1Password Blog

Tips and tricks for setting up 1Password on your new Android device

Michael Verde — Tue, 24 Dec 2019

Lucky enough to have found a new Android device under the tree this Christmas? Here’s how to set it up so you can take it for a spin.

I recently upgraded to a Pixel 4 XL, and I have a few tips and tricks to share for getting your shiny new phone up and running with 1Password.

Let’s get started

First things first: if you don’t already have one, sign up for a 1Password account. 1Password for Android makes it quick and easy to sign up and set up your subscription through Google Play billing.

Take your time creating your Master Password. Your Master Password plays an important role in protecting your data, so you want to go with something that’s memorable to you, but unguessable to anyone else.

If you already have a 1Password account, scan your setup code to add your 1Password account to your new device.

The perfect setup

There are a few 1Password features I’d recommend enabling or tweaking as soon as you set up.

The first thing I’d suggest is getting 1Password to automatically check for any vulnerable passwords you have. This will help you identify any passwords that have been reused or included in a data breach, so you can replace them with something stronger.

Then, turn on both Autofill and Accessibility. These features allow you to get the most out of 1Password by detecting the appropriate Login item to auto-fill into apps and websites for you. No more tapping out long passwords. Just open and click!

Enable Biometric Unlock on your phone right away so you can unlock 1Password without typing in your Master Password. Just glance at your phone or tap your fingerprint to log in, and you’re ready to go.

Speaking of locking, you have the option to tweak those lock settings to your liking. Personally, I like to turn off “lock on exit” and instead choose to have 1Password lock automatically after two minutes of being idle. This allows me to open and flip between apps for short periods without having to repeatedly unlock 1Password.

With 1Password for Android 7.2 we added support for a system-wide Dark Theme. You can tell 1Password to use the Light Theme or Dark Theme exclusively, or you can do what I do and let 1Password follow the system default.

Download your other apps

Once 1Password is set up, you’re ready to start downloading and signing in to all of your other apps. If you’ve already had your Login items for your apps stored and saved in 1Password, Autofill takes care of filling those in for you. Just a click and you’re signed in!

And if you don’t have your credentials for an app already saved in 1Password? You can easily create a new Login item without ever having to leave the app. I love how much this speeds up the setup process, getting me to the fun parts much more quickly.

Did you get a brand new Android from Santa this year? Let us know about your favorite features on Google Play, Twitter, or the 1Password Forums.

Sign up for 30 days free!

If you want to try 1Password on your brand new Android device, sign up now for a 30-day free trial!

Try 1Password FREE

1Password X 1.17: New brain, new menu, and even more accessible

Sarah Brown — Wed, 04 Dec 2019

1Password X harnesses the power of your 1Password account to fill and save passwords, view and edit items, and more – all in your browser. And with today’s release, 1Password X gets even better! Here’s what’s new in 1Password X 1.17.

New Filling brain written in Rust

1Password’s filling brain is the technology responsible for autofilling your information. The brain analyzes webpages in the background so it can suggest relevant items to fill in the available fields.

In 1Password X 1.17, we’ve completely rewritten the brain in Rust and WebAssembly. Rust gives us a boost in both speed and portability - making it smarter, faster, and more embeddable in all our apps.

Not to get too technical on you, but we’re now using Rust libraries to power many parts of the extension, including all Markdown parsing and time-based one-time password (TOTP) generation. By taking advantage of Rust’s ability to compile to WebAssembly, we can now share this implementation across all of our apps.

The inline menu gives you autofill suggestions as you browse the web, and now it’s faster than ever. With a single click, you can use “Hide on this page” to stop the inline icon and menu from appearing on specific pages. When you’re ready for it to show up again, just restart your browser.

We also make things easier for people with multiple Google accounts. When signing in to Google, all Login items with a matching username are automatically sorted to the top.

Accessibility

We want everyone to be able to access their accounts with ease. That’s why we followed the web accessibility spec defined by WAI-ARIA, the Accessible Rich Internet Applications Suite when we rewrote the inline menu. WAI-ARIA works to establish the best way to create web content and web applications to make them more accessible to people with disabilities.

Here are the accessibility improvements in 1Password X:

List item selector. Use your keyboard to open the item list selector from anywhere within the pop-up.
Screen reader support. We let screen readers know 1Password is available by stating “1Password menu available. Press the down arrow key to select,” when focusing in a field, selecting items, or changing the list type.
List navigation. Easily navigate the item list and item list selector using your keyboard. For example, pressing “Home” will select the first item in the list.
Type-ahead support. Both lists now support type-ahead, which allows you to start typing in the field and see the suggested items pop up for selection.

Get the update today

If you’re a 1Password X user, you already have this update. Open your browser and enjoy!

If you’re new to 1Password X, you can download and install it from the Chrome Web Store (supports Chrome, Chromium, Brave, Vivaldi, Opera, and Microsoft Edge) or the Firefox Add-ons Gallery, where we are one of Mozilla’s Recommended Extensions.

You can also join our beta to be the first to enjoy new features as we add them. We have a lot more exciting features in the works, and we can’t wait to share them with you.

Sign up for 30 days free!

To take 1Password X for a spin and see if it fits your workflow, sign up for a free 30-day trial of 1Password today.

Try 1Password FREE

1Password SCIM bridge now available on the DigitalOcean Marketplace

Jeff Shiner — Fri, 29 Nov 2019

I’m excited to announce that you can now install the 1Password SCIM bridge from the DigitalOcean Marketplace! The SCIM bridge makes it simple to automate many common administrative tasks in 1Password Business while keeping your account keys within your control.

This one-click install makes it easy to manage your team and control your 1Password account using the enterprise identity provider you’re already familiar with. Give your administrators a central place to:

Create users and groups, including automated account confirmation
Grant and revoke access to groups
Suspend deprovisioned users

Get started with just a click

We’re thrilled to partner with DigitalOcean. They make it easy to run and scale your applications, services, and environments in the cloud. Our one-click application allows you to quickly set up and deploy the SCIM bridge to a cluster in your environment. The SCIM bridge uses the same security as the rest of 1Password, so the encryption keys for your account are only available to you and no one else.

The 1Password SCIM bridge provides a SCIM 2.0-compatible web service that accepts OAuth bearer tokens for authentication, so you can use it with both Azure Active Directory and Okta.

“Having the SCIM bridge available as a one-click install from DigitalOcean opens up this feature to all businesses regardless of their internal IT setup. This means that more companies get to take advantage of the SCIM bridge’s incredible capabilities!” – Connor Hicks

Get down to business

Your business already has access, password, and security policies in place, and rolling out 1Password with the SCIM bridge makes it easy to automate and enforce them. And now with 1Password Advanced Protection you can do even more!

1Password Advanced Protection gives you the ability to create Master Password requirements, set up required two-factor authentication, create firewall rules, require up-to-date apps, and even monitor sign-in attempts. The SCIM Bridge and 1Password Advanced Protection work together to make your account a breeze to administer.

If you’re a 1Password Business administrator, take advantage of the power that the SCIM bridge has to offer and install it from the DigitalOcean Marketplace today. For more information, contact the 1Password Business team or get started on your own.

From Black Friday to seasonal travel: how to stay safe over the holidays

Sarah Brown — Wed, 27 Nov 2019

‘Tis the season for travel, shopping, and family visits, and this tends to leave us busy and distracted. Scammers and crooks like to take advantage of this, so here are some tips for staying safe and merry over the holidays.

The holiday season brings a drastic increase in emails. Phishing scams are a favorite of cybercriminals, and the lasting popularity of online shopping has made email phishing even more effective. Be wary of emails with attachments like fake receipts or invoices. These files can expose your computer and account to malware, keyloggers, and ransomware when you open the attachment.

Malicious links like false purchase verifications or shipping notifications offer prime opportunities for hackers to steal your login credentials. And if you’ve reused those login credentials on multiple sites, your other accounts may be vulnerable.

Secure your wallet when shopping

Online shopping saves time during the busy holiday season. But the price for this convenience could be increased risk. It may be tempting to save your credit card information on a site for easy access, but not all websites are created equal when it comes to security.

Use 1Password to securely store everything you need to make a purchase, from the expiration date to the CCV number on the back of the card. When it’s time to check out, it only takes one click to fill everything you need. 1Password also protects you by checking the url before suggesting items to autofill. If the item you’re expecting to see isn’t suggested, double-check the url to make sure you haven’t been sent to Amaz0n.com instead of Amazon.com.

The best way to stay safe is to use a unique password for every site. After all, the more often a password is reused, the more likely it is to be compromised or stolen. Use Watchtower to check for weak or reused passwords, then use the strong password generator to replace them with strong, unique ones.

Keep your family safe and connected

The holidays can be hectic, and you may need your partner’s credit card details to buy a last-minute gift. Or you need to know which flight your grandparents are on so you can meet them at the airport. And if you’re the one traveling, you may need your parents’ new Wi-Fi password to survive the week.

Help your family practice smart online security and share passwords securely with a 1Password Families account. With a shared vault, you can quickly and safely share passwords for things like Netflix, bank accounts, Wi-Fi routers, and more. This holiday season, give your loved ones the tools they need to stay safe online without taking away their independence.

Get organized before you hit the road

Whether you’re traveling to visit family or just escaping the snow this holiday season, the contents of your devices need just as much protection as the items in your suitcase. When planning for a trip, take the time to store any critical information you’ll need in 1Password. You can save details like emergency contact information for your airline, the code for your hotel safe, travel insurance details, and even copies of your passport.

Before you head to the airport, turn on Travel Mode for your 1Password account. This protects all the information in your account when you cross borders by temporarily removing it from your devices. When you reach your destination, turn off Travel Mode to restore your data.

Turn on two-factor for all accounts

Add an extra layer of protection to your accounts with two-factor authentication. With two-factor authentication enabled, even someone who learns your password won’t be able to access your account.

1Password can even take care of any one-time password needs for you, so you don’t need to wait for an SMS message or use an additional app.

And if you haven’t already, now’s a great time to turn on two-factor authentication for your 1Password account.

Get started with 1Password Families

Protect your personal information and passwords from things that go bump in the night. Try 1Password Families free for 30 days.

Start your free trial

CEOs, take action: how to defend your business from CEO fraud

Jeff Shiner — Wed, 20 Nov 2019

CEO fraud is a simple scam that has cost businesses USD$26 billion worldwide since 2016, according to the FBI. We’re calling for CEOs to step up to protect their business. All it takes is a conversation.

What is CEO fraud?

1Password (like many others) have experienced a recent spate of phishing attempts. The team received emails from an attacker pretending to be me, asking for personal information. Although the scam wasn’t successful at 1Password, businesses all over the world have been less fortunate.

CEO fraud is a form of BEC (Business Email Compromise). An attacker spoofs the email address of the CEO or poses as them in an email. In the message, they ask an employee to transfer money to an account they control, or to provide personal or financial information.

Often, the message will invoke a sense of urgency and put pressure on employees to act quickly. Here’s a real example that resulted in USD$8million going missing.

“Hey, the deal is done. Please wire USD$8 million to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks.”

If employees are in the middle of an important deal or eager to impress you, it’s easy to see how something like this could catch them off guard.

CEO fraud comes in different forms

In the example above, the email came from the CEO’s spoofed email address, and the attacker knew that a real deal was underway.

Often, this type of attack will have a different reply-to address, tricking an unwitting member of staff into sending valuable information to the person running the fraud. In some cases, the domain is just one or two characters different from the real company email address.

Other attacks have been successful using just the name of the CEO. The email comes from a generic email address (Gmail, Yahoo, and so on.), set up to look like the personal email of the CEO. Although the scam has many guises, it is essentially the same. A member of staff receives an email, signed by someone important, asking for something valuable.

60% of emails involved in BEC scams don’t contain a link, so it’s difficult for security systems to detect them. Your team is your best defense. Everyone needs to be on the alert, but finance, HR, and executives are the most likely targets.

It’s for time CEOs to take action

We’re campaigning to raise awareness of CEO fraud in a bid to tackle it head-on, and we’re calling for CEOs to commit to doing the same. Your authority and influence have the power to really make a difference here.

You need to have a conversation with your employees. Let them know that you will never ask them to make a payment or to send personal information over email. When your employees are armed with the knowledge of how to spot and stop fraud, they’re much less likely to be manipulated into complying.

To help, we’ve put together a template to send your employees or use to guide meetings with your teams.

Dear team,

To tighten our security and protect our business, I’m writing to you to highlight a scam that’s costing businesses billions: CEO fraud.

We, as a team, are our best line of defense against such attacks, so please take a moment to read this carefully.

What is CEO fraud?

CEO fraud is when an attacker impersonates the CEO or another high-level executive via email to request either a payment or the transmission of personal or financial information. The email may come from my company email address, an email address very similar to mine, or one that looks like a personal email. For example, CEO fraud could come from an email address like this:

- ceoname@companydomain.com

- ceoname@companyname1.com

- ceoname@gmail.com

Example CEO fraud emails

“Please pay USD$10,000 to this account to finalize the deal I’ve been working on. This needs to be done by the end of the day. Thank you for your help.”

“I’ve forgotten the password and have been locked out of our banking system. Please send me the password ASAP as I need to close a deal today.”

What you can do about it

If you get an email from myself or someone else in the company asking you to make a payment or send confidential information, question it. If you are unsure, ask the person who sent it either in person (if possible) or via another channel (phone, instant messenger) if the email is legitimate.

Report anything suspicious to [name] [email@domain.com].

Most importantly, I will never ask you for the following in an email:

For you to make a payment

Your own or company payment details (credit card numbers, bank details, and so on.)

Passwords, verification codes, or secret answers

Personally identifiable information (phone number, personal email address, date of birth)

To follow a link to sign in to a bank account

For you to purchase iTunes or Google Play gift cards

If you ever get an email like this from me, report it immediately.

Thank you for your support in securing our business and protecting our employees.

Regards

[CEO name]

Make it a company-wide effort

CEOs are valuable targets, and it’s vital that they lead the charge against this scam. But they’re not the only people in your organization vulnerable to Business Email Compromise. It could happen to anyone.

To defend against this fraud in all its forms, make it company policy to never ask for this type of information in an email and provide training on the subject as part of your onboarding process. That way you’ll be protecting your employees from day one.

91% of all cyberattacks start with phishing, so although the focus is on spotting suspicious emails, it’s also a good time to go over the basics of spotting all types of phishing with your team.

When employees feel confident and empowered when it comes to security, they’re more likely to make better decisions and spot scams. Remind them of the following good email security practices:

Always question the legitimacy of any email. If something feels suspicious double-check with the sender. Ideally, check in person. If you can’t, call or instant message them.
Never reply to a request for personal information (for example, your Social Security number, phone number, home address) via email.
Never send payment details, bank details, or passwords in an email. If someone sends you a link that takes you to a login screen, go to the website some other way (for example, via Google search, or by typing in the URL).
Always scrutinize the email address of the sender, links, any URL you are directed to or attachments you weren’t expecting.
Be especially cautious of emails that trigger a warning banner or message.

We hope that you will join us in raising awareness of CEO fraud and Business Email Compromise. The more we talk about it, the less effective it becomes. All it takes is a quick email, or better yet, a training session, to equip your team with the knowledge they need to stop this underhanded scheme in its tracks.

1Password partners with Accel for continued growth

Dave Teare — Thu, 14 Nov 2019

I wanted to be the first one to tell you: I’m incredibly proud to announce that we’ve partnered with Accel to help 1Password continue the amazing growth and success we’ve seen over the past 14 years. Accel will be investing USD$200 million for a minority stake in 1Password. Along with the investment – their largest initial investment in their 35-year history – Accel brings the experience and expertise we need to grow further and faster.

1Password is a completely bootstrapped company that’s never taken a dime of outside investment, so this announcement may surprise some of you. We’ve built the most-loved password manager and a world-class company, all while remaining profitable during our entire history. So why, after 14 years of self-funding, are we now partnering with Accel? That’s a great question. To answer it, let’s visit our founding heroes where it all began.

We’ve come so far

When Roustem and I founded 1Password in 2005, we were trying to solve a simple problem. We were developing a lot of websites, and filling out forms to test them was time-consuming. We started a one-month passion project so we could get our work done more quickly. We thought others might enjoy this as well, so on May 19, 2006, we uploaded the first version of “1Passwd” to MacUpdate and VersionTracker.

We were surprised by how many people loved it. Folks immediately began providing feedback, and we incorporated a lot of it into new releases, which led to more feedback which led to more late-night coding sessions. It was an incredible virtuous cycle. 🥰

Since then, 1Password has become more successful than we ever dreamed. It’s been humbling to watch as we’ve crossed one milestone after another. I still remember with fondness hiring our first employee, planning our first AGConf, recruiting my friend as CEO, opening our first office, and acquiring our first enterprise customer with over 300,000 employees.

In fact, millions of people use 1Password every day, including hundreds of thousands of families. And we have over 50,000 (fifty thousand!) paying business customers, like Basecamp, Slack, and IBM – with employees who actually enjoy using 1Password.

Being able to include IBM in that list is especially meaningful to me because I started my career at IBM as an intern in 1998, and they helped me create some of the best memories of my life.

We’ve stayed true to our values

With all that growth, I’m proud that the company I co-founded still reflects our core values. In fact, they’ve gotten stronger. We’ve been able to grow our team to turn our values into reality faster than Roustem and I ever could have on our own.

Privacy. We’ve always believed that privacy is a human right, and that’s why 1Password doesn’t have ads or track you. We even have a dedicated Privacy Officer who has the authority to make sure this never changes.
Security. Everyone deserves to be safe online, so we created the most modern security design to protect your data. Our expanded security team was able to complete our SOC2 certification and offer the highest bug bounty on BugCrowd.
Love. Love is an unexpected company value, but we mean it. We poured our heart and soul into 1Password every day for the last 14 years to give customers like you the love you deserve.

By growing our team we were able to double down on what’s most important to us. We want to do more, and we’re ready to take the next step.

We’ve made a new friend

We’ve been turning down Venture Capital firms for as long as they’ve been courting us. We were profitable and didn’t see the value in partnering with someone else. It was fun to grow the company ourselves from 2 to 176, but just like when we hired our CEO, we’ve reached a point where we need expertise and guidance from those who’ve made this journey before.

Thankfully, over the past 6 years we built a friendship with Arun Mathew from Accel. Accel has a lot of experience growing sustainable, founder-led companies like ours. We’ve watched them partner with other companies and nurture the things that made those companies great in the first place, change the things that were holding them back, and – most importantly – know the difference between the two. 🙂

Our friend Arun will be joining our board of directors along with Roustem, Sara, Jeff, and myself. For years we wanted the benefit of having an outside perspective, and we’re thrilled to finally get it. Our relationship is a true partnership, not just an influx of cash. We’re not getting ready for an exit. We’re boarding a rocket ship.

We’re excited for the future

We have a whole list of things we want to do to make 1Password even better. With Accel at our side, we have an opportunity to execute on our vision at an even faster pace with the help of some really smart friends.

