwords I use on each site I am a member of or do transactions with etc. And having a program on my computer, iPad or iPhone is much better and more secure (in my mind) than having unsecured text notes with the passwords on them. The program ensures that I can have hard to hack passwords and security of storage and use, without the hassle of trying to memorize numerous passwords that are 12 characters long (with numbers, letters, and symbols).
This is why people get hacked. They'd rather use tools than their own memory. If you think of a mnemonic it's easy. My password is a string of all character types mixed together and sometimes easy to remember characters take the place of letters.

NOTHING is safer than your mind.

There is no need for more than 3 passwords.

1 throw away password for forums etc

1 "secure" password for stuff that you hope wouldn't get hacked but not the end of the world if it does

1 password that is unhackable [sic] (this is the password that requires good memory). + you add Google authenticator + email authorization.
 
This is why people get hacked. They'd rather use tools than their own memory. If you think of a mnemonic it's easy. My password is a string of all character types mixed together and sometimes easy to remember characters take the place of letters.

NOTHING is safer than your mind.

There is no need for more than 3 passwords.

1 throw away password for forums etc

1 "secure" password for stuff that you hope wouldn't get hacked but not the end of the world if it does

1 password that is unhackable [sic] (this is the password that requires good memory). + you add Google authenticator + email authorization.
I believe in having a different password for each registered site I use. As such, there is no way for me to remember all of the different passwords. You disagree on my modus operandi and that is fine. But, I contend that using the method I do does not put me at any more risk than someone else, including yourself.
 
This is why people get hacked. They'd rather use tools than their own memory. If you think of a mnemonic it's easy. My password is a string of all character types mixed together and sometimes easy to remember characters take the place of letters.

NOTHING is safer than your mind.

There is no need for more than 3 passwords.

1 throw away password for forums etc

1 "secure" password for stuff that you hope wouldn't get hacked but not the end of the world if it does

1 password that is unhackable [sic] (this is the password that requires good memory). + you add Google authenticator + email authorization.

Wow, I don't wish bad on anyone, but it's going to be a totally deserved karmic retribution when you get hacked majorly.
 
Wow, I don't wish bad on anyone, but it's going to be a totally deserved karmic retribution when you get hacked majorly.

Ultimately yes the NSA could hack you and me regardless of any system we use.

There's nothing I have that I really care about getting hacked. My credit card companies and banks etc would know whether it's me spending my money or me getting hacked.

Anything I actually worry about I cannot access unless I visit in person so I don't know what better security there is than actually having to be there in person or family via power of attorney. If you know it, please let me know.
 
Ultimately yes the NSA could hack you and me regardless of any system we use.

I'm not going to get in an argument with you. Not to be a jerk, but if you think your system is in any way secure, you don't understand enough to even discuss this intelligently.

There's nothing I have that I really care about getting hacked. My credit card companies and banks etc would know whether it's me spending my money or me getting hacked.
Good luck with that, I guess.
 
Kyle, forgive me if I'm wrong, but I am currently using the latest iOS beta (4.5) and in settings I am allowed to change the "User Agent". See the attached pics. Essentially, this changes the browser "engine" but still needs to be within 1Password due to Apple's "sandboxing" regulations?

Personally, with the 5S, I've 'laxed 1Password's security (concealing password, times, etc), so that I do not have to enter my password in repeatedly if I am simply copying a password for a site login via Safari. Most of the time, sites simply use the same email address, since only the passwords differ, multi-tasking over to 1Password, copying the login password then pasting it back into Safari isn't a "rough go". Using Keychain Syncing (for the life of me I do not know why Apple removed that and System Preferences, Dock syncing and iDisk during the move from .Mac to MobileMe), I can have iCloud store my passwords as well.

You might want to take down those screenshots, you're violating the beta rules not to share screenshots with the public.

As for the user agent, no, changing the browser's agent doesn't change its engine. What is happening is that 1Browser will appear to the website as Chrome if you select Chrome as the agent but it's still using Mobile Safari's engine on iOS.

Even if you change it to Safari, Firefox, Internet Explorer, it doesn't change its engine at all, it just means it'll appear to the site as one of those browsers.