Privacy. Privacy is a human right. Our partnership with Accel helps ensure that we have the resources to not only stay at the forefront of the privacy landscape, but push the industry forward as well.
Security. Security is a process, not a product. 1Password already has the most modern security design, and Accel will help us take our processes, protections, and research to the next level.
Love. Love is what makes 1Password truly special. With Accel’s help, we’re going to triple down on providing the best user experience and the customer support you deserve. ❤️

It’s important to me that you see the parallels between this list and the one I showed you earlier. Our partnership with Accel doesn’t represent a change in direction. Our values are what make 1Password 1Password-y. They’ve guided us this far, and they’ll lead the way through the next 14 years and beyond. Partnering with Accel allows us to be more 1Password-y than ever.

Whether you joined us on our journey 14 years ago or 14 days ago, I want to offer you a heartfelt thanks. We wouldn’t have reached this point without you, and we’re honored to have you aboard this rocket ship with us. 🚀❤️

P.S. While writing this announcement, I was overwhelmed by so many wonderful memories that we created over the past 14 years. There were too many to include here so I wrote 14 years of growth: the 1Password story to share our founding story in more detail. 😘

Use the SCIM bridge and the command-line tool to automate 1Password Business

Connor Hicks — Wed, 13 Nov 2019

As a developer, I love getting different services to work together. Automating things gives me more time to focus on what matters and I want you to have that power, too. So, I’m going to show you how your business can use the 1Password command-line tool and 1Password SCIM bridge in perfect harmony to automate all sorts of administrative tasks. Let’s get to it.

Speed up specific tasks using the command-line tool

With 1Password Business, it’s simple for even the biggest, most complex enterprise to manage their account using the command-line tool. Just type a command to perform common administrative tasks like adding items, granting access to vaults, managing groups, and more — all in Terminal.

But what should you try first? Something we hear from a lot of large businesses is that it’s difficult to see and manage exactly who has access to what. The 1Password command-line makes it easy. I’ll show you.

To find out who has access to our Directors vault, I just type:

op list users --vault=Directors

Great! Now we have a list of people with direct access to the Directors vault. But while we’re here, we should check which groups have access, too. Use:

op list groups --vault=Directors

That gives us a list of groups with access to that vault. Now, we need to check who belongs to those groups. So, for each of the groups we got from the last command, we can do:

op list users --group=<group uuid>

And with just a bit of deduplication, we can see exactly who can use items from the Directors vault. It’s easy to script with the command-line tool, because the output is all JSON.

There’s so much you can do with the command-line tool, and we have lots of new features coming soon. Keep an eye on the blog for some exciting announcements.

Manage your whole team with the SCIM bridge

Automating specific tasks is great, but we know that managing multiple services and online accounts can be a headache for your business. Luckily, enterprise identity providers make it easier. They make sure that everyone in your company gets access to all the tools they need, without forcing you to manage each service individually.

If your business is using Okta or Azure Active Directory, SCIM integration makes provisioning employees in 1Password a breeze. Onboarding is seamless: 1Password automatically syncs your identity provider’s groups with the groups in your 1Password account, so everyone in the company has access to the credentials they need from the get-go. Revoking access is just as quick.

There are no complicated new systems for administrators to learn or time-consuming processes to implement — everything is managed from a single, central location. Oh, and the best part? It’s incredibly secure. All of this happens without ever sharing your account’s encryption keys, so you’re always in control of your data..

We’ve been working hard to make it simple to automate your 1Password account and we’ll continue to make more automations possible over the coming months. Give the 1Password command-line tool and SCIM bridge a try, and make sure to visit our discussion forums to let us know what you think!

Why 1Password excels on the new Surface Pro

Sarah Brown — Wed, 13 Nov 2019

Working remotely gives me the freedom to work from wherever I like: the couch, a coffee shop, a plane, or a hotel room. When I’m on the move, I need a device that’s both powerful and portable, so I often work from my iPad. And while I love my iPad, I’ve recently been thinking about changing it up.

I’ve spent a lot of time with our Windows team lately, hearing about the hard work they’ve put into 1Password for Windows, and it’s given me some food for thought. Now, I’m seriously considering swapping my iPad for a new Surface Pro. Here’s why.

Privacy-focused browsing

I’ve been using Edge on my Mac for a few months now, and I’ve been impressed by its performance and security features. Edge is faster, lighter-weight, and more secure than its predecessor, Internet Explorer. It’s the same browser I’ve come to know and love on my Mac, but feels even more intuitive on the Surface Pro.

And it’s only going to get better. The new Microsoft Edge, currently in beta, is built on the Chromium engine, giving it better compatibility with extensions and websites. The new version of Edge is more privacy-focused and includes features like tracking prevention and InPrivate mode, which keeps my searches and browsing safe.

Unlocking with ease

Working from a tablet rather than a laptop means I don’t always have my hands free to type my passwords easily. With Windows Hello, I can get straight back to work using biometric authentication to unlock my screen and open 1Password.

On the Surface Pro, to unlock 1Password, I just place my finger on the fingerprint sensor or glance at the camera, making it quick and easy to pick up where I left off.

Make it my way

I’m guilty of having too many applications, windows, and tabs open on my computer at any given time. It’s easy for something to get lost, often forcing me to click through everything to find what I need. It can be frustrating, especially when I’m in a rush.

The revamped keyboard shortcuts in 1Password 7 work great on the Surface Pro and put all my information at the tip of my fingers. I can customize or disable shortcuts as needed, so 1Password fits seamlessly with my workflow.

Keep it small

To keep clutter to a minimum, I love using 1Password mini and it feels right at home on the Surface Pro. I can quickly and easily access my information, without having the full-screen version of 1Password open. This comes in handy for filling in details on apps and websites that don’t have 1Password integration.

The 1Password mini on Windows even supports the Quick Copy menu, so I can quickly copy usernames, passwords or grab a one-time password. I just open 1Password mini and everything I need is ready. Best of all, when 1Password detects the use of two-factor authentication, it will automatically copy a one-time use password to the clipboard.

Are you using 1Password on a Surface Pro? We’d love to hear what your favorite features are! Drop us a line on Twitter or reach out on the 1Password Forums.

Sign up for 30 days free!

If you want to try 1Password on your Windows Surface Pro, sign up now for a 30 day free trial!

Try 1Password FREE

1Password + Pixel 4 + Android 10 = ❤️🔐

Michael Verde — Mon, 11 Nov 2019

I’ve been itching to write this post since the end of September, when we added support for Android’s newest biometric library in 1Password for Android. We’ve known for a while now that face unlock was arriving with the Pixel 4, and this update prepared 1Password for that eventuality. The only thing I was missing was the actual device so I could write about the experience firsthand.

Each year, I eagerly await the Made by Google event in October when Google shows off their latest and greatest hardware. It’s like Christmas come early for me, and this year was no exception. As soon as I was able to, I pre-ordered a Pixel 4 XL from my carrier and waited impatiently for it to arrive.

I’m happy to say that it arrived last week, and it was well worth the wait. I’ve since put 1Password through its paces on my new device, and here’s where we truly shine.

Pixel 4 XL, meet 1Password

Of course, the first thing I do whenever I get a new device is set up 1Password. As you might imagine, I use a long Master Password to secure my 1Password accounts, and this can be a bit of a pain to type on mobile. Fingerprint unlock has made it so much quicker for me to unlock 1Password and I’ve made heavy use of it over the past few years.

Face unlock takes it to the next level. It took only a moment to set up and now when I launch 1Password, the sequence of verifying my face and unlocking happens faster than me even thinking about moving my finger to that non-existent fingerprint sensor. In fact, after a week of using face unlock, the muscle memory is all but gone.

Face unlock everywhere

After setting up 1Password on my new Pixel 4 XL, the next order of business was to sign back in to all of my apps. Autofill with 1Password made this a breeze. And even though some of my favourite apps don’t yet support face authentication, 1Password covered for them quite nicely. I simply tapped on the Autofill with 1Password prompt to unlock with my face and sign in to the app.

Speaking of Autofill, the improvements that we’ve been making over the last couple of releases go well beyond the Pixel 4. Depending on which version of Android you’re running and which browser you prefer, you may be using our Autofill service, our Accessibility service, or a combination of the two. We’ve synced them up so that you get the same experience, no matter which one you happen to be using.

We’ve enhanced both services to support filling in Login details, even when those details are split across multiple screens. This includes filling in your TOTP codes for you, so you no longer have to bother with copying them to the clipboard. Our Autofill and Accessibility services also let you create new Login items when signing up for a new account.

Taken together, these changes make it so much easier to sign up for and sign in to apps and websites. No more flipping between apps.

Looks aren’t everything, but they certainly help

Not only does 1Password work great on the Pixel 4, but it looks great too! When Android 10 launched earlier this year, we dressed 1Password up for the occasion in new dark attire. I thought it looked good then, but I have to say that the 90Hz screen of my new Pixel makes Dark Theme truly shine. And Ambient EQ ensures that the colour and brightness are right for any environment. Now I just need to decide whether to commit to one theme or to continue switching between the two.

Did you recently snag your own Pixel 4? Be sure to let us know about your favourite features on Google Play, Twitter, or the 1Password Forums.

Sign up for 30 days free!

If you want to try 1Password on your Android device, sign up now for a 30-day free trial!

Try 1Password FREE

Security is a key focus in macOS Catalina

Sarah Brown — Fri, 01 Nov 2019

macOS Catalina launched earlier this month, and it’s chock full of fantastic new features. We’re thrilled to see the emphasis Apple has placed on user privacy and security in this latest release. I installed it on launch day and have been exploring the ins and outs ever since. Here’s what I was most excited to see — and what the 1Password team thinks you’ll love too.

Lock it up tight

Losing my laptop is one of my worst nightmares — all my photos, music, and writing gone in a flash. Sure, I keep backups of everything, but I don’t want anyone else getting their hands on my important information. Or my high school photos that prove I had no sense of style. That’s why the new Activation Lock feature is so incredible.

With the new security feature in place, no one can access your account even if they physically have your computer. So, if your laptop is stolen from a coffee shop, the only person who can erase and reactivate it is you. It gives you peace of mind and adds an additional layer of security to your data. Even if someone got their hands on your laptop, they’d still be completely locked out of everything.

Exploring Safari

I’ve always flip-flopped between browsers. But, no matter what, I’ve always gone back to Safari. It’s like an old reliable friend. And with new intuitive features like directing me to the right tab when I start typing an address of a website I already have open, I may never look back.

There’s a lot to love in the latest version of Apple’s web browser. The new start page makes it easy to jump right to my bookmarks and frequently visited websites. It even pulls in and displays links from iMessage, so I don’t have to scroll through weeks of messages just to find the chocolate bourbon cake recipe my sister shared with me.

Protection for macOS

To keep your Mac running smoothly, Catalina also introduces a new dedicated, read-only system volume to keep your operating system files safe and sound. It’s completely separate from all your other data, which means it can’t be accidentally overwritten.

Apple has also made it easier to use and develop hardware peripherals and sophisticated features without compromising on security. With DriverKit and user space system extensions, code for these programs runs separately from the operating system, just like any other app, so they won’t affect macOS if something goes wrong.

All of this means extra layers of protection for your critical operating system files — improving reliability and reducing the risk of unwelcome system failures.

Enhanced Gatekeeper

Even with the plethora of apps available from the Mac App Store, there are still some that need to be downloaded directly from the developer’s site. And if you’re anything like me, you may sometimes forget to verify how safe and secure it is.

Enhanced Gatekeeper checks every new app you install for any security issues before you run it for the first time. It will also periodically check that the app remains safe to use, for as long as it’s installed on your machine.

It was no small feat for our developers to get 1Password working seamlessly with Apple’s new operating system, but I’m so glad they did. With all of the impressive upgrades to 1Password 7 and the new exciting features of macOS Catalina, this combination is now my favorite way to browse the web safely.

1Password 7 is included with every 1Password membership, and has everything you need to organize and secure your digital life. Upgrade today to enjoy the best compatibility with macOS Catalina and all of our new features.

Have you downloaded macOS Catalina yet? Drop us a line on Twitter, we’d love to hear your what your favorite features are!

Sign up for 30 days free!

1Password works great on macOS Catalina. Start your free trial today to see for yourself!

Try 1Password FREE

Ghosts of passwords past: When old accounts come back to haunt you

Sarah Brown — Thu, 31 Oct 2019

If you’re reading this, you probably take your online security seriously — but was your past self as diligent? Most of us have been guilty at some point of reusing passwords or not making our passwords strong enough. But if you haven’t corrected those mistakes, your past just may come back to haunt you.

We’re going to help you clear out those virtual cobwebs and set you up to defend against any ghosts that may be trying to haunt your old accounts.

Here’s what you need to watch out for, and how to make sure all your accounts belong to the land of the living.

Ghost accounts

The Internet moves fast, and in our enthusiasm to try the latest and greatest, we often leave old sites behind. You might not ever have intended to “quit” Myspace or Ello exactly; you probably visited less and less over time, until it had been months, then years, since your last sign-in. Dormant accounts like these never really go anywhere — and they can come back to haunt you in a data breach.

Abandoned accounts are still full of personal and private information — everything from date of birth to credit card numbers — which leaves you vulnerable in the event of a data breach, like the one that happened to MySpace in 2013. Your email address, password, security questions, and personal identification information could be exposed and dumped on hacker forums or the dark web.

Go through and close any old accounts that you no longer use. But before you do, try to remove your address, phone number, and financial information and change it to dummy data. That way, even if the site doesn’t wholly purge old accounts, your data is safe in the event of a breach.

If you have older accounts that you don’t visit frequently but need to keep open, make sure you’ve updated your password to something strong and unique, and add it to 1Password anyway. You might not visit the site often, but if you store it in 1Password, Watchtower will alert you if the site is ever breached.

Resurrected email addresses

Abandoned email accounts have the potential to cause even more issues. If an old email address that you never check is listed as a recovery email for any of your current accounts, anyone with access to that email address could take full control of your other accounts by requesting a password reset.

And, if that old email account is listed as the recovery address for your current email account, the situation becomes even more serious, and could result in somebody taking complete control of your online life — from hijacking your social profiles and payment sites, to impersonating you to people you know.

This is a nightmare scenario, but it’s easily avoided. To keep your information safe, treat old email accounts with the same care that you’d treat your active ones — use a strong, unique password and two-factor authentication.

Somebody’s watching me

If you’ve ever received an email with your own password in the subject line, you’ll know these scams can be terrifying: the sender claims they’ve hacked your webcam, and have video evidence of you engaging in some rather…private acts. All you have to do, the scammer says, is send them some bitcoin, and they’ll go away. If you refuse, they’ll share the videos with everyone on your contact list.

This is known as a sextortion email, or email blackmail scam. Often, the scammer obtained that password from an old data breach from a completely different site. But, if you’re using that same password on your email account, it can cause a moment of panic.

You can safely ignore emails like this, but they serve as a good reminder to check Watchtower for any compromised passwords. If you find a password has been included in a data breach, and you’ve reused the same password on multiple sites, you’ll need to change it everywhere. This stops anybody from using that password to access your other accounts — or fooling you into thinking they can.

The doppelgänger

An attack or breach on one service may seem bad enough, but when a breach is announced that affects you, it’s worth keeping a close watch on your other accounts — especially if you’re in the public eye, or have a large social media presence.

Credentials obtained from one data breach can be used to attempt to log in to other services, and data from one breach can be combined with data from other breaches, potentially giving attackers enough information to impersonate you online.

Fun-size Halloween security tips

Use strong, unique passwords for every account
Delete old accounts where you can, and use strong passwords when you can’t
Use 1Password to generate random answers to your security questions
Turn on two-factor authentication where available
Never invite a vampire to your 1Password Families account, even as a guest 🧛‍

Have any password horror stories of your own? Share them with @1Password on Twitter! 👻

Get started with 1Password Families

Protect your personal information and passwords from things that go bump in the night. Try 1Password Families free for 30 days.

Start your free trial

1Password and Mozilla at The Glass Room exhibition

Cat Friend — Tue, 22 Oct 2019

Last week I was in San Francisco to attend the opening of The Glass Room, a pop-up event brought to you by Mozilla and 1Password. It’s designed to generate a global conversation about privacy and personal data, and invites us to explore how technology is shaping our lives and our interactions with the world.

Our belief in your right to privacy informs every decision we make at 1Password, from how we design our product to what events we get behind. We’re delighted to support an exhibition whose mission aligns so closely with ours, and help more people make informed decisions about their privacy and personal data.

Several fascinating pieces explore different aspects of technology and digital information. The space is divided into five thematic areas, all designed to shine a light on different aspects of digital technology: Deeply Personal, Invisible Labor, Trust in Us, Big Mother, and Open the Box. There’s even the Data Detox Bar, where you can find advice on how to take action to create a healthier digital life.

One of my favorite pieces allowed me to explore infographics that looked into the political spending on Facebook. Clearly a contentious subject, it tells a story of who may be targeting you, what messages they are using, and the scale they are doing it on. Seeing targeting this personalized makes you question quite a bit of the content you see on social media, and how it may be manipulating you.

Another exhibit I found interesting was what seemed from a distance to be an innocuous map. But, as I moved closer, it displayed my phone and all the data it was sharing with a rogue Wi-Fi antenna. And it wasn’t just my phone — it revealed all the devices in the area that were attempting to connect to what looked like free Wi-Fi.

There are over 50 pieces exploring privacy and how it affects everyday life. Technology is so prevalent in our lives, and it’s vital that we have an understanding of what information is out there and how it’s being used. If you’re in the Bay Area, stop by The Glass Room in San Francisco right on Market Street before the exhibit closes on November 3rd.

Mozilla has selected 1Password X as a Recommended Extension for Firefox

Andrew Beyer — Tue, 08 Oct 2019

Mozilla’s Recommended Extensions program rigorously vets Firefox extensions for quality and security. Out of thousands of extensions, fewer than 100 have been chosen, so we’re incredibly proud that 1Password X meets their high standards.

Third-party developers build extensions to add features and customise how your browser works. There are extensions for everything from ad blockers to coupon codes, translation to social sharing, and more. 1Password X brings the full functionality of 1Password into your browser, making it easy for you to sign in to sites, use suggested passwords, and find what you need in your account.

However, not all extensions are created equal. Downloading the wrong extension can pose a serious threat to your privacy and security. App add-ons and extensions require you to grant permission to read and even change your data on the websites that you visit, which gives them quite a bit of power.

With that level of access, a malicious extension that’s been granted access to your full browser could steal your data, track your movements, or capture and store your passwords — all without you even noticing.

In an effort to help discover and defend against rogue extensions, Mozilla launched their new Recommended Extensions initiative. The program was created to “foster a curated list of extensions that meet [their] highest standards of security, utility, and user experience.” Firefox users can feel good about installing these extensions because they know their information will be safe.

All Mozilla Recommend Extensions, including 1Password X, go through a standard, rigorous review process on AMO. When they invited us to join the program, we were asked to undergo an additional review by Mozilla’s editorial staff. This review was primarily concerned with the following:

Is the extension really good at what it does?
Does the extension offer an exceptional user experience?
Is the extension relevant to a general audience?
Is the extension safe?

We’re committed to keeping the quality of the 1Password X experience high, and pride ourselves on the level of security we offer. All the information you store in 1Password, no matter what app, extension, or browser you use, is encrypted and can only be accessed from a device you’ve already approved. Your data is yours, and only you have the keys to unlock it.

Sign up for 30 days free!

Want to try 1Password X in Firefox? Start your 1Password membership today and get your first 30 days free.

Try 1Password FREE

The Climate Fixathon: using tech to fight climate change

Cat Friend — Thu, 03 Oct 2019

At 1Password, we aim to make the online world a better, safer place. But climate change is the biggest threat to the future of our planet, and we want to make a difference there too. That’s why we chose to sponsor the Climate Fixathon.

The Climate Fixathon is the world’s first online hackathon for makers to help fix the climate. If you’re not familiar, a hackathon is a coding competition, usually held over a set period. People come together to test their skills to solve a particular problem or just create something great. The Climate Fixathon is a 4-week competition, held entirely online.

As someone who cares deeply about our planet, (last year, I embarked on a 24-day expedition for marine conservation) I was thrilled to be one of the judges. Reviewing and testing the 43 projects from across the globe was eye-opening. It was exciting to see the tech community come together to create websites, apps, and services that aim to help restore a safe climate for our planet. Technology is a powerful force for doing good.

There were three categories: Awareness, Action, and Facilitation. On offer was $1,500 for the winning team of each category. As you’d expect, the standard of entries was incredibly high across the board, but there were a few that impressed me in particular.

HQ→CO2 was chosen as the project that best raises awareness of climate breakdown. The website juxtaposes random pairs of images: the headquarters of high-emissions fossil fuel companies with places around the world affected by global warming. It was thought-provoking to see how the HQ pictures appear static and unchanging, while the picture alongside shows dynamic ecological breakdown.

Also recognised by the judges was Climate 365, an email service that repeatedly contacts those in power urging them to take action against climate change. Their tool for digital protest won the prize for Action. The prize for Facilitation was awarded to Trip to Carbon, a carbon footprint calculator with simple API that can be integrated into new and existing websites and products to raise awareness of climate change.

Another favourite of mine was the Arctic Calculator. You enter the distance travelled and it gives you the area of the Arctic circle you’re responsible for melting. Certainly difficult to ignore. Shift was another great website that everyone can use to make a difference. It tells when grid production in your area is at its least carbon-intense, so that you can time your household electricity consumption, like putting the washing machine on.

All exciting and impactful projects that are sure to inspire change. It’s certainly sparked some food for thought about how we do things at 1Password.

To learn more about all of the entries, visit the Climate Fixathon website. Perhaps it will inspire a project of your own! You can also find out more about my motivations for taking part in my judge’s interview.

Behind the scenes of Random but Memorable

Anna Eastick — Mon, 30 Sep 2019

It’s Random but Memorable’s first birthday, and while we’re already into the third season of our security advice podcast, it feels like just yesterday we released the first episode.

“Random but memorable” is good advice for creating a strong Master Password, but it also applies to the discussions Matt Davey, Michael Fey (Roo), and I have on the show. Each episode blends informative discussions with humor as we talk about what’s new in the world of security.

In this post, we’re giving you a peek behind the curtain at how our podcast comes together.

Planning and research

You can’t just wing it when recording a podcast. That’s how you get long tangents about where to find the best tacos in Toronto. Which, while informative, isn’t exactly the breaking security news we want to cover. That’s why we have a list of items we need to complete before we can sit down and record.

Each episode focuses on a single theme or security topic. Since our goal is to help our audience make the best security choices, we keep an eye on the hot topics in security and privacy. This not only gives our guests an idea of what to talk about, but it also helps keep Matt and Roo on task during the conversation.

Once we’ve selected a theme, we research the latest stories for our Watchtower Weekly segment and decide which hack we’ll be revisiting that episode.

Getting the perfect guest

We’ve been lucky to have a wide range of insightful and fun guests join us for the podcast, including Troy Hunt, Bruce Schneier, and Dr. Jessica Barker. We look for guests who are experts in their fields, have valuable insight to offer, or have knowledge of a specific topic we think our audience might find interesting.

We like to keep things informal, but we also want our guests to feel comfortable and prepared when they record their part. We send them a list of questions before recording, as well as a Random but Memorable guest checklist to give them hints and tips so recording goes as smoothly as possible.

Recording the show

With our hosts located in different cities and time zones, scheduling can be tricky. We use a Zoom audio conference to bridge the distance and record each episode. Each host records the session locally to capture the best sound.

Since a podcast relies on good audio, one of the most important things we’ve learned is how crucial it is to invest in a quality microphone. Matt and I both use Rode mics, while Roo favors an Audio Technica ATR2100.

Getting it ready to release

Editing the podcast is the most critical – and often challenging – part of the process. This is where I take a 90-minute recording and condense it down to a neat and clean 30-minute show.

I go through the content our hosts and guests have recorded and cut any content that’s not relevant, like unnecessary umms and aaahs that are inevitable during the course of a conversation. I also keep an ear out for any foul language slip-ups that need bleeping to keep the show family-friendly.

It’s also my responsibility to create the show notes that we share alongside the audio of each episode. These comprehensive notes are great for skimming over and referencing after listening. We often cover so much content in a single episode that this document can reach a double-digit page count.

Sending it out into the world

Once the final edit has been cut, we’re ready to release! New episodes are available every other Tuesday on all major podcast channels and apps. You can listen and subscribe to Random but Memorable on Overcast, Pocket Casts, or iTunes.

For listeners who don’t subscribe, links to new episodes are posted on all our social media channels. Sometimes we even do a giveaway, so be sure to follow on Facebook and Twitter!

Once the episode has gone live, we’re straight onto the next one, and the whole process starts over again!

If you’d like us to answer your question on the show, tweet us @1Password using the hashtag #ask1Password.

If you love listening, please rate us or leave us a review on iTunes. Your feedback and suggestions mean the world to us.

1Password 7.4 on iOS 13: Dark Mode, Documents, and Voice Control

Michael Fey — Thu, 19 Sep 2019

Hello and happy iOS release day, everyone! We’ve been excited for this release since iOS 13 was first announced at WWDC. Now that it’s finally here, we’re excited to share 1Password 7.4 for iOS with you.

There’s a bunch of stuff I’m pumped to tell you about, so let’s dive in and take a look.

Dark Mode for iOS

Ever since Apple rolled out Dark Mode for macOS at WWDC 2018 I’ve been waiting for them to bring it to iOS. Whether I’m checking my emails first thing after waking up, or looking something up online before turning in for the night, being blasted in the face by a bright screen has never been a positive experience. Dark Mode on iOS solved this problem for me, though, and I couldn’t be happier. I’ve been using iOS 13 exclusively in Dark Mode for a while now, and I love it.

We began the work to bring Dark Mode to 1Password for iOS in June and we’re really excited to show it off to you today.

We’ve also added a special dark app icon that I think looks right at home in the dock on my iPhone.

Use your voice

One of the most impressive and exciting parts of iOS 13 is the addition of Voice Control, and 1Password makes full use of it. This new feature opens up a world of possibility for users who may not have the ability to interact with their iOS device using their hands.

With Voice Control you won’t have to lift a finger to search, open, edit, or share items from within 1Password. Control every aspect of your iOS device, including opening and navigating 1Password, just by using some simple, predictable voice commands.

Documents, documents, documents

Ever since we added the ability to create Documents using the camera roll, we have seen requests to expand our capabilities. Today, I’m pleased to say, we’re answering that feedback. Starting in 1Password 7.4 you can create Documents from the camera roll, use the camera directly, or pick a file from the Files app. That last one is particularly exciting as it means you’ll be able to bring in files from any app that makes its files available to the Files app — like Dropbox, Google Drive, and more.

We’ve also added the ability to use the new document scanner in iOS 13 to create PDFs from your paperwork, complete with optical character recognition text summaries! It’s a fantastic way to scan and store your sensitive information securely and make it available to all your devices.

In closing

iOS 13 from Apple and 1Password 7.4 are both available today, so fire up your updaters and check out all the cool new features. While you wait, you can read our full set of release notes or pop on over to the App Store and leave us a review.

Thank you to everyone who provided feedback about this release. 1Password wouldn’t be the app it is today without your involvement. Cheers!

Get to know 1Password Advanced Protection with our next webinar

Sarah Brown — Wed, 18 Sep 2019

We’ve just launched 1Password Advanced Protection, a suite of powerful new security tools for 1Password Business, and we’re excited to show you what it can do.

Join us on September 24th or October 8th at 2 p.m. EDT, when we’ll show you how to create security policies, prevent threats, and monitor your team’s access in 1Password Business.

In this live webinar, you’ll learn how to:

Set a Master Password policy
Turn on two-factor authentication for the team
Create and manage firewall rules
Monitor your team’s sign-in attempts
Set and manage software update requirements

We’ll also have time for a Q&A session at the end to answer all your questions about Advanced Protection.

Join the webinar on either September 24th or October 8th at 2 p.m. It’s free, and it’s a great way to get to know Advanced Protection.

Introducing 1Password Advanced Protection: powerful security tools for business

Jeff Shiner — Tue, 17 Sep 2019

Today, I’m excited to announce the release of 1Password Advanced Protection, a suite of powerful new security tools for 1Password Business.

With 1Password Advanced Protection, administrators have the power to create security policies, prevent threats, and monitor their team’s access. We’ve got five features to cover, so let’s get started.

Master Password policy

Employee passwords are the biggest point of failure for most companies. With the Master Password policy, administrators can enforce stricter Master Password requirements to match their internal security policies.

You can increase the minimum length, and require uppercase or lowercase letters, numbers, or symbols. When you update your policy, everyone on your team needs to meet those requirements when they create a new Master Password.

Two-factor authentication

Ever since we released two-factor authentication, administrators have asked us for the ability to manage it for their entire team. So we made it happen.

Choose which second factors your team can use when they sign in on a new device: an authenticator app, security keys, or Duo. Then enforce two-factor authentication for your entire team to make sure no one slips through the cracks.

Firewall rules

If you’ve ever wanted to restrict where your team can access 1Password, you’ll love this. You can create firewall rules to allow, report, or deny sign-in attempts from certain locations or IP addresses.

Whether you want to limit access to the office or block access from high-risk countries, you can create firewall rules to help you. You can even block VPNs and Tor to prevent anonymous IP access.

Modern app requirements

For the latest features and security fixes, we know how important it is to keep your software up to date. With modern app requirements, you can make sure your employees are on the same page.

Find out who uses outdated 1Password apps, and require everyone to keep 1Password up to date. If anyone uses an older version of 1Password, they’ll be prompted to update to the latest release.

The final feature ties everything together. For more insight into account activity, the sign-in attempts report gives you a clear overview of recently reported, blocked, and failed sign-in attempts.

Review the time, location, IP address, and device of each sign-in attempt, and use the interactive map to view attempts from a specific location. Find out why they failed – whether they used the wrong credentials, two-factor authentication failed, or were blocked by your firewall rules – so you can assess how effective your policies are and adjust them to protect your team.

Get started with 1Password Advanced Protection

1Password Advanced Protection is now available for all 1Password Business customers. If you use 1Password Teams, it’s easy to upgrade to a business account.

There’s lots to explore. Visit our support site to learn about 1Password Advanced Protection in 1Password Business.

Join our webinar

We’re hosting webinars on September 24 and October 8 to help you get the most out of 1Password Advanced Protection. We’ll even have one of our lead developers on hand to answer all your technical questions. Head over to our blog post for more information and to register.

1Password Advanced Protection

With 1Password Advanced Protection, it’s easy to customize and enforce your security policies. 1Password Business customers can start fortifying their defenses today.

Get Started

Trust, browsing, and privacy with Daniel Davis from DuckDuckGo

Sarah Brown — Fri, 30 Aug 2019

The next video in our Essentials of Business Security series is ready to watch! Cat talks with Daniel Davis from DuckDuckGo about how to make digital privacy a priority.

DuckDuckGo began as a privacy-focused search engine. Today, it offers a browser extension and mobile app to prevent you from being tracked as you browse the web.

Here are four key points from our chat with Daniel that will help to keep your business data safe and private.

Make privacy a priority

Customers and employees want to know that their personal information is safe in your hands and on your servers. And as more companies go above and beyond to protect their customers’ privacy, competitive pressure is building for others to keep pace.

With data leaks and breaches becoming more frequent, you need to show that privacy is a priority for your business. To do this, put together a privacy policy that is comprehensive, clear, and easily accessible. Be open and transparent with customers about exactly what information you’re storing, and how and where you store it.

Evaluate new tools

Before you purchase or implement any new software, read the privacy policy carefully. If you’re in Europe, any software that processes or stores your data must be GDPR compliant. If you’re in the United States, software should comply with your state’s privacy laws.

Build it into your business

Almost weekly, a new privacy scandal hits the headlines. As a result, more people are aware of the risks to their data and are looking for ways to protect it. You can help by building privacy into the way your business operates.

Make sure privacy tools like safe search, browser extensions, and mobile apps are simple to use and fit your employees’ needs. Anything that is too complicated, or that disrupts their workflow, is likely to be ignored.

Take care of the data

When handling your customers’ personal information, be clear about exactly what you’re collecting and why you’re collecting it. Never keep data that you don’t need, because if you don’t have it, you can’t lose it or be tricked into giving it away.

Trust is the most valuable thing your customers can give you, so be transparent and keep them informed about any changes to your policies.

What’s up next

If you enjoyed our chat with Daniel, sign up for the webinar mailing list to receive notifications of future webinars.

Tracking, blocking, and safeguarding with Bennett Cyphers from Privacy Badger

Sarah Brown — Thu, 15 Aug 2019

A brand new video in our Essentials of Business Security series is now live! This time, Cat talks with Bennett Cyphers from Privacy Badger about tracking, blocking extensions, and what you can do to safeguard your data while browsing the Internet.

Created by the Electronic Frontier Foundation, Privacy Badger is a browser extension designed to block advertisers and other third-party trackers from monitoring your web activity. It works in the background while you browse, automatically analyzing and blocking any code that seems to track you across multiple websites.

Ad companies like Google and Facebook not only track you on their pages; they also use invisible pixels and cookies to follow your journey across the Internet.

While we know it’s not realistic for most people to quit Google and Facebook altogether, here are five other things you can do to protect your privacy online.

Switch to a privacy-focused browser

Google Chrome may be a popular browser, but it collects quite a bit of data about you.

While there isn’t a single best browser option, both Mozilla’s Firefox and Brave are excellent choices for protecting your privacy and security.

Firefox offers robust privacy features and can be customized to fit your individual security needs. Additionally, you have the option to enable several useful browser extensions that can enhance your privacy and security.

Brave is built on Chromium and is privacy-focused by default. We recently took Brave out for a spin and were impressed by its speed and built-in security features.

Use a blocking extension

Browser extensions that block ads and trackers work behind the scenes to stop third-party code from capturing your personal information. Some only block cookies and others work as a full ad blocker.

Privacy Badger is an extension that automatically analyzes and blocks any tracker or ad that violates the principle of user consent. Rather than working off an existing list of trackers and cookies to block, it learns as you browse.

Change your search engine

Google has earned its reputation as a robust search engine, but it comes with a price. To give you a personalized experience, Google tracks and stores an incredible amount of your personal information.

And it’s not just Google. Most big search engines are essentially data collectors for advertising companies, who use the information to create targeted ads. Thankfully, there are several privacy-focused search engines you can use as an alternative:

Use an encrypted messaging service

Unfortunately, many of the most popular messaging apps — like Facebook Messenger, Skype, and Snapchat — don’t offer end-to-end encryption. This means your private information is at risk of being exposed to the companies behind the apps, and anybody they share it with.

To keep your conversations away from prying eyes, it’s a good idea to use an encrypted messaging service. Apps like Apple’s iMessage and Signal offer end-to-end encryption to keep your conversations private and secure.

We need strong privacy laws to protect people

Data breaches can happen to anyone, which is why we need to have strong privacy laws in place to protect people. The EU’s General Data Protection Regulation (GDPR) is a step in the right direction, as it’s designed to protect and empower all EU citizens when it comes to their data privacy.

However, there’s more that can be done to protect your privacy online. Reach out to your politicians and local representatives to let them know how much online privacy matters to you. Use your votes to show them that you want your data kept private.

Introducing the 1Password SCIM bridge

Connor Hicks — Thu, 08 Aug 2019

I’m thrilled to announce the first major release of the 1Password SCIM bridge! The SCIM bridge is the best way to automate provisioning of your team in 1Password Business.

We’ve spent the past year making it easier to roll out 1Password to your company. The 1Password SCIM bridge is available today, and it’s compatible with the most popular enterprise identity providers: Azure Active Directory and Okta. It’s available for one-click deployment on the Google Cloud Platform Marketplace, or it can be installed more traditionally using Docker, Kubernetes, or Terraform.

The SCIM bridge makes it easy to manage your team because it brings 1Password into the workflows you already know and love. It allows you to control your 1Password account from your existing systems, so you can use the enterprise identity provider that your team is already familiar with. Your administrators can remain hands-off and manage your team from one central place to invite employees, grant them access to the correct groups, and deprovision them when they leave. Watch this video to see how the SCIM bridge syncs Okta with 1Password.

“At Okta, we securely connect our customers to the technologies they need for their businesses. We’re excited to partner with 1Password to do just that for our joint customers. With the 1Password SCIM bridge, 1Password customers leverage Okta’s full provisioning capabilities and can automate many common administrative tasks, enabling them to increase efficiency throughout their organizations.” — Chuck Fontana VP, Okta Integrations & Strategic Partnerships

To make sure everyone in your company can always access what they need, the SCIM bridge automatically syncs your identity provider’s groups with the groups in your 1Password account. Create custom groups in 1Password that you can manage directly from your identity provider to grant access to vaults.

The SCIM bridge is designed with a robust and security-focused architecture. It runs within your cloud provider or existing infrastructure and connects to your identity provider using the industry-standard SCIM protocol. Because the SCIM bridge runs within a system under your control, your account’s encryption keys also stay under your control – right where they belong.

If you use 1Password Business at your company, take advantage of the power that the SCIM bridge has to offer, including automatic confirmation of new users. For more information, contact the 1Password Business team. Or get started on your own.

Keep students safe with 1Password Families

Sarah Brown — Tue, 06 Aug 2019

Summer may still be in full swing, but school is just around the corner. If you’re sending your child off to college for the first time, take the opportunity before they leave to instill the security habits that will keep them safe in college and beyond.

With a 1Password Families membership, you can give your loved ones the tools to protect themselves – without taking away their independence.

Get the basics right

Start teaching your child good password management skills by adding them to your family account. If you have an individual account, you can upgrade it on 1Password.com.

1Password keeps your family safe online by helping everybody create and use strong, unique passwords for all their accounts. And, because it makes it quicker and easier to sign in to apps and websites, they’ll actually want to use it.