The main reason 1Browser has this is because silly web designers hardcode their web sites to only work for a specific browser, but in reality, any modern browser should support the same way.

Safari has the same thing if you enable its develop menu in the Advanced Preferences.

 
I input some of the passwords from that list into 1Password and it claims the password strength is good! How am I to trust 1Password then?

Good is not "good enough" then! Let the passwords be created by 1Password itself. And read the article that I linked: current password cracking schemes rely on "existing words + permutations" - even combination of (common) words up to some degree, or existing complete sentences (e.g. coming from the Bible etc.).

I prefer to have memorable, non-random passwords for certain logins. 1Password suggests a long string of words for the Master Password. Are these long strings really so vulnerable to cracking?

Now what all those "password cracking" scenarios have in common: they ALREADY HAVE ACCESS to your ENCRYPTED PASSWORD! E.g. they have stolen thousands of millions of user account data from some web forum (such as this one!) and now they have all the time in the world (well, almost) to let their algorithms run on them.

In case of 1Password: that encrypted Master Password is either

a) locally on your computer
b) locally on your mobile device (phone, tablet, ...)
c) in the cloud (huh!)

Personally I don't do c), so in my case they would have to 1. steal my computer and 2. unlock my user account (guess my account password). That admittedly wouldn't be too hard, but they'd need PHYSICAL ACCESS to my device. Much less likely than my (encrypted) password being stolen "somewhere from the Internet".

Still, I use a rather complicated "Master Password"...

----------

i.e. generate a password of real words, using a user defined amount of letters per word, and total words?

Totally NOT secure! You MUST read

http://arstechnica.com/security/201...eling-the-next-frontier-of-password-cracking/

to figure out why!

----------

Clearly you are unaware of this:
[Image]

Now this is an absolute classic - EVERYONE knows that since YEARS!

It makes a joke about sys admins forcing their users to use "secure passwords" by having to change them every N weeks, not re-using older passwords, use at least a digit, symbol, alphanumeric and whatnot...

So what this "joke" is trying to imply might seem secure - and it was more secure YEARS ago - but read again the link that I gave and it will become INSTANTLY CLEAR that this method is ABSOLUTELY NOT SAFE ANYMORE these days!

So CLEARLY I am aware of this, and the fact that you're trying to imply that I did not know that comic shows that you did not BOTHER to read the Ars article about current password cracking schemes! Otherwise you would NOT be trying to imply that choosing REAL WORLD combinations would be secure!

By the way, the image you posted is from an XKCD comic, so if you would be so kind then also quote the ORIGINAL please!

http://xkcd.com/936/

Fixed that for you, Sir.
 

That article isn't about random word passwords, that's about passphrases, which are a horrible idea. Random word passwords are still extremely secure.


So what this "joke" is trying to imply might seem secure - and it was more secure YEARS ago - but read again the link that I gave and it will become INSTANTLY CLEAR that this method is ABSOLUTELY NOT SAFE ANYMORE these days!

False, for the same reason as above.
 
Wifi sync between desktops is actually pretty tricky. I'll certainly note your request for this and pass it along to our developers.

I think it has been discussed in your forums already, and the consensus was IIRC that "as soon as Wifi sync between mobile - desktop was working, then we tackle Wifi sync between desktops".

It's not like I don't trust Dropbox or Apple - but with all this valuable data they become more and more a desirable target for hackers I am afraid.

(And I don't trust my Master Password to hold very long against an automated attack, even though it is still pretty long ;))

So I am trying to minimise the risks and NOT putting out my password keychain "out there".

Have you looked into using folder sync? This is how I have mine setup. I share a folder on my server (just a Mac Mini) and folder sync to that folder. Then each computer can simply be setup to log in to that shared folder and sync to it.

Also works with NAS devices.

That's exactly how I do it ;) Unfortunately that wakes up my NAS (which is "sleeping" most of the time) each time I log in to my Mac (OS X seems to remember the login credentials when 1Password accesses that shared folder location, which is great) - but I don't change/add my passwords that often, so an explicit "Wifi sync" once in a while would fit better in my use case.

Thanks for your reply :)
 