Students starting college need to sign up for a lot of new services, like school emails and online shopping accounts. It’s a lot to take in all at once. This is the perfect time to teach them how important it is to use a strong, unique password for every site.

Store everything important

Students are handed a lot of new information and documents in their first week of college. If they store them in 1Password, they’ll know just where to look when they need them.

From software licenses to purchase receipts, and school files to credit cards, anything that’s worth keeping safe and private is best kept in 1Password. Students can keep copies of their driver’s license and passport in case of emergencies, and any critical medical documents or private notes they might need.

1Password syncs seamlessly between devices, so your child can access their school files and emails from their iPad at school, and again from their desktop computer when they’re home for the holidays.

1Password is the easiest and safest way to share passwords, credit cards, and anything else that’s too important to email. So when your child needs your credit card number to order books for next semester, it’s easy to share it with them – just add it to your shared vault.

Your shared vault can also be used to store your family’s Netflix password, insurance cards, and anything else your child may need access to while they’re away from home. You can add new items as needed, update existing ones, or remove outdated information and it will update automatically for everyone in your family.

Keep personal things private

Not everything needs to be shared with the whole family, and it’s a good bet that most students won’t want their parents to have access to their social media accounts. In addition to shared family vaults, everybody in your family gets their own private vault so they can keep passwords, personal documents, and private notes safe from prying eyes.

Defend against breaches

As a parent, it’s your job to protect your child, but you can’t be with them every moment of every day. Watchtower, included with every 1Password membership, can give you peace of mind when it comes to their online safety. Watchtower will alert them if any of the websites they use are compromised, or if any of their passwords are included in a data breach, so they can keep their accounts safe.

Sign up for 30 days free!

Give your child the tools they need to keep themselves safe online. Sign up now and try 1Password free for 30 days.

Try 1Password Families free

There's never been a better time to upgrade to 1Password 7

Swapna Krishna — Wed, 31 Jul 2019

1Password 7 was released over a year ago, and thanks to all the new features we’ve added since, there’s never been a better time to upgrade. Let’s take a look at what you get with the latest and greatest version of 1Password.

1Password mini

1Password mini has a beautiful new design in 1Password 7. Every pixel has been reimagined to give you more information and control, so you can keep all your passwords, credit cards, and other important items right at your fingertips. It still works in your favorite browsers, and now you can fill in apps with drag and drop. The new 1Password mini is available in 1Password 7 for both Mac and Windows.

Watchtower and security

Data breaches happen all the time. If you use 1Password 7, Watchtower alerts you if any of your passwords have been compromised and need to be changed. It also keeps track of expiring items (like credit cards or passports) and warns you of unsecured websites.

Watchtower now integrates with twofactorauth.org, so you’ll know when you aren’t using two-factor authentication on a site that supports it.

Dark Mode

1Password 7 for Mac supports Dark Mode, and because 1Password 7 populates icons to make it easy to find the login you’re looking for, you’re in for a real treat. The colorful icons really pop against the dark background. You can download the latest version of 1Password for Mac now.

Preparing for Safari 13

If you’re still using 1Password 6 with Safari, you’ll need to either upgrade to 1Password 7 before macOS Catalina comes out later this year or switch to another browser. Regardless, there’s a lot to love about the latest and greatest 1Password release. Learn more about upgrading.

Faster and more streamlined

In 1Password 7, both the Windows and Mac apps were completely rebuilt to give you the most powerful and streamlined 1Password experience ever. We also redesigned the sidebar to show you all of your accounts and vaults with a single glance.

Organization and productivity

1Password 7 is perfect for organization junkies. From customized keyboard shortcuts to support for nested tags, you can make 1Password 7 work the way you need it to.

Upgrade now

If you have a 1Password membership, 1Password 7 is included in your subscription. You can download it for Windows and Mac.

Sign up for 30 days free!

Start your 1Password membership today and discover what's new in the best version of 1Password yet.

Try 1Password free

1Password 7.2 for Android: the Dark Theme Rises

Michael Verde — Mon, 22 Jul 2019

Thought I’d go with the obvious Star Wars reference? I have to admit it was tempting, but villains monopolize the dark side in that universe. Heroes can have a dark side too, as evidenced by our friend the Dark Knight, and Dark Theme is definitely the hero feature of this release!

Without further ado, and only a few more pop-culture references, let’s get into what’s new in 1Password for Android 7.2.

Dark Theme

The new feature I’m most excited about in 1Password also happens to be my favourite new feature in Android Q. When it launches later this summer, Android Q will bring support for a system-wide Dark Theme. And 1Password will be ready and waiting with our new gothic stylings.

I only work in black…and sometimes very, very dark grey.

While we did darken things dramatically, we didn’t quite limit our palate to Bat-approved colours. Instead, we used the contrast provided by a dark background to really make important elements pop. Look for bold shots of 1Password blue to tell you where the action is.

What if your device isn’t running Android Q?

This is the best part. Even old versions of Android support Dark Theme in 1Password, all the way back to Lollipop. On Android Q, 1Password will match your choice in the system setting by default, while earlier OS versions will default to Dark Theme when Battery Saver is enabled. In either case, you can override this behaviour with a quick visit to the display settings in 1Password.

Enhanced Autofill functionality

Not only does Dark Theme dazzle throughout the app, but it also asserts its sense of style in Autofill. Of course, you’re probably more interested in how well Autofill works, rather than how great it looks. To that end, we’ve added a couple of exciting improvements to help you out.

Now, you can create new Login items using Autofill without having to double back to 1Password. Whether you’re signing in to an app or browser, Autofill prompts you with the option to create a new Login item. If you’re signing up for a new account, you can use the password generator.

If that isn’t enough, we’ve enhanced Autofill to support more apps and websites with split-screen logins. Signing in is quicker and easier than ever.

Manage trashed items on the go

If you accidentally move an item to the trash, there’s no need to rush back to your computer. Simply navigate to your trashed items and restore the item with a single tap. On the other hand, if you’re confident that you don’t need the item, just empty the trash to purge it from your device.

Honorable mentions

We’ve covered some of the biggest changes to 1Password 7.2, but there’s lots more to explore:

Add/remove additional website fields from logins
View password history for Login and Password items
Use 1Password in desktop mode with Samsung DeX
Dozens of additional features, improvements, and fixes

Rolling out

1Password 7.2 for Android is a free update for all 1Password customers. We’ve started rolling it out on Google Play, so keep an eye out for the update notification. Once installed, you can enjoy all the great new features and improvements that I’ve waxed poetic about.

This update was a labour of love, and we hope that you love it as much as we do. Be sure to let us know about your favourite features on Google Play, Twitter, or the 1Password Forums.

Testing out Brave with 1Password X

Emily Marchant — Fri, 05 Jul 2019

As people grow more cautious of online tracking and data collection, space is opening up for privacy-conscious browsers like Brave, a relative newcomer that’s enjoying some time in the spotlight. To see what all the fuss is about, I’ve been giving Brave a spin.

A quick introduction to Brave

Developed by Brendan Eich, co-founder of Mozilla, Brave is a privacy-focused browser built on open-source Chromium.

The backbone of Brave is the same as Chrome, so it shares a lot of its plus points: it has the same clean look, you can install extensions from the Chrome Store, and it syncs across devices. Brave supports Windows, macOS, Linux, Android, and iOS.

Getting started

Getting Brave set up is easy. When you launch the browser for the first time, a welcome tour helps you import any bookmarks and settings from your old browser.

You can install 1Password X straight from the Google Chrome Store. Remember, when you sign in to 1Password.com for the first time in Brave, you’ll need your Secret Key, so get that ready.

Minimizing disruption

One of the reasons people stick with browsers like Chrome is their dependence on the browser’s password-saving feature. While convenient, browser password managers aren’t always the strongest choice when it comes to protecting your privacy. Tying your passwords to a particular browser makes it difficult to up and leave, too.

That’s where using a dedicated password manager makes a big difference. You can access all your passwords in any browser, so you’re not tied in.

1Password, breaker of chains

Because 1Password is compatible with so many browsers, it’s easy to try something new without disrupting your workflow. If a browser isn’t the right fit, you can switch back without losing access to your data.

I, of course, use 1Password. So when I tried Brave, all my passwords, credit cards and everything else were ready to use straight away. If you don’t use 1Password already, it’s straightforward to import your passwords from Chrome to 1Password. Once you’ve done it, you’re free.

Remember browser security basics

After you set up 1Password in Brave, it’s worth familiarizing yourself with the browser’s security settings. Take a little time to get the basics set up:

Deselect the option to import browsing history and saved passwords during setup
Either turn off cookies, cache, and browser history or clear them regularly
Disable the in-browser password manager
Disable Autofill
Use incognito/private mode on public computers. You can set incognito/private mode as default in Brave too.

What’s Brave like?

Brave claims to be significantly faster than Safari or Chrome, and while I don’t have any independent data to back that up, it was certainly quick.

There’s a whole host of privacy features to explore too. Built into the browser you’ll find ad and tracker shields, Tor integration, fingerprint blocking, HTTPS Everywhere, and more. Counters on the browser’s homepage add up how much time you’ve saved through blocking ads and trackers, which is a nice touch.

The verdict

Choosing a browser really comes down to personal preference. It’s a case of weighing up convenience with the features that matter to you.

Brave looks and feels a lot like Chrome, so if you’re looking for a less intrusive alternative to Google’s browser, Brave might be right for you. It gives Firefox and Safari a run for their money when it comes to security, and it’s far from slow.

There’s a lot to like about Brave — its speed, focus on privacy, and built-in security features. And because I use 1Password, I could try it out easily without any interruption to my work.

Sign up for 30 days free!

To take 1Password X for a spin and see if it fits your workflow, sign up for a free 30-day trial of 1Password today.

Try 1Password FREE

Phishing, fraud, and threat reduction: advice from Alex Rosier

Sarah Brown — Tue, 02 Jul 2019

The third webinar in our Essentials of Business Security series is now available! In this video, Matt talks with Alex Rosier from ProtonMail about phishing, fraud, and how you can reduce the threats to your business.

ProtonMail is five years old, and Alex has been involved since the early days. He started out doing anything and everything that was needed but now focuses on working with businesses of all sizes.

To help keep your business safe from phishing attacks, we’ve put together five key points from their chat.

Your email is at risk

Despite the rise in popularity of Slack and other messages programs, email remains the largest communication model for businesses. The data you send over email is more vulnerable than you may think. Even internal emails can be intercepted and exposed if the right malware has been put into place.

Even internal emails can be intercepted and exposed if the right malware has been put into place, but if you and the recipient of your email use an encrypted email server like ProtonMail, it makes it more difficult for third parties to read or tamper with your messages and the information they contain.

Information is more public than you realize

Nothing is as secret or as private as you’d like to believe. Everything from your phone number to your social security number may be available to anyone who knows where to look. If a cybercriminal already has the right kind of information about you, it can be easy for them to convince you to hand over even more without realizing what you’re doing.

Anything you share online can potentially be used against you in an attempt to steal your information, so even if you’re job hunting and expecting an email from a recruiter, think twice before you send sensitive or confidential data over.

Phishing over email

It’s possible to get almost any information you need by asking the right person the right questions or getting the right person to click the wrong link. Often, a target may be phished for details regarding a password or login information for a simple, non-critical system. However, if that target re-used their password on more critical systems, their access has now been compromised and data can be accessed by the wrong people.

Phishing emails usually appear to come from trusted sources, making them blend in with your inbox. Luckily there are some easy ways to recognize a phishing email to help you notice and take action when something is off.

Test your security

Pen testing within your organization can help you to locate your unique vulnerabilities. Finding these holes and sealing them up before the bad guys can exploit them will ensure that your data stays safe and secure.

If your IT department needs assistance putting together a pen test, there are companies that can help. Kevin Mitnick’s Global Ghost Team, Mitnick Security, provides one way to locate these holes.

Educate your team

Education is undeniably the best protection you have against phishing, which is why it’s been a common theme in our webinar series. Your employees may be well-intentioned, but everyone from the CEO down needs the right tools and information to protect themselves and your business.

Taking the time to educate your team on how to spot phishing attempts is a necessary investment.

What’s up next

If you enjoyed this chat with Alex, sign up to find out about our upcoming webinars. They’re the best way to learn what’s possible with 1Password.

Safari 13 is awesome, but 1Password 6 users need to upgrade to enjoy it

Michael Fey — Fri, 28 Jun 2019

On Monday, Apple released the macOS Catalina public beta that includes a preview of Safari 13, which is set for release this fall. We’ve discovered there’s lots to love about Safari 13, but we’ve also learned that it will no longer work for customers using 1Password 6.

Those already using 1Password 7 are all set: 1Password 7 is ready for Safari 13, so you won’t miss a beat.

If you’re still using 1Password 6 in Safari, you don’t have to do anything immediately, but you’ll need to take action soon to prevent interruptions to your workflow when Safari 13 arrives.

1Password 7 supports Safari 13

The best way to experience Safari 13 is by using 1Password 7.

1Password 7 is included with every 1Password membership, and contains a ton of new features to help you organise and secure your life. A few highlights:

Watchtower can now tell you when items you’ve saved in 1Password – like credit cards, driver licenses and passports – are about to expire. Plus, it can tell you what sites support two-factor authentication, and whether or not you’ve enabled it.
1Password mini is smarter, faster, and more helpful than ever. It suggests passwords for the apps on your Mac, not just when you’re browsing the web.
Everything has been entirely redesigned since 1Password 6, and that doesn’t just mean it looks fresh. The new sidebar makes it easier to switch between vaults and investigate security issues with your logins, and items now display the most important information front and center.

With a whole bunch of new ways to organize your life, 1Password 7 is the perfect companion to the speedy and secure Safari 13. 🙂

For those with a 1Password 6 license, we’re offering you your first 3 months of 1Password Families for free so you can test-drive a 1Password membership before Safari 13 lands on your Mac this fall.

Soldiering on with 1Password 6

1Password 6 will continue to work with other browsers. Safari lovers like myself won’t want to hear this one, but if you’re stuck and really can’t upgrade, you can still use 1Password 6 in Chrome, Firefox, Opera, and Vivaldi.

What’s changing

In previous versions of Safari, extensions were installed via the Safari Extensions Gallery. In Safari 13, the Safari Extensions Gallery is being replaced with Safari App Extensions.

It’s great Apple is doing this as Safari App Extensions are faster, lighter and more secure. They run through native Mac apps, meaning they put much less strain on memory and CPU performance. Plus, they’re less vulnerable to security exploits like man-in-the-middle attacks. And, as the extensions are bundled right in with the apps you download, you don’t have to worry about compatibility issues, or downloading the wrong extension by mistake.

1Password 6 was retired over a year ago and, as an older app, it still relies on an extension from the Safari Extensions Gallery. Safari 13 offers a better browsing experience all round, but to embrace the new, we have to let go of the old.

In addition to its inclusion in macOS Catalina, we expect Safari 13 to also be released as an update for everyone using macOS High Sierra and Mojave, so we’d recommend making plans now as this is very likely to affect you.

We’ll be discussing this change over on our forum, so be sure to join us if you’d like to learn more!

Why I switched to 1Password X

Sarah Brown — Mon, 24 Jun 2019

I’ve used 1Password far longer than I’ve worked here, but until I came on board I only used the Mac and mobile apps. Although I knew that there was a browser-based option, I didn’t give it much thought until I was poking around during my new-hire training.

Honestly, what took me so long? Within a few weeks of discovering that 1Password X existed, it became the primary way I use 1Password on my computer.

1Password X is a full-featured version of 1Password that runs entirely within a browser. It runs on my Linux machine just as smoothly as it does my Mac. And because 1Password X connects to your 1Password account, you have access to everything you expect. That’s extremely helpful if you’re anything like a lot of us here and find yourself jumping between different computers and platforms multiple times a day.

How does it work?

Although I first discovered 1Password X on Linux, it quickly became my preferred way of using 1Password on Mac as well. I love having all my passwords stored in 1Password, and 1Password X streamlines and simplifies my workflow.

1Password X works in the background of my browser, anticipates exactly what I need, and shows the relevant options in-line – right where I need them. If I navigate to a page with a saved login, I simply click the 1Password icon and select an option to fill. It will even detect if I have more than one login for a site, like Gmail or Twitter, and all I have to do is start typing my username to find the one I want.

It makes signing up for a new website easier too. It suggests and saves a newly generated password right on the account creation page!

With 1Password working seamlessly in Chrome, it’s become such a natural part of my daily routine that I almost don’t even notice it working away.

Even more fun

I already love 1Password X, perhaps more than is socially acceptable, but the release of the May 2019 update made it even better. I’m a big fan of two-factor authentication and have it enabled for every service that offers it. The latest update of 1Password X fills one-time passwords automatically – in addition to usernames and passwords – even when the login process is split across multiple pages.

I can’t wait to see what else they’re cooking up and how those improvements will make my digital life even easier.

1Password X works in your browser

1Password X takes the experience I expect from the Mac and iOS apps I had been using and makes them even better. It’s available on Linux, Chrome OS, Mac, and Windows. And it’s easy to set up and use in your favorite browser: Chrome, Firefox, Opera, or Brave.

It’s a re-imagination of how 1Password works on the web, designed to make your life easier. And, just like all the 1Password apps, the security of 1Password X keeps your most important information safe and confidential.

1Password X is awesome and incredibly useful, but that doesn’t stop me from using 1Password.com or 1Password for Mac when I want to. I’ll sign in to my account on 1Password.com to search for something or turn on Travel Mode, and I’ll use the Mac app to manage and organize the information I have saved in 1Password. Being able to choose the best option for a specific task makes my workflow easier.

If you’re using the 1Password extension for the desktop app, try 1Password X. It’s included with your 1Password membership, and you can switch back at any time.

Sign up for 30 days free!

To take 1Password X for a spin and see if it fits your workflow, sign up for a free 30-day trial of 1Password today.

Try 1Password FREE

Smooth sailing with 1Password on the new Apple betas

Sarah Brown — Fri, 21 Jun 2019

WWDC, Apple’s annual Worldwide Developers Conference, happened in San Jose earlier this month. It’s an exciting opportunity for developers from all over the world to meet and talk with Apple engineers and for Apple to show off their upcoming software.

The conference always kicks off with a keynote, and this year it was bursting with announcements and updates. The most exciting news for our team was the announcement of brand new versions of iOS, iPadOS, and macOS! Roo has already talked about how impressed he is by Voice Control in iOS 13 and how excited he is for Dark Mode for iOS to finally arrive.

If you’re a member of the Apple Developer Program, the developer beta versions of all three pieces of software announced at WWDC are already available to download and install.

All of the software previews were absolutely stunning, and we know 1Password 7 will look amazing on all of them. But the best part? If you have 1Password 7 installed, everything should work as expected on the iOS 13, iPad OS and Catalina developer betas. You can keep using 1Password in your daily workflow without fear of any significant interruptions.

However, since everything is in closed beta, you may run into some glitches here and there with your 1Password workflow. While there were so many incredible things announced at WWDC, we’re only just scratching the surface of what we can do with them. If you come across something that doesn’t work as it should, we’d love it if you could share your feedback on the 1Password Support forum.

Currently, macOS Catalina, iOS 13, and iPadOS are limited to Apple developers, but a public beta will be available for download and testing in July with the full launch coming later this year.

If you’re using the latest beta operating systems, pair them with the current 1Password beta. We’ve made a lot of improvements already, and you’ll be the first to receive new ones.

Improve your team’s security with our next webinar

Lisa Verheul — Tue, 18 Jun 2019

As we move into the second half of 2019, it’s a great time to re-evaluate your team’s security habits. If their password management isn’t up to scratch, 1Password can help. Our next webinar will show you how to get started.

On July 16 at 2 p.m. EDT, we’re hosting a repeat of our Administrators: Get Started webinar. If you’re looking to set up 1Password for your team, have just been appointed as a team administrator, or simply need a refresher, this webinar is for you.

In this webinar, we’ll show you how to:

Invite people to your team
Share data and manage permissions
Create and manage groups

We’ll also have time for a Q&A session at the end to answer all your questions about 1Password Teams and 1Password Business.

Register for the webinar

Join the webinar on July 16 at 2 p.m. It's free, and we'd love to help you make the most of 1Password.

To receive notifications of future webinars, sign up for the mailing list.

Scams, malware, and preventative measures: advice from Michael Sherwood

Sarah Brown — Mon, 17 Jun 2019

The second webinar in our Essentials of Business Security series is now available! In this video, Matt talks with Michael Sherwood from Malwarebytes about scams, malware, and what you can do to protect your business.

Michael’s journey to Malwarebytes began with an interest in technology and an Apple IIc in ‘84. From there, he joined the US military, where in the mid-90s (the Windows NT era) he found his feet in cryptography. Today, he is VP of Enterprise Online at Malwarebytes, and we’re thrilled that he’s bringing his expert insight to our latest webinar.

To help keep your business safe from scams and malware, we’ve put together five key points from our chat for you to take away and consider.

The landscape is shifting

Michael highlights that in the past ransomware has been mostly an annoyance, rather than malicious. However, the focus has shifted: attacks have become more advanced, and it’s all about making money.

The good news is that cybersecurity solutions are keeping up and getting better at detecting scams, fraud, and phishing attempts.

Everyone is at risk

Cyber breaches and scams are on the rise. A recent global survey indicates that more than 60% of organizations were affected by a security event in the last year.

Use of ransomware is no longer only focused on attacking major organizations and corporations — it’s just as likely to hit a small business or independent shop.

If a few small shops pay up, attackers will likely widen their net and send ransomware to as many similar businesses as possible. The larger the audience, the higher the chances are that someone will fall for their scam.

The Federal Trade Commission has put out a helpful guide for small businesses on what to look out for to avoid getting scammed.

A “C” in your job title ups your risk

Owners, executives, and C-suite level employees hold the keys to the business, making them a hot target for scammers and phishers. Matt notes that when he moved to a C-level position, the number of scam and phishing emails increased.

Scammers may pose as a coworker or a colleague to bypass your defenses, in the hope that they’ll be able to trick you into giving up your credentials.

Implement the basics

Having the right security software in place is your best defense. At a minimum, you should install anti-virus and anti-malware software on all employee machines.

Additionally, research the right password manager, two-factor authentication, and email services for your business. Consider hiring an IT professional to lead your security efforts too.

Educate your team

After the tools are in place, your employees need to know how to use them. Humans can be a weak link in your security chain, but the right training increases their strength. Educating your team on security basics, best practices, and how to stop phishing attempts is one of the best investments you can make.

Annual security assessments and pen testing help you to find knowledge gaps and weaknesses in your system. From there, you can create a comprehensive training plan.

Malwarebytes also has a security blog that highlights important events in the security world. They focus on thought leadership and take the time to break down how and why breaches happen, and what you should do if you’re affected.

What’s up next

If you enjoyed this chat with Michael, sign up to find out about our upcoming webinars. They’re the best way to learn what’s possible with 1Password.

Passwords, breaches, and data dumps: business tips from Troy Hunt

Sarah Brown — Wed, 12 Jun 2019

We’ve kicked off an exciting new webinar series, Essentials of Business Security, designed to help your businesses stay safe online.

In the first installment Matt talks with Troy Hunt, a longtime friend of 1Password and the founder of Have I Been Pwned. Troy created this site to help people find out if their passwords have been leaked on the Internet, making him an expert on password-related security issues.

Matt and Troy covered four key points in the webinar that will help you protect your business and employees.

Password habits and standards have changed

Views on passwords are always changing and evolving. Requiring employees to change their passwords every 30, 60, or 90 days has been a business standard for years, but the National Counterintelligence and Security Center (NCSC) changed their stance and now advises against password rotation as a policy.

Your employees should create a strong and unique password for every account, and only change these passwords if they suspect an account has been compromised.

Educate your team

Your employees are only human, and humans will naturally try to find the shortest path to the end result. But if you help your employees create smart, easy-to-follow password and security habits from day one, they’re more likely to stick.

You want to instill a questioning nature in your employees without going overboard. Your employees should be cautious of links or files from unknown senders, aware of how and where data is stored and protected, as well as what information they can publicly share.

If your employees are empowered to make smart choices, your company’s data is more likely to be safe.

Put the right tools in place

Having the right tools in place from the beginning helps your employees create good security habits. It’s easier to help your employees start off on the right foot than it is to try to make a company-wide change further down the road after your employees have had the chance to develop their own bad habits.

At a minimum, your employees should be set up with a password manager and two-factor authentication on all accounts that offer it. A good password manager is designed to blend into your routine so seamlessly that it’s actually harder for your employees not to use it.

At 1Password, every business account comes with a free family account to help your team practice good security habits both at work and at home.

How to handle a data breach

The gold standard of breach response belongs to the Australian Red Cross Blood Service. In 2016 a text file containing sensitive donor information, including blood type and eligibility answers, was found on a public-facing site. This kind of breach could be devastating.

Within 72 hours of being notified, the Red Cross determined what happened, had their CEO give a straightforward and thorough statement, and set up a call center for inquiries. All of this, even though they determined that only two people (one being Troy) had accessed the file.

When a breach happens to your business, it’s essential that you step up and take ownership. Downplaying or brushing off the incident doesn’t give your customers confidence in your ability to protect their data going forward.

What’s up next

If you enjoyed this webinar, sign up to find out about our upcoming webinars. They’re the best way to learn what’s possible with 1Password.

Introducing support for U2F security keys

Jasper Patterson — Tue, 11 Jun 2019

You can now use U2F-compatible security keys as a second factor for your 1Password account.

Last year we added two-factor authentication to provide another layer of protection for your 1Password account. When this is enabled, you are prompted to enter your second factor any time you sign in from a new device.

Initially, that second factor was a time-based one-time password generated by an authenticator app on your phone. Today, I’m happy to announce a new option: we now offer support for Universal 2nd Factor (U2F)-compatible security keys. This is done via the new WebAuthn API, and we’re excited to be among the first services to adopt this new browser standard. WebAuthn is backwards-compatible with U2F, so all certified U2F security keys will work with our WebAuthn-enabled flow.

What is a security key?

Security keys are small physical devices that can be used as a second factor. Support is built into most web browsers and works with many online services like Google and GitHub.

“WebAuthn brings to life the concept of using an external security key across multiple devices and platforms, with no shared secrets among services. It’s exciting to see 1Password implement WebAuthn support to enable YubiKey hardware-backed authentication for their users.” — Derek Hanson, VP Solutions Architecture and Alliances at Yubico

When you’re prompted for your second factor, just tap a button on your security key and you’re in. No need to find your phone, open the authenticator app, and type out the six-digit code while trying to race the countdown.

Using your key with 1Password

Security keys are currently supported on 1Password.com in the latest versions of Chrome, Firefox, Opera, and Edge. (It’s coming to Safari 13 this fall.)

So while it works great as your second factor in those browsers, for now you’ll still need an authenticator app set up to use with the 1Password desktop and mobile apps (and any unsupported browsers).

You can add your security keys now by heading over to the 1Password web app and visiting our new Two-Factor Authentication page.

Your Master Password, which is used for the encryption of your data, still remains the most important thing protecting your 1Password account. Adding a second factor does not mean you can get away with a weaker Master Password.

Where to buy a security key

If you’re interested in getting a security key, you can buy a YubiKey from the Yubico Store, Feitian keys from Amazon, or Titan keys from the Google Store. Any device that supports the U2F standard will work.

How it works under the hood

WebAuthn is a pretty neat implementation based on public key crypto, and resolves security vulnerabilities like phishing. Our server generates a random token and asks your browser to get it cryptographically signed by your security key. The browser also includes the current domain (and some other data) as part of the payload that is signed. This signed response gets sent back to our server, which will decode it; make sure the token, domain, and other data match what we expect; and finally verify the signature using the device’s public key.

Voice Control in iOS 13 is amazing and 1Password is ready

Michael Fey — Thu, 06 Jun 2019

One of the most impressive parts of Apple’s enormous WWDC Keynote on Monday was the announcement of Voice Control for iOS 13.

This brand new feature is a complete game changer for users who may not have the ability to interact with their iOS device using their hands and fingers. Using simple, predictable voice commands you can control every aspect of your iOS device. We pride ourselves on providing a 1Password experience that works for all our customers and when it came time to add Voice Control support to our iOS app all that prior work paid huge dividends.

Check this out:

So many incredible things have been announced at WWDC this year and we’re only starting to scratch the surface of the things we can do. I can’t wait for you to try out Voice Control on IOS 13 when it launches this fall!

1Password for iOS shines in the dark on iOS 13

Michael Fey — Wed, 05 Jun 2019

For those of us on the Apple team, it’s our favorite time of year: Apple’s Worldwide Developer Conference (WWDC for short, or Dub Dub if you want to go even shorter).

This year Apple announced a plethora of promising updates for all their platforms. There was multi-user support on tvOS and HomePod, game-changing security announcements like Sign In with Apple, iPad officially branching off from iPhone with iPadOS, Project Catalyst, and that oh-so-incredible Mac Pro. We also got something I’ve been anticipating for quite some time: Dark Mode for iOS.

Challenge accepted

Each year we watch the WWDC keynote with bated breath, waiting for the announcement that will dictate our workload for the next 3 months. We also take it as a personal challenge to see how quickly we can add Apple’s newest technologies to 1Password. This year is no different and I’m happy to report that our track record continues:

See you in the fall

As always, you can expect to see 1Password ready for Dark Mode when iOS 13 launches this fall.

Bruce Schneier on bridging the gap between policy and tech

Michael Fey — Thu, 30 May 2019

Last week on Random But Memorable, renowned security technologist Bruce Schneier joined me to discuss surveillance capitalism and internet security policy. Read the interview, or listen to the full podcast.

Michael: Bruce, you don’t need an introduction, but I’m going to give you the opportunity to give one anyway. Welcome to the show.

Bruce: Hi. People might not know that I now teach internet security policy at the Harvard Kennedy School. I’m trying to teach a little bit of tech to policy students, and internet policy to techies. I’m trying to bridge the gap between policy and tech. Our serious problems are how do we govern tech, and what is the governance of tech. We need people who can speak both languages.

Michael: So often these days we have rules and laws being put in place that aren’t necessarily based in reality or practical matter.

Bruce: Did you watch the Facebook hearings? If legislators ask questions like “How does Facebook make money?” we’re not going to get good internet security policy.

Michael: It seems like every company these days is creating and selling data and metadata about us. Then other companies are buying it up, or it’s being made public through accidental breaches. Do you think this notion of companies trading and being careless with our data makes us more careless as consumers?

Bruce: Shoshana Zuboff calls this “surveillance capitalism.” It’s a new way businesses are monetizing information about us. It’s both companies that do it as a primary revenue source – the Facebooks and Googles, and all the other companies that sell you appliances, toys, and other services. They realize they have a data revenue stream. It is everywhere. It seems like the new form of capitalism.

I’m not sure it makes us more careless. I think a lot of us are resigned to it. Companies go out of their way to make it not salient, so we don’t think about it. Certainly, when we think about it, we’re concerned. It seems like from surveys, it’s less that we care less or are careless. It’s that we think it’s inevitable and don’t see viable alternatives.

If I tell people, “If you want to protect your privacy, you should not have an email address, carry a cell phone, or use a credit card,” that’s fundamentally dumb advice. You can’t live in the 21st century, first-world countries without engaging in those technologies. So people are deleting their Facebook accounts more and more, but for a lot of people, they need to be on Facebook for socialization. A lot of people are resigned to it. That’s where I look at government as the missing link, because it’s not going to be consumer rebellions that change surveillance capitalism. It’ll be rules and laws.

Michael: I don’t think people deleting their Facebook accounts in 2019 is necessarily going to hurt Facebook’s bottom line.

Bruce: Especially if they use Instagram instead.

Michael: I would think most people don’t even realize that Instagram is owned by Facebook.

Bruce: Facebook doesn’t keep it a secret, but they don’t advertise it. I think they’re playing that game.

Michael: Do you think it’s possible to opt out of this type of life?

Bruce: You can build a cabin in the woods, be off the grid, and not have any communications. It’s possible. It’s just not reasonable to expect.

If you were interviewing me five or ten years ago, we would talk about protecting your data on your computer, and how you could have better security. But now our data isn’t even on our computers. Our mail is on Google’s computers. Our photos are on someone else’s site. When these security breaches happen, they don’t happen to us. They happen to companies like Marriott, and our information is lost or stolen, and there’s nothing we can do about it.

Even if you try to opt out, your data is not under your control anymore. That makes it even harder. My email is not on Google’s servers, but probably about half of my email is, because everybody else’s email is on Google’s servers. So here I am opting out from Gmail, but I’m not really opting out because I can’t.

Michael: And we’re beyond opting out of social media. You can not be on Twitter, Facebook, or Instagram, but these breaches go well beyond that data that you would voluntarily share.

Bruce: Social media is really how we interact with our colleagues. I am not on Facebook, and I notice the lapse socially. I occasionally find businesses who don’t have a website – just a Facebook page. There is a cost for not being on these platforms. Sometimes you’re willing to pay it, and sometimes you’re not.

Michael: If you look at 1Password, we handle people’s data like nuclear waste. We limit who touches it, and we only ask for what we need. We treat our customers’ data with as much care as humanly possible. But this is not the trend.

Bruce: No, because it’s expensive. Password management is inherently, “We want to be more secure because it’s the things that secure other things.” But you move to other data, and you’re not going to make those kinds of tradeoffs.

You can go further. I have a password manager, and I deliberately don’t let anybody put anything in the cloud ever. But I’m sacrificing a feature, because if your data is in the cloud, you can sync over different devices. We’re all making these tradeoffs of usability versus security.

Michael: Where do you draw that distinction?

Bruce: You draw it where you make it. A typical business is going to draw the line where it makes financial sense. Let’s use your typical retailer as an example. If they are not going to lose customers because of bad security, they’re not going to worry about it too much.

Yahoo is pretty famous for skimping on security because it didn’t matter to them financially, but if you look at a program that advertises security, it’s going to be more of a reputational thing. For a bank, security is going to be money. They’re going to spend more to protect the money they would lose otherwise. Everybody is making their tradeoffs based on usability, profits, and regulations.

Michael: Do you think there’s a way to set a new baseline in people’s mindsets for what security should be when it comes to handling personal data?

Bruce: Maybe, but it’s pretty opaque. You could call Facebook and ask, “How do you handle my data,” and they’re not going to tell you. None of these companies will, because they don’t want to make that public.

I don’t see a consumer-led push to increase security, just like you don’t have consumer-led pushes to increase safety in pretty much anything. It is a government-led push because that’s where you have the information to make intelligent decisions that ratchet up safety. I think you might have a generic, “We want more security for our data,” that will lead to government regulation. We saw that in Europe with GDPR. The government set the rules because there was the political will to do that.

Michael: You can debate the merits of having government involved in setting those types of laws.

Bruce: You can, but I’m not sure what the alternative is. The alternative is nothing. The alternative is what we have today in the U.S. – an absolute free for all.

Michael: What do you think are some of the best ways to improve password habits?

Bruce: We know that people are terrible at choosing passwords. We’re at the point where pretty much anything you can remember can be hacked, so we want people to choose unmemorable passwords. I think a password manager is essential because we need some system that will remember them for you.

There is also a system for choosing unbreakable passwords that you can remember. Basically, I tell people to craft a sentence and use it as a way to generate the password. Take the first letter of every word, and then add some number and letter substitutions, extra punctuation, or weird capitalization. You remember the sentence— it’s something memorable from your life that’s personal. I suggest a sentence that you’d be embarrassed to write down, because they are easier to remember, and you’re less likely to write it down. Then you remember the production rule of how to turn that sentence into the password. Use that for high-value passwords, like the password for your password manager.

Also, turn on two-factor authentication whenever you can and it matters. Anything where there’s money, your reputation, or personal information involved, you want to turn those features on.

Michael: One last thing to wrap it up here. What do you think we need to see as a societal change in regards to security or privacy? What’s something you’re hoping we see in our lifetime?

Bruce: The thing that is missing for security and privacy writ large, whether it’s our data privacy, internet of things security, or our national cybersecurity is involvement of government. That is who has abdicated their role. This will only work if everybody is working together, pushing against each other to figure out optimal strategies. We have corporations running the show, so it’s optimized for profit and not security. If you want to fix that, you have to bring government back.

I think it’s inevitable. Governments regulate dangerous things. Once the internet starts killing people, government will be involved, but it really shouldn’t take that. We’re starting to see some movement in that direction, most notably in Europe, but the U.S. is so anti-government involvement that we are hurting ourselves and producing very suboptimal solutions.

Michael: And that brings us back to where we started, which is your efforts to educate future policymakers.

Bruce: And to convince technologists to become part of policy. It’s not just a matter of making sure legislators and regulators understand tech. It’s getting people who do understand tech to take a couple of years in their career and work on policy, advise, speak, or write. There are lots of ways we can engage, and we’re just not doing it.

Taking a peek at Microsoft Edge for Mac

Sarah Brown — Wed, 29 May 2019

Although Microsoft Edge has been out for Windows for a few years, the beta version for Mac was only released in May. Microsoft Edge has been my go-to browser on the rare occasion I use a Windows PC, so I was excited to get a peek at how the browser, and 1Password, would work on my Mac.

Solid as a rock

This new version of Microsoft Edge is built on Chromium, the same base that Chrome uses, making it more stable and reliable than the Internet Explorer of my early internet days. While it’s still only in beta, it feels speedy enough that it could easily fit into my day-to-day workflow without slowing me down or dragging my tasks out.

And the best part is that on my Mac, Microsoft Edge not only looks like a native Mac application but it functions like one, too. All my go-to keyboard shortcuts work exactly as I expect them to, which means I don’t have to move my mouse to open 1Password! With just a tap of the keys, I’m able to sign in and access my saved information.

Keep it secret, keep it safe

It can be challenging to know and track how different companies use the data I share. I love that Microsoft Edge pulls all my privacy and ad-tracking settings into a single location: the privacy dashboard. I’m able to change the privacy and sharing settings as well as manage browsing data, clear search history, and even edit location data.

I know my passwords are safe in 1Password, but having this level of control over my browser data gives me even more peace of mind.

Join the dark side

I’m a huge fan of Dark Mode on my Mac, and I love how sleek it makes the Microsoft Edge browser look. And it doesn’t hurt that Dark Mode really makes the 1Password icon pop in the toolbar.

Of course, if you’re more on the traditional side, the browser and icon look just as good in light mode too.

Right at your fingertips

Just like on Chrome, all the power of 1Password is right there in the toolbar. 1Password X automatically syncs everything to my 1Password account, so I can switch between browsers, operating systems, and devices without missing a beat or forgetting a login.

1Password X makes helpful suggestions as I browse the web, allowing me to painlessly sign in to accounts or fill credit card and billing information. If I need to create a new account, it pops up the password generator so I can create a complex and unique password. All with just a few simple keystrokes.

If you’re using the Microsoft Edge beta for Mac, you can add 1Password X from the Chrome store, just make sure you’ve turned on the feature to allow extensions from other stores.

1Password 7.3 for Mac - Our Life in Miniature

Michael Fey — Tue, 28 May 2019

For the last several months the design and development team at 1Password has been hard at work on a major renovation to the smallest part of everyone’s favorite password manager: 1Password mini.

Since we launched 1Password 7 last May, we’ve received more feedback about that incarnation of 1Password mini than any other part of our version 7 update. Given that it was such a significant departure from its predecessor, we anticipated this feedback. Instead of snapping into reaction mode, we took a wait-and-see approach; change is hard, and we didn’t want to jump to the wrong conclusions. Over time, we built up a wish list of improvements we wanted to bring to 1Password mini and we set off on our journey.

Core competencies

Before a single mockup or wireframe was created, we took a step back to define exactly what 1Password mini needed to do well:

Show items that match the frontmost app or website
Fill your passwords, credit cards, and address information into a web page
Generate new passwords quickly and easily

The mini’s primary goal is to get your information out of 1Password and into the places where you need it with a strong focus on filling your passwords, credit cards, and address information into web pages. Additionally, it needs to be clear how to perform every action.

“Mini is for filling” quickly became our mantra during this redesign, and each decision was made in service of that mission.

A big piece of what makes 1Password mini successful when it comes to filling your information is our “filling brain”. Powered by machine learning that takes place locally on your device, 1Password analyzes the web page and suggests the items you’re most likely to need on that page. What this means is that when you’re on a shopping cart page buying that bespoke artisanal handmade teak wood lute, 1Password mini will have your credit cards ready and waiting for you.

Complex passwords made easy

Using a strong, unique password for every account is the best thing you can do for your personal internet hygiene. 1Password mini makes creating these passwords incredibly easy. Simply hit the New Password button, adjust the length of the password as needed, and save & copy the password.

To get back to your previously generated passwords, just click the menu button above the item list and select Passwords. All of your passwords are there, conveniently sorted in reverse chronological order:

Speedy search

While filling into web pages and creating new passwords might be what you do the most, all your items are available in 1Password mini, and they’re only a keystroke away. Simply start typing the name of any item and our speedy search will bring it right up:

Drag and drop wonderland

1Password has wonderful support for the native apps on your computer, making it easy to sign in to your accounts with Slack, Discord, Omni, and many more. 1Password mini makes this even easier with some lovely drag and drop support:

Wrapping it up

1Password 7.3 is available today as a free update for all 1Password 7 customers. If you’re still using 1Password 6, you can download and install 1Password 7 from our website here: 1Password.com/downloads

If you’d like to chat with us about this update (or tell us about your new lute) you can do so on our discussion forum.

From the Founders' Desk: Thoughts on Mental Health

Sara Teare — Wed, 15 May 2019

With several countries observing a mental health awareness week in May, now is a great time to think about how we care for ourselves and others. We are all worthy of support, encouragement, and happiness. Sometimes feeling okay is easier said than done, but by carving out a bit of time each day to focus on mental and physical health, we can work towards that reality together.

Here at 1Password, a huge part of our culture is being positive and working to bring the wow factor to our customers — but to do that, we need to take time to recharge ourselves too. That’s why we encourage folks to get active during the day, and spend time doing things they love. Whether we’re coding amazing new features or helping answer questions from awesome users, it’s a pretty sedentary job. Having activities outside of work — like going to the gym, yoga, a darts league, or squash — gets you moving, helps the body stay active, and feeds the brain. :)

We also do a few things within 1Password to help keep people feeling connected. Sharing news of engagements, losses, small victories, and other personal stories helps to make us family. When one person celebrates, we all cheer, and when someone is suffering, we all offer support. Finding a group of folks that you can both work and share your life with is something special, and I’m proud to be a part of it.

I was recently asked if we had ever considered hiring someone with a mental illness. The idea that mental health could be just a checkbox on a list of qualities we look for in a candidate amazed me. A diverse team is never made up of check marks, but of real people doing their best to share their passions and talents with the world.

I found this article online and have shared it with our team before, and I want to share it with you all too, because we all have moments when things don’t feel awesome and we need to reach out. Everything Is Awful and I’m Not Okay is a short list of great suggestions that can help get you through that moment.

So on those days when you need to “fake it to make it,” find joy in something small. Pay a kindness forward — buy someone a coffee, compliment a stranger. Smile, laugh, and remember that you are not alone.

1Password X: May 2019 update

Dave Teare — Wed, 08 May 2019

Welcome to the May update of 1Password X! They say April showers bring May flowers, and boy howdy do we have some incredible flowers to share with you today. 🌹🌷

From a freshly redesigned pop-up, to drag and drop support, to some incredible speed boosts, 1Password X is ~~lit AF~~ better than ever.

All new pop-up design

The 1Password X pop-up has been completely recreated to use a two column layout. With one less column, things are now simpler, more responsive, and allow you to see your item details right away. Along with smart suggestions, you can quickly find your logins, credit cards, and identities when you need them.

Search feels more natural in the new design and is faster than ever. Start typing and 1Password will do the rest. After you find the login you’re looking for, press Enter, and 1Password will open the website and automatically fill your information.

If you need to manually type a password on another device, use Large Type to make it as easy as possible. And you’re not limited to just passwords – you can now use Large Type for all of your item fields.

Watchtower alerts look great in the new design as well. Immediately see if your items have a compromised website or vulnerable password, and discover sites where you can enable two-factor authentication (2FA).

With a single click, you can use 1Password as an authenticator for sites that support two-factor authentication. When you see the QR code, click the icon, and 1Password will automatically scan it for you, add it to your item, and copy the current one-time password to your clipboard.

The coolest part of all is the next time you sign in, 1Password will fill your one-time password automatically. You don’t need to lift a finger:

Detach the pop-up

You can now open the pop-up in its own window by clicking the icon. This is great when you need to keep an item open so you can refer back to it. It’s also the perfect companion to our new drag-and-drop feature!

Drag anything from 1Password X and drop it onto any app, browser, or otherwise. It feels great and is much faster than copy and paste. 😍

Speed, speed, speed!

A ton of performance and speed enhancements have made their way into this release.

Scrolling the item list in the pop-up is now (vegan) buttery smooth without any stuttering or reloading. Windows and Linux users will especially enjoy this update as the scrollbars now behave how you expect.

With our move to WebAssembly, page filling and analysis now runs at least twice as fast as before, and those websites with a large number of fields are up to 13x faster in Chrome and up to 39x faster in Firefox! It’s blazing fast. 🔥

Last but not least, there are keyboard shortcuts for everything imaginable in the pop-up. Keyboard warriors rejoice!

Get yours today

If you already use 1Password X, you already have this update. Enjoy! 😘

If you’re new to 1Password X, you can download and install it from the Chrome Web Store (supports Chrome, Chromium, Brave, Vivaldi, Opera, and Microsoft Edge) or the Firefox Add-ons Gallery.

You can also join our beta family to be the first to enjoy new features as we add them. The next step in our adventure is integrating with the desktop apps. Integration with Touch ID is available in the beta today, and support for Windows Hello will be landing soon.

I hope you enjoy 1Password X as much as we enjoyed creating it for you. 🤗❤️

CSX: The internal tool that gives our support team superpowers

Oliver Dunk — Tue, 07 May 2019

Since 1Password was founded in 2005, customer support has been at the heart of everything we do. I’ve been working with a small team to build CSX, a Chrome extension that makes providing support as easy as 1Password makes managing your passwords.

Why do we need a tool like CSX?

As 1Password grows, so do the number of customers we talk to. To make sure we have time to give every reply the thought it deserves, we wanted to automate the repetitive, more administrative parts of the process.

For example, we’ll often get an email that mentions a forum thread or Twitter conversation. Finding that discussion is a repetitive, time-consuming endeavor, and it would be much better if we could spend that time crafting our reply.

To give one more example, we have a collection of “Charms”, which let a new team member know how to write the perfect response for every situation. These are new to us and we’ll likely write about them in the future, but suffice it to say, they help us ensure that every customer gets the same special treatment. It’s easy to forget to look for these, especially since the collection changes over time. It would be great if our tools could do the searching on a team member’s behalf.

These are just some of the reasons why building a tool like CSX was important to us. I could go on, but I’d much rather show you the result!

Meet CSX

Here’s CSX’s main widget, helpfully displayed beside an email. Immediately, you can see that we’ve identified the most relevant customer to the conversation, and surfaced information that might help us craft the perfect response. Let’s talk about each of these in more detail…

Accounts

CSX is authenticated with 1Password.com, and is able to retrieve service data about a customer’s accounts. What’s shown is a summary of the most important details - the region they’re in, how recently they’ve accessed 1Password on a device, and how they’re paying for the service.

With this information, we’ll notice if you’re paying with an Apple Subscription, and change our billing advice accordingly. Or that you signed up on 1Password.eu, which explains why you can’t sign in on 1Password.com.

Order Information

Through integrations with third-party APIs, we look for licences you might have on our old WebStore or on FastSpring, which we use for 1Password 7. This helps us identify which version of 1Password you’re licensed to use, and gives us more information about your purchase if we need it.

Other Context

CSX also shows if you’re active on the 1Password Support forum, or if you have other conversations open in Cerb, our email tool. This helps us choose where to put our response, and ensures that we only respond in one place.

Charms

This one is exciting! Charms are essentially guides for writing the perfect answer to a customer with a particular question. We show relevant Charms based on the “Bucket” your email is routed to, using our own API that exposes Charms to the extension.

Slack

Being a remote company, Slack is vital for internal communication. Through integration with the Slack API, CSX can search for discussions about a particular question, and surface them in a widget just under the main one. This means we won’t waste time asking the same question twice. Notice that we also show who’s replied - this can indicate at a glance if we have an authoritative answer, or if there’s just been a small amount of discussion.

We also allow our team to ask questions directly from CSX. Based on the bucket your email was routed to, we’ll pick the best Slack channel for your question. Every message is handcrafted by CSX to show relevant context, leading to answers in the quickest time possible.

Filling Issues

If there’s one thing that Dave – the Heart & Soul of 1Password – loves to say, it’s that filling is our bread and butter. We want to help our team take action whenever you tell us that filling isn’t perfect. Links that you send us are highlighted if there are known problems, and if there aren’t any, filing the issue for investigation can be done with a click.

Twitter

Twitter is a popular way to reach out to us, and I understand why. I love being able to speak to a company quickly, without needing to dig out their email address or open my email client. That said, email is better for some discussions. In the past, when we asked a customer to email us, we lost everything that had been said so far. To fix that, we made CSX add a “Move to Cerb” button to our Twitter client. This creates a new conversation in Cerb with details about our chat on Twitter, so we don’t have to search for a needle in the Twitter haystack.

Our Forums

CSX isn’t limited to email. Our forum is a hotspot for questions, too, so we find the email associated with a thread’s author and use that to show as much information as we can. Since this is a public discussion, we have to be more careful about what we share. That said, the context can still be useful if we don’t quite understand something you’ve said.

What’s next?

I honestly couldn’t say! Ultimately, we’ll pick whatever benefits our customers the most. Our thoughts on what that is may change as we explore all the ideas we have.

World Press Freedom Day: 1Password for Journalism

Swapna Krishna — Fri, 03 May 2019

It’s not an easy time to be a journalist, which is why we want to recognize World Press Freedom Day. On this crucial day, we celebrate the freedom of the press, defend and support the independence of journalists, and honor those who have lost their lives while reporting a story.

Journalists are increasingly under attack, thanks to the proliferation of fake news and direct attacks from celebrities and those in power. What’s more, dwindling salaries and budgets for newspapers, websites, and magazines translate to fewer resources to tell important and necessary stories. Journalists are being laid off in huge numbers at a time that a free and independent media is more crucial than ever.

Introducing 1Password for Journalism

We know just how vital journalists are to the fabric of our society and how stretched their resources can be. Journalists often put their reputations and their lives on the line to report stories. This means that they are often targets for doxxing, harassment, hacking, and other security nightmares.

With website data breaches and leaks containing users’ passwords happening regularly to even the largest tech companies in the world, it’s more important than ever to have strong, unique passwords per website. Usernames and passwords are being sold between hackers and are used for social engineering. While this is catastrophic for anyone, it is especially critical for journalists, to protect their sources and do their work in a safe environment. — Arne Grauls, European Journalism Centre

This is why we offer 1Password for Journalism, which is a 1Password membership for reporters that is completely free. Journalists can sign up by entering their name and work email on our 1Password for Journalism page; we’ll be in touch to confirm any necessary details to get your press status added. And if you’re a freelance journalist without an organizational email? Don’t worry, we’ve got you covered. Just enter the email address you use for work and we’ll follow up to qualify.

1Password for Journalism

Apply for a free 1Password for Journalism membership today to keep your passwords and sensitive information secure.

Get started

How 1Password can help

1Password helps you stay secure online by managing all your passwords and syncing them seamlessly between your devices. But it can do much, much more than that. Your vault can hold files, notes, and contacts you want to store securely; what’s more, all of your data is end-to-end encrypted.

You can also take advantage of 1Password’s Travel Mode feature through your free 1Password for Journalism membership. Before you cross borders, you can mark vaults that are safe for travel. When you activate Travel Mode, the vaults which were not flagged as safe will be removed from your device. Once you turn Travel Mode off and connect to the internet, your vaults will be restored.

Travel Mode, along with features like Watchtower, which alerts you if your passwords have been compromised in a data breach, are just a few ways that 1Password can help journalists stay safe online. If you haven’t signed up for your free 1Password for Journalism membership, take a few minutes on this World Press Freedom Day to let us help you become more secure in your online life.

1Password wins a Webby!

Sarah Brown — Tue, 23 Apr 2019

We are thrilled to announce that 1Password has won its first Webby award!

The Webbys, hailed as the “Internet’s highest honor” by The New York Times, are presented anually by the International Academy of Digital Arts and Sciences (IADAS) and have been around since the mid ’90s.

We’re delighted that 1Password has been chosen by the Academy as the 2019 winner for Services & Utilities in the Apps, Mobile, and Voice category, as well as being named an honoree in Web Services for the 23rd annual Webby Awards.

We take great pride in providing the best user experience not just on iOS but across all of our platforms, and we’re excited to be recognized for it.

We’d also like to thank everybody who voted for us in the People’s Voice component of the award. Your support means a lot to us!

Award-winning password management

1Password makes it easy to keep your online accounts safe. Try our award-winning app today for free, and find out how simple secure password management can be.

Try free for 30 days

Introducing the Essentials of Business Security: a new webinar event

Matt Davey — Wed, 17 Apr 2019

Are you doing enough to keep your business secure? We’re hosting a series of webinars with prominent security experts to help you learn the essentials of keeping your business safe online.

Covering everything from ransomware to password breaches, each of these 30-minute webinars will teach you something new about the threats you face and the actions you can take to stay secure.

Troy Hunt from Have I Been Pwned on Thursday April 25th, 2019

10am BST / 5am EST Troy Hunt is joining us for a security chat about password breaches, data dumps, and encouraging your team to use unique passwords.

Troy Hunt is a security researcher and founder of Have I Been Pwned. You can learn more about Troy and his work at troyhunt.com.

Michael Sherwood from Malwarebytes on Thursday May 2nd, 2019

5pm BST / 11am EST Michael Sherwood, VP of Enterprise Online at Malwarebytes, is joining us to talk scams, malware, and preventative measures.

Malwarebytes proactively protects people and businesses against dangerous threats such as malware, ransomware, and exploits that escape detection by traditional antivirus solutions. Find out more at malwarebytes.com.

Alex Rosier from ProtonMail on Thursday May 23rd, 2019

6pm BST / 12pm EST Alex Rosier is the Head of Business Development at ProtonMail. We’ll be discussing phishing, fraud, and methods to reduce targets within your business.

ProtonMail is a private, end-to-end encrypted email provider. Find out more at protonmail.com.

Sign up to the webinar mailing list

Get emails about upcoming webinars, including information about how to attend the Essentials of Business Security series.

Setting up 1Password at work? Our webinar can help you onboard your team

Lisa Verheul — Tue, 09 Apr 2019

Rolling out new business software can be a challenge. Getting everything set up is one thing, but training your team to use it can be time-consuming if you don’t have the right resources. Our webinar takes the guesswork out of onboarding.

At 1Password, we want to give you the tools you need for a successful deployment. If you’re an administrator looking for the best way to train your staff, we’re here to do some of the heavy lifting for you.

On May 7 at 2 p.m. EST, we’re hosting a webinar for team and business customers. This webinar is perfect for team members who are just getting started with 1Password or need a refresher.

In this webinar, we’ll show you how to:

Use 1Password.com to view and edit your passwords and other important information
Set up the 1Password apps and 1Password X
Save, fill, and change your passwords to make them more secure

We’ll also have time for a Q&A session at the end to answer all your burning questions about 1Password.

Register for the webinar

Join the webinar on May 7 at 2 p.m. It's free, and we'd love to help you make the most of 1Password.

To receive notifications of future webinars, sign up to the mailing list.

Introducing the 1Password Internet Password Book (April Fools'!)

Sarah Brown — Mon, 01 Apr 2019

Don’t worry, we haven’t completely lost our minds over here — it’s just April Fool’s day!

At 1Password we take privacy and security very seriously, and we think everybody else should too. That’s why we would never really suggest ditching your password manager for a cute password book you keep on your desk.

And while writing down lots of unique passwords is admittedly safer than reusing the same password for everything, it still isn’t anywhere near as safe as using a password manager, and it certainly isn’t as convenient.

Password books can get lost, damaged, or accessed by other people — and, worse, they encourage people to use weak, easy-to-type passwords (because if you’re manually typing things in, you don’t want to spend forever doing it). Our password generator creates passwords like =Rw}U5Wx}cHxc)2g6-^Z#7. Imagine writing dozens of passwords like that in a notebook, and copying them out each time you need to use them. You probably wouldn’t, right?

Getting started with 1Password is the best decision you can make for your online security. By removing the burden of remembering or copying out login information, it makes it really easy to use extremely secure passwords. 1Password keeps your information secure and private — as well as helping you to identify weak, reused, or compromised passwords thanks to Watchtower.

With 1Password, your Master Password is the only password you need to remember. You can forget the rest. Make them long, random, and secure. They’re all safe inside 1Password, ready for you to fill with a click.

Make your life easier and your passwords safer by signing up for a free trial of 1Password today.

Try 1Password for free

Get 30 days free

Why you should change your Facebook password

Sarah Brown — Thu, 21 Mar 2019

Today, Facebook revealed that 200–600 million user passwords had been stored in a plain text file on an internal server. This left the affected users vulnerable and searchable by more than 20,000 employees – with around 2000 taking advantage of this. However, Facebook did state that no passwords were shared or leaked externally.

Any affected users will be directly notified, and Facebook is not advising anyone to change their password. But, given the number of employees who accessed those passwords, we’d urge you to err on the side of caution and change yours just in case.

Instances like this, where passwords are stored and accessible in plain text, are a good example why you should use a unique password for each site. Having a unique password means that the bad practices of one company don’t lead to your account being compromised on other sites where you use the same password.

To keep your passwords truly secure, change them any time you suspect they’ve been compromised. We know it can be time-consuming to keep track of every website you visit and any security issues they might have, but that’s where Watchtower steps up. Watchtower integrates with Pwned Passwords, a service that allows you to check if your passwords have been leaked on the Internet. 1Password will stay on top of things and alert you to compromised logins and breaches so you know when to change your password.

Keep your accounts and passwords secure by signing up for 1Password Families.

Sign up for 6 months free!

Try 1Password Families today and get your first 6 months free.

Try 1Password FREE

AGConf[9]: Adventures on the high seas

Sarah Brown — Wed, 06 Mar 2019

One of the challenges as a remote company is that we’re scattered all across the world, which makes it difficult to meet in person. That’s why all of us at 1Password eagerly look forward to our annual meetup, AGConf, which is held each winter on a cruise ship in the Caribbean.

We met up in Fort Lauderdale, Florida. Many of us were escaping cold and snow back home, and what better way to soak up the sun than to spend a week aboard Royal Caribbean’s Independence of the Seas — with stops in Nassau, Haiti, and Jamaica?

Pre-cruise hangouts

With people coming in from overseas, one even as far as New Zealand, a lot of folks like to get to Florida a day early. It helps them adjust to the time zone and get a good night’s sleep on land before venturing onto the boat.

One group met up to get dinner and drinks at a tiki bar, another group went out in search of excellent Cuban sandwiches, and a lot of people just hung out in small groups in their hotel lobbies. It was a great way to meet up with old friends, and for the newbies to ease into the madness before it kicked up a notch the next day.

1Password continues to grow

Since I only joined 1Password last August, this was my first AGConf, and I was very excited to meet people in person and put faces to the names I’d been talking to over Slack for months. And while it may have been my first meetup, it was clear from looking at last year’s photos just how much we’d grown since AGConf[8]!

There were so many of us that we took over a large portion of the top deck when we gathered there after boarding. We all wore our 1Password shirts so it was easy to spot everyone. As the ship pulled away from the port, we spread out on lounge chairs to chat, grabbed drinks at the bar, and snagged hugs from friends old and new.

After everyone had found their way to the group, we gathered together to take our first full team photo on the ship’s helipad, crowding together to fit everyone in the frame.

Getting work done

While we were all excited to hop off the ship and explore the various ports, our first priority was still you, our customers. Every morning after breakfast, a number of ‘Bits would gather together in the dining room to get you the answers you were looking for. It was fun to just yell our questions across the room and get a response from the right team. We were able to mingle across teams, learning more about the different parts of our company.

Some days at sea were also spent in the dining room, splitting time between responding to customers and listening to some inspirational and informative talks. We heard from our CEO Jeff Shiner, founders Dave and Sara, and of course our head of security Jeff Goldberg. We celebrated our successes from 2018 and discussed what’s on the horizon for 2019. We even recorded an episode of Random but Memorable right there on the ship! It was encouraging and exciting to hear about the great stuff we have planned and what we’ll be doing to reach our goals.

Fun off and on the ship

When we’d wrap up with work for the day, there were plenty of other adventures to be had. We got dressed in our fanciest clothes for formal night. There were quite a few ‘Bits that discovered a love – and talent – for karaoke, hitting up the open mic sessions nearly every time they were available. Quite a few people brought games, and we spent some late nights in an empty conference room playing Resistance, Unstable Unicorns, Codewords, and more. No matter where you found yourself, there was sure to be plenty of laughter.

Sara and Maria also managed to book us time in the onboard escape room and laser tag area, which were both huge hits. In the escape room on the top deck, ‘Bits worked together to solve puzzles and beat the clock to break free. Meanwhile, on the bottom deck, a group of us battled hard at laser tag, creeping around the course and trying to catch the opposing team off-guard.

Itching for some sun after a few months of northern winter, I was hoping to spend some time wandering Nassau and Jamaica, soaking up the sun. Unfortunately, mother nature had other plans for us. Both days in port ended in sudden downpours, drenching everyone who ventured off the ship.

However, luck was our side when we got to Labadee, Haiti! It was sunny and the temperature was perfect, which worked out great as this was our beach day. We grabbed fancy coconut and pineapple drinks before settling into cabanas, just steps away from crystal blue water. It was a wonderfully fun and relaxing day.

While in Labadee, some of the more adventurous ‘Bits headed out to zipline down the mountain and out across the water. I prefer to keep my feet firmly on solid ground, but it’s clear from this video that those who were brave enough had a spectacular view and an incredible time.

Time to say goodbye

All too soon, the week came to a close and it was time for us to say goodbye. We met up in the same room we had our welcome party in, but this time there was more mingling, more laughter, and more inside jokes. After a week of sharing karaoke, games, support requests, and rain-soaked adventures, we’d bonded, and I was a little sad to be heading home the next day. Sara, Dave, Jeff, and Roustem all stood up and said a few words, thanking us for our work and sharing in the fun we’d had all week.

This was a perfect way to end my first AGConf, I’m already looking forward to next year and AGConf[10]!

Come find us at RSA Conference 2019

Jason Richards — Fri, 01 Mar 2019

From March 4-8, RSA Conference 2019 will bring around 50,000 security professionals together in San Francisco to learn, share, and discuss the future of the industry. We’re all about improvement at 1Password, so we’re going to be there along with some of the leading lights in information security.

Come and say hi

The 1Password Business and Security teams will be attending because we want to make sure that we remain at the forefront of the latest developments in the cybersecurity world. At 1Password, we firmly believe that the sharing of ideas is how we all get better at what we do, and I know our teams can’t wait to get started.

If you’re making the pilgrimage to RSA Conference 2019, keep an eye out for your friends from 1Password at booth 2456. We love to meet our customers and we’ll have stickers and other goodies to hand out as well.

Enjoy everything RSA Conference has to offer

There’s so much going on at RSA Conference 2019, and if you’re anything like me, you might not know where to begin. To help, I’ve chosen one event from each day that I think you’ll love.

If you check out just some of these events, I think you’ll have a great time in San Francisco.

Monday, Mar 04

04:30 P.M. - 06:00 P.M. | Moscone South 303

Women’s Leadership Celebration Reception — WLC-REC
Diversity is important in all walks of life, and an event “celebrating the contributions and rich history of women in science and technology” sounds like a great way to kick off the week.

Tuesday, Mar 05

11:00 A.M. - 11:50 A.M. | Moscone West 2018

Hacking the Human: Special Edition — HT-T06
No matter how great technology becomes, it can only take us part of the way to a secure internet. Helping humans remain vigilant is key to completing that journey.

Wednesday, Mar 06

07:00 A.M. - 07:50 A.M. | Moscone West 3018 Table P

Smart Connected Devices and Security — BOF3-W01P
Smart homes and devices are upon us, and that’s great. But it also brings new considerations that need to be made, and I look forward to discussing them at RSA Conference 2019.

Thursday, Mar 07

08:00 A.M. - 08:50 A.M. | Moscone South 203

Software Bill of Materials: Progress toward Transparency of Third-Party Code — PDAC-R02
Understanding what the software bill of materials offers us, and what challenges it presents makes for a fascinating discussion.

Friday, Mar 08

08:30 A.M. - 09:20 A.M. | Moscone South 205

Threat Modeling in 2019 — ASD-F01
The world is changing at a breakneck pace. Threat modelling needs to change with it, and this is a great chance to learn about emergent cybersecurity threats.

We’ll see you there

Meeting our customers is one of the most rewarding parts of being in the 1Password family. We can’t wait to see you in San Francisco and chat about 1Password and cybersecurity. Track us down at booth 2456 and remember to ask for a sticker.

Get more from 1Password Business with our next webinar

Lisa Verheul — Tue, 26 Feb 2019

After you’ve set up 1Password for your business, it’s time to take things to the next level. Our new webinar will show you that the next step is just as simple as the first.

On March 26 at 2 p.m. EST, we’re hosting a webinar to help you get more from 1Password Business. Whether you need help choosing a plan, are upgrading from 1Password Teams, or simply want to learn more about the 1Password Business features, this webinar is for you.

In this webinar, we’ll show you how to:

Organize your team with custom groups and roles
Manage access with vault permissions
Audit your team with reports and the Activity Log

We’ll also have time for a Q&A session at the end to answer all your questions about 1Password Business.

Register for the webinar

Join the webinar on March 26 at 2 p.m. EST. It's free, and we'd love to help you make the most of 1Password Business.

To receive notifications of future webinars, sign up for the mailing list.

Connection, culture, and cruising in the Caribbean

Sarah Brown — Wed, 20 Feb 2019

1Password is a fully remote company with people scattered across the globe — from New Zealand to Germany to our home in Canada.

Late last month, we all met up for AGConf, our annual company gathering. It’s a chance to meet new friends, reunite with old ones, and discuss the coming year’s plans while cruising around the Caribbean.

But our week at sea isn’t just for sunbathing — it’s also how we connect on a personal level with those we work with. Instead of gathering in chat rooms and on conference calls, we’re able to spend time talking in person over food, drinks, games, and even while relaxing in a hot tub.

Friends and partners are welcome too, and our new Chief Customer Advocate Lynette Kontny brought her husband Nathan along. He used the opportunity to cut some footage for his daily vlog. Nathan Kontny’s YouTube channel tackles important issues pertaining to business, family, and psychology in an engaging and thought-provoking way.

The installment Nathan released after the cruise, “Slack’s Great. But We’re Terrible At It,” tackles both how we approach culture as a remote company and how we can connect as a team even when we’re spread out all over.

It’s often said that if you have to explain what your culture is, you don’t have one, and it seems to be true: no one sat down with Nathan to explain our culture, but he was able to pick up on it just by spending time around us for a week.

In this vlog Nathan focused on remote work and how workers communicate — too often ineffectively — when they aren’t in the same physical space. And what we’re doing differently to create a culture that’s allowing us to succeed.

1Password 7.1 for Android - Super Awesome Edition

Oliver Haslam — Tue, 12 Feb 2019

Our Android team has been working hard to make sure 1Password for Android sticks to its 2019 resolutions. We couldn’t be happier that after many hours in the gym, it’s now bigger and better than ever. I think you’re going to love 1Password 7.1 for Android.

For this update, our Android team resolved to make it even easier for new 1Password customers to get started. That informed much of their work, and I’m sure you’ll agree when I say they absolutely met their goals. With a slicker sign-up process and easier Emergency Kit creation, you can be up and running much faster.

A lot of work has gone into this update, and as ever, you can see everything that’s changed by reading the release notes. There’s a lot to whet the appetite in there, and I wanted to pick out a few of the biggest changes that we’re really proud to bring to 1Password for Android.

Start your 1Password membership with Google Play

If you install 1Password from the Google Play Store, you probably want your membership to be taken care of there, too. By bringing 1Password memberships to the Google Play Store, we’ve made it quicker and easier to get started when you first install 1Password.

Try it out

Signing up for a 1Password membership has never been easier, and the process even fits into a GIF!

Speaking of the sign-up process, wouldn’t it be great if you could generate and save your Emergency Kit right after you create your account? It really would, so we’ve flicked the switch and now you don’t have to go back and generate it afterwards.

Generating an Emergency Kit during sign-up means there’s less chance you could find yourself without one when you need it most.

Tag all the things

For many people, tags are crucial for organizing their passwords, and with 1Password 7.1 for Android, you can tag all the things right from your phone or tablet. You can now create, edit, rename, and remove tags, and you can even nest tags to take your password organization to the next level.

That’s great news for the tag-ninjas among you, and managing passwords on Android devices has never been so much fun. I know I can’t wait to get tagging!

Enjoy one-time passwords without the hassle

We feel strongly about the importance of one-time passwords, but we also know that entering a password and then switching to another app to get a code is no fun. With 1Password 7.1 for Android, that frustration is a thing of the past.

Now, when you Autofill a password, the one-time password for that account will be automatically copied to your clipboard. Just paste it into the web page or app, and you’re good to go. After 30 seconds, the code is removed from your clipboard.

Some honorable mentions

There’s a ton of work gone into this release, and I wanted to highlight some of the great changes that have been made. Other notable improvements include:

Category names and item templates are now localized for those with 1Password.com accounts.
Autofill now automatically syncs the latest changes from your other devices. You don’t need to open 1Password to sync.
You can now use Autofill to sign in to websites in the stable version of Firefox.
It’s now easier than ever to move items between vaults.

Coming to an Android device near you

We’re rolling out 1Password 7.1 for Android this week as a free update for all 1Password customers. Once it’s available for your device, you can download the new update from Google Play to enjoy all of the fantastic improvements I’ve mentioned above.

I hope you love using 1Password 7.1 for Android as much as our Android team loved building it for you. As always, we would love to hear your feedback on the 1Password Support forum.

Enjoy!

SMS phishing - a cautionary tale

Will Moore — Thu, 07 Feb 2019

Scams that try to extract personal information via phishing sites, phone calls, or SMS are on the rise. It’s something we covered in detail in What is phishing, and how can you protect yourself?

As someone who works for 1Password, security is a big focus of mine. I’m happy to admit that this job has made me far more paranoid than I used to be, and naturally I use 1Password to make sure all my passwords are strong, unique, and have never been included in any breach. I’ve read our internal security guide many times over, and I took part in a company-wide security training session just recently at our annual company get-together.

You’d think all this preparation would keep me safe from phishing – but last week, I was nearly caught by an SMS phishing attempt. If I can be caught out, so can you, and so I write this post in the hope that my experience will encourage others to be cautious.

The perfect time and place

In January, the 1Password team got together in Florida for our annual AGConf, and I was waiting in Miami airport for my flight home when the perfect storm of events began to occur.

I went to the store for some water and a packet of cinnamon Altoids (you can’t get them in 🇨🇦) and weirdly my Scotiabank Amex card was declined. I tried my MasterCard and same thing – no dice.

Resigning myself to being dehydrated and not having spicy cinnamon candy for the journey, I gave up and boarded my flight, planning on calling my bank when I got home.

I reconnected my cell phone when I landed in Toronto and the usual flood of notifications came in. One of these was an SMS from my bank.

In my tired state I clicked the link without thinking. My card had been blocked, so a message was expected – the timing was perfect. As I hit the website on my phone, I remembered the security training we’d completed the week before and began to question what I was seeing.

I went back to the SMS. Let’s list the errors there:

Last time I checked, Scotiabank wasn’t spelled with a 0 (SC0TIABANK)
My “client card”? That’s a weird way of saying it…
4536 is quoted. The first 4 numbers of a card are public knowledge.
Hang on a minute… scotiabank.ca is a subdomain, not the actual domain!

There were even more clues on the webpage:

The biggest one is the lack of padlock in the address bar. This indicates that the site isn’t using SSL to encrypt the connection – that’s a big no-no for a bank.
That Online Security Guarantee is very badly designed. Not sure the real Scotiabank would let that slide.

I closed the page, thankful that I hadn’t provided any personal information, but concerned that I’d so nearly given someone access to all my bank accounts.

Lesson learned

Everyone is vulnerable – whether you’re an expert or have no security background at all. If the conditions are right, you can be caught out.

I was just the right level of distracted and tired that I nearly fell for this, and by total chance the timing of the message was perfect for my circumstance. Suffice it to say, I will be even more paranoid from now on, and I hope you will be too!

If you’re using 1Password already and want to improve your personal security, running a Watchtower report is a great place to start. You can also keep your credit cards in 1Password, and a great tip that I got from a colleague is to add the emergency number on the back of the card to the item in 1Password – that way, if your card is lost, you can still easily cancel it.

Not using 1Password yet?

Increase your personal security by starting a 1Password membership today.

Get 30 days FREE

773 million records added to Watchtower after Collection #1 data breach

Matt Davey — Wed, 16 Jan 2019

Earlier today, security researcher Troy Hunt announced the Collection #1 data breach and updated Have I Been Pwned with over 773 million new compromised logins. These are now available in Watchtower, so you can check if you’ve been affected by the breach right from 1Password.

What is the Collection #1 data breach?

Collection #1 consists of over 1 billion username and password combinations, taken from individual data breaches on thousands of different websites. The data has been circulating on the dark web and hacker forums and is the single largest breach to ever be added to Have I Been Pwned and Watchtower.

Collection #1 contains:

1,160,253,228 unique combinations of email address and password
773,138,449 unique email addresses
21,222,975 unique passwords

Around 140 million email addresses in this breach had never appeared in Have I Been Pwned before.

What do attackers want with this data?

Attackers use bots to try passwords stolen from breaches on many other websites with the aim of gaining access to those accounts. This is known as credential stuffing and is why password reuse is such a security risk. When one account is breached, hackers have access to any other account that uses the same email address and password combination.

1Password’s integration with Have I Been Pwned makes it simple for people to check to see if they are at risk. — Jeff Shiner, CEO

What should I do now?

To see if you’ve been affected by the Collection #1 data breach, sign in to your account on 1Password.com, select your vault, and click Watchtower in the sidebar.

Watchtower automatically checks the logins you store in 1Password and tells you which passwords have been compromised, which have been used elsewhere, and which aren’t very strong.

If you’re affected by this breach, change your password on any affected site to something strong and unique.

Sign up for 30 days free!

If you don't have a 1Password membership, start a free 30-day trial to get started.

Get secured today

Good password security: the perfect New Year’s resolution for your business and employees

Matt Davey — Wed, 09 Jan 2019

The New Year’s resolutions we stick to have a few things in common: they’re realistic, focused, and have clear benefits. That’s why improving company-wide password habits is a great resolution for 2019.

According to the most recent data from Verizon, over 70% of employees reuse passwords at work. The report also finds a staggering 81% of hacking-related breaches used stolen or weak passwords. A security breach of your own wouldn’t be a great start to the year, especially if you know it could have been avoided.

1Password Business makes improving password habits an easy resolution for you and your employees to keep, both at work and at home. You get a password solution for your entire business — complete with advanced access controls and Watchtower breach monitoring — that’s compliant to the most stringent industry standards.

When your employees are practicing good password habits at home, they are infinitely more likely to practice them at work. The beginning of the year is the perfect time to roll out a password manager out — many employees will already be in the right mindset for making changes, committing to new things, and improving their day-to-day lives.

With your 1Password Business account, every employee gets a free 1Password Families membership.

Using 1Password will quickly become second nature — and unlike most New Year’s resolutions, this one will actually save you time, even from the start.

Sign up for 30 days free!

If you're not already set up with 1Password Business, you can get started for free today

Try 1Password FREE

If you’re already using 1Password Business and want to remind employees about their free family accounts, we have some great materials for you to send around:

…and if your company is anything like ours, it’s not an all email without a GIF.

1Password 7.3 for Windows - More polished than ever

Oliver Haslam — Wed, 09 Jan 2019

When we said this release was just around the corner, we weren’t kidding! After some great work by the team over the last few weeks, 1Password 7.3 for Windows is ready, and you can download it now. There’s a lot to enjoy with this release, and we hope you love it as much as we do.

With 1Password 7.3 for Windows, our teams have made some huge changes to the way the app looks and works. We’ve taken the 1Password that you all know and love and then supercharged it. With this update installed, you’re getting the best version of 1Password that Windows has ever seen.

There’s so much to share that we’re just going to jump right in, and as ever the full rundown of what has changed under the hood can be found in our release notes.

Watchtower and security

Security is always at the forefront of everything we do at 1Password, and we never miss an opportunity to make it easier for you to stay secure, too. To that end we’ve added support for Secure Desktop, giving you the option of unlocking 1Password in an isolated desktop environment. That isolation ensures that no other apps can run alongside it, preventing key loggers from capturing anything you type.

We’ve made changes to how Watchtower banners keep you safe, too. 1Password now ranks Watchtower banners by their severity, helping those items at the greatest risk stand out from the crowd. Banners can now also be collapsed, making items easier to read and use.

Security never looked so good

We think that a great-looking app is one you’ll keep coming back to, and 1Password is no different. We’ve made changes throughout this release to make 1Password look better than ever. Everything is more colorful, more sleek, and more polished to help make passwords fun. You’ll notice that passwords now have colorful characters to help differentiate them, and right beside your password is a new, more color-filled password strength indicator. Fantastic passwords are green, and poor passwords are red – who doesn’t love a traffic light system?

Continuing the polishing process, 1Password 7.3 will identify the type of credit card based on just the first few numbers you enter. That means not only can we format those numbers for easier reading, but the default card images used are now more representative of the real-world card, too. Amex cards now look like real Amex cards and Visa cards now look like Visa cards, making it easier than ever to identify a card at a glance.

Rounding things out, 1Password templates now speak your language for all item types. No matter the template, no matter the item.

The (keyboard) shortcut to our heart

When you’re in the thick of things, keyboard shortcuts are the way to reduce friction. We wanted to make 1Password available when you need it without it getting in your way, so we’ve revamped keyboard shortcuts with 1Password 7.3. Those who like to take full control can now customize their shortcuts, or even disable them. We’ve made shortcuts even more reliable for our international users, too.

1Password Mini has now gained support for the Quick Copy menu, and can be accessed via the shortcut (Control + Shift + C). Once open, the menu offers up options to copy an item’s username, password, or even one-time password for those website that support them.

And much, much more

There is of course much more to look forward to with 1Password 7.3, including a brand new installer. 1Password is now even more responsive when starting, which means using the app is now slicker than ever before. Couple that with more than 100 additional improvements that have been made and we think you’ll agree that this is a huge update.

You can download the monster 1Password 7.3 update and take it for a spin right now and please do let us know how you find it over in the 1Password for Windows support forum.

Introducing 1Password 7.3 Beta for Windows

Oliver Haslam — Thu, 20 Dec 2018

1Password 7.3 for Windows is around the corner, and you can help us get it ready. There’s lots to look forward to, and we’re sure you’ll agree that this is the best 1Password that Windows has ever seen.

We’ve been working on this update for some time, and we want to make sure that it’s as awesome as can be. That means we’re still a few weeks away from the release of 1Password 7.3 for Windows, but if you want to test the waters and help us create something awesome, you can download the latest beta release right now.

Whenever you download 1Password 7.3 for Windows — beta or otherwise — you’re going to see plenty changes this time around. They all build on the strong foundations that 1Password 7 gave us earlier this year, and we wanted to give you a quick sneak-peak of what you can expect.

We think that you’re going to love 1Password 7.3 for Windows, and here’s why.

1Password gains its own desktop

Now 1Password is even safer with the addition of “Unlock using Secure Desktop.” 1Password can now be unlocked in its own secure desktop, with no other apps active alongside it. This helps to prevent keyloggers from capturing anything you type.

A whole new installer

We’ve greased just the right wheels to make sure no one ever sees “File in use” again. Our new installer gives us more flexibility when it comes to how 1Password is installed and will prevent any false positives from security solutions, too.

Templates now speak your language

1Password 7.3 for Windows uses localizations for all item templates. That means that all of your item templates will be in your own language, including all new items you create.

Improved stability and performance

Sometimes it’s the intangibles that make all the difference, and performance is a great example of that. Everyone wants their apps to be responsive and immediately available. We couldn’t agree more, and now 1Password 7.3 for Windows is faster and more stable than ever.

Watchtower is now stronger, taller, and more watchful

Watchtower is often the unsung hero of 1Password, but it gets the love it deserves in this release. Now, 1Password ranks Watchtower banners by their severity, meaning those items at the greatest risk will now be easier to spot, helping you see the wood through the trees.

Faster and more reliable sync for standalone vaults

Great news, with 1Password 7.3 for Windows, sync is now faster, smarter, and improved on all fronts. It’s plain sailing from here on out for all of you rocking standalone vaults.

Tweaks as far as the eye can see

This is just the tip of the 1Password iceberg, and there are many more improvements that have gone into this release, with even more to come. 1Password 7.3 for Windows is a huge update for us, and you can check out the full release notes for all the details. The overarching theme is a simple one — 1Password 7.3 for Windows is the same 1Password you know and love, but so much better.

Get it now

Just like any other big software update, we need your help to make sure that 1Password 7.3 for Windows is as great as it can be. You can download the beta and put it through its paces. If you run into anything we should know about, hit us up in the 1Password Support forum. We’d love to hear your feedback!

Improve your team’s security in 2019 with our next webinar

Lisa Verheul — Tue, 18 Dec 2018

Start 2019 with the goal of improving your team’s security habits. Rolling out 1Password is one of the best ways to achieve that result. Our next webinar will help you get started.

On January 15 at 2 p.m. EST, we’re hosting a webinar to help administrators get started with 1Password. If you’re looking to set up 1Password for your team, have just been appointed as a team administrator, or simply need a refresher, this webinar is for you.

In this webinar, we’ll show you how to:

Invite people to your team
Share data and manage permissions
Create and manage groups

We’ll also have time for a Q&A session at the end to answer all your questions about 1Password Teams and 1Password Business.

Register for the webinar

Join the webinar on January 15 at 2 p.m. It's free, and we'd love to help you make the most of 1Password.

To receive notifications of future webinars, sign up for the mailing list.

Does Australia's access and assistance law impact 1Password?

Jeffrey Goldberg — Tue, 11 Dec 2018

Australia recently passed the so-called Assistance and Access Act. This law (correctly) has many digital security and privacy experts worried. We’d like to offer some preliminary remarks on how it may impact the privacy and security of 1Password customers and how it may affect the way we work.

Even at this early stage we can remind everyone that we do not currently, and will not introduce back doors into our products, and we will continue to operate in a way that would make it difficult for a back door to be inserted.

Our remarks on the Assistance and Access Act (discussed under the hashtag #aaBill) must be preliminary at this point. There is a great deal of vagueness in the law in its current form, and we do not know how it will be interpreted and used when it goes into effect into effect. Nonetheless there are a number of things that we can clearly (re)state now.

We don’t like back doors

A back door is a deliberate and hidden weakness in a system that is designed to allow certain people to bypass the security of the system. We have argued on multiple occasions that not only do back doors weaken security for everyone, but that a system in which a back door can (easily) be inserted is inherently weaker than a system in which a back door cannot (easily) be inserted.

This fact plays an important role in the design of 1Password and in how we build it. It is not that we are particularly worried about government-compelled back doors in practice. Instead, it is just a consequence of good security practices. The goal is not to specifically deny government lawful access; instead the goal is to protect people from criminal access, malicious insiders, accidental information disclosure, and a host of other things people have the right to be protected from. We are not trying to protect criminals from prosecution; we are trying to protect our customers from criminals.

It is impossible to offer 100% guarantees against insider attacks, but as we wrote five years ago (and recently updated), we do a number of things that make it substantially harder for back doors to be inserted into 1Password without detection. There is always room for improvement, and that improvement is an ongoing process.

Compelled insider attackers

Correction 14 December, 2018: My commentary below appears to be based on a misunderstanding of the law. The law, as passed, does not appear to authorize the government to compel an employee to surreptitiously work against our interests and without our knowledge. As always, the precise interpretation of the law will be determined by practice and courts, and so no one truly knows what it will mean. However, my error was large enough that it does need correction. Stilgherrian has written a good discussion clarifying #aaBill.

One of the most disturbing things about the Assistance and Access Act is that it apparently ~~authorizes the Australian government to compel someone subject to its laws to surreptitiously take actions that harm our customers’ privacy and security without revealing that to us.~~ Would an Australian employee of 1Password be forced to lie to us and do something that we would definitely object to?

We do not, at this point, know whether it will be necessary or useful to place extra monitoring on people working for 1Password who may be subject to Australian laws. Our existing security and privacy design and internal controls may well be sufficient without adding additional controls on our people in Australia. Nor do we yet know to what extent we should consider Australian nationality in hiring decisions. It may be a long time before any such internal policies and practices go into place, if they ever do, but these are discussions we have been forced to have.

Despite those considerations and discussions, our primary response and tactic is to continue to make it hard for anyone, whether inside or outside of 1Password, to harm customers’ security and privacy. That is what we do to protect our customers from any adversary, and that is what we will continue to do.

Cyber Hotel Business Hack

Sarah Brown — Mon, 10 Dec 2018

Random but Memorable is back with an episode full of a new Watchtower Weekly, customer questions, and even a chat with Charles Arthur, author of Cyber Wars: Hacks that Shocked the Business World.

Watchtower Weekly talked briefly about the Marriott breach, which potentially impacts nearly 500 million Marriott and Starwood customers. Data exposure can always leave you vulnerable, so it’s a good idea to take Marriott up on their offer for a free year of WebWatcher to monitor your information. They also brought up a rather embarrassing incident for Tesla in which a disgruntled customer complaining to their customer support forum got more than he bargained for. Instead of just an answer, a support agent ended up giving him administrative permissions for the entire forum! That’s right, he was granted full access to the entire forum. There’s going above and beyond to help your users and then there’s giving them the ability to not only edit and delete any post but also gave him access to full profile information for every single user. Including Elon Musk.

And according to this week’s guest, that sort of thing isn’t as uncommon as you’d like to believe. Matt and Roo talked to Charles about the research he did for his book, which included studying a number of older hacks against large companies and organizations.

With how fast technology moves I would think studying older hacks wouldn’t be useful, so I was surprised to learn that’s not exactly the case. Older hacks have a lot to teach people, both in how to prevent hackers from accessing your information as well as what sort of information and organizations may be most vulnerable.

Charles covered the Sony Pictures hack from 2014 which I was familiar with and I remember the impact it had on Hollywood when that hack exposed pay gap information between lead actors and actresses. I was fascinated to hear Charles talk about these corporate hacks can expose how complacent companies can be with their security. As companies like Sony grow, new security requirements come into play that can be difficult to implement. And as they are primarily an entertainment company, it may come as no surprise that security was not their first instinct. But what was surprising to me is that they’d already been attacked at least once before on the PlayStation side of the business, but hadn’t learned their lesson.

The best part? It turns out that the November 2014 leak revealed a deep structural failure at Sony. There was a file with plain text passwords simply labeled “passwords”. Doesn’t take much digging to crack that code.

These stories really do feel like modern-day parables for businesses, showing how even companies that have been hacked can fool themselves into thinking everything is okay. When in reality they are just as vulnerable. And while those parables may be applicable to a larger scale business, I know that I often fall into that trap myself.

This week’s user question was a great one and one I’m ashamed I haven’t asked before: if you give a PDF app access to your cloud drive, would they be able to rifle through everything else stored there? The short, but scary answer is, yes. So it’s a good idea to be very careful about what applications you give permissions to and to do your research before blindly clicking “allow access”. Which means I have some research to do before de-authorizing some third-party applications.

As always, they ended the episode trying to see who could most accurately pronounce a place sent in by Twitter user @toonetown: Tooele. Who was closest? You’ll have to listen to find out!

If you’d like to see your question answered on the show you can tweet us @1Password using the #ask1Password hashtag.

If you haven’t been listening to the podcast, you don’t know what you’re missing! Check out the current episode here and subscribe in Overcast, Pocket Casts, or iTunes to make sure you don’t miss a single episode.

Better, faster, stronger - our new blog and how we made it

Jasper Patterson — Tue, 04 Dec 2018

Welcome to our new blog! It’s been re-built, re-designed, and moved to a new home on 1Password.com. It’s the fastest and most efficient experience we can give readers and we really love it. Learn how we built it as a static, serverless site with Hugo and AWS.

Our blog has seen many homes over the years, going all the way back to the original one nearly 13 years ago (which is impressively still live on the internet today).

You may have already noticed the new blog you’re reading on now as it’s been around for a couple months, but today, we’re happy to officially announce it! As well as the retirement of our previous one at blog.agilebits.com. Be sure to subscribe via RSS and follow us on Twitter or Facebook to stay up to date with our news, announcements, security tips, and all things 1Password.

The previous blog was built with WordPress, which served us well for the past decade, but we figured we could do better and build something more lightweight, fast, and secure. And of course there’s also new gorgeous design that not only matches the style of our other sites but looks all around amazing. I mean, look at that header artwork at the top of all the posts!

Building a strong foundation with Hugo

We love using static sites for their performance, security, and simplicity. The entire site’s content is created at build time. No server logic, no databases, just plain old HTML files.

We chose Hugo a while ago for our main 1Password.com site, so migrating our blog to it as well was a natural fit. The builds are quick, and it’s easy to use, for both our developers and content writers. Each blog post is simply a Markdown file and it all lives in a GitLab project. Merge requests make for a perfect way to do content reviews.

Hugo is very active project too – we’ve been taking advantage of several of their recently added features like built-in SCSS processing, and asset fingerprinting which is useful for cache busting.

Faster performance ⚡

Building something that loads super fast was essential to us. This is an area our previous WordPress blog certainly fell short on:

Having a fully static site without the overhead of dynamically generating pages is a great start. Plus it allows 100% of the content that is loaded to be served by a content delivery network (CDN) which uses local caches near you to minimize network delays.

Keeping the page size small is critical as well. Our home page now weighs just 800kb and uses less than 20 network requests, with much better results:

These tests were performed with Google’s new Lighthouse audit tool, which is a great way to see how your site is doing. It points out modern best practices you might not be following, such as image optimzation, and minifying your CSS and JavaScript. If you run a website, I’d highly recommend giving your site a test, you’ll almost certainly learn some good tips.

Stronger Security 🔒

Security is at the top of our minds in everything we do, and our blog is no exception.

Using a first-party solution that’s fully in our control is imperative, in addition to adhering to the same front-end security best practices we use with everything on 1Password.com, such as having a strict Content Security Policy. It’s also extremely important to us for changes be made in a trackable and reviewable manner (with Git), along with having a locked down deployment process.

Going back to the benefits of static sites, there’s a lot less that can go wrong with static HTML files versus a complex platform like Wordpress.

Serverless Infrastructure 🏗

The blog runs on a serverless setup with Amazon Web Services (AWS) taking advantage of several of their services.

It starts with S3, short for Simple Storage Service, which is cloud file storage – this is where all the Hugo generated content lives. It’s a perfect place for storing static resources and is very reliable with almost no downtime.

On top of that is CloudFront, a content delivery network (CDN) that speeds up the serving of our content through a global network of edge locations. When you load the site, you’ll get routed to an edge location near you which provides the lowest delay. It also handles extras like the custom domain, TLS, HTTP/2, and GZIP, all with no additional configuration.

We also use Lambda@Edge, this is a newer AWS service that allows small snippets of code to run at the edge locations in response to CloudFront requests. When we tried to build a similar static site setup a few years ago, we were left wanting a few little features server-side features like the ability to add HTTP headers and perform redirects/rewrites. The introduction of Lambda@Edge has solved that for us, allowing a static, serverless site but still lending a few pieces of functionality that would normally only be available with a traditional server.

In addition to CloudFront providing support for HTTPS, AWS Certificate Manager makes issuing and managing your TLS certificate effortless, and it seamlessly integrates with CloudFront. HTTPS is the future of the web – every site should support it (even your blog). And if you’re using AWS, there’s really no excuse as they make it incredibly easy, and free.

We manage all this with Terraform, which is a tool for writing infrastructure setup as code. We’ve talked previously about how we already use this for our 1Password.com service, I’ll let you check out that post if you’d like to learn more. For this project, Terraform made it simple to create an identical internal testing site for previewing posts before we publish them.

Deployment 🚀

The final step was setting up automatic building and deployment of all this. We decided on GitLab CI, which is built right into GitLab projects.

To run the CI build, you’ll need a Docker container with your dependencies installed, such as Hugo, Terraform, AWS CLI, and Node. The same container also works perfectly for those who want to build it locally, all you need to install is Docker Desktop.

Then it’s as simple as adding a few commands to the GitLab CI config file. From there, it builds the site with Hugo, runs some linters to make sure all content is as good as it can be, syncs the static files to S3, applies Terraform changes if needed, and creates a CloudFront invalidation.

This happens with every commit – it deploys to our internal preview site, and then to production on every merge to master.

Beyond the blog

We’re really happy with how this turned out and are now using this exact setup across many of our web properties, including the main 1Password.com site and even Watchtower. If working on this kind of stuff interests you, we’re currently hiring a front-end web developer.

Rolling out 1Password: tips for onboarding your team

Sarah Brown — Mon, 03 Dec 2018

1Password Business has everything you need to encourage good password hygiene, manage access to data, and respond quickly to compromised accounts – all while saving time and boosting productivity.

Rolling out new software or processes can be a challenge, even when the change is for the best. Your employees will already have tactics for managing passwords, and no matter how ineffective or insecure they are, it can be difficult to break old habits.

To ensure that your rollout is a success, you’ll need to have a plan before inviting people to your team. We’ve got you covered.

Choose owners and administrators wisely

Every team includes two important groups: owners and administrators. Only owners and administrators can recover account access for people who forget their Master Passwords, so it’s a good idea to have at least two account owners. If you ever lose access to your own account, a second account owner can help you get back in. Inviting another account owner to your team is the first step in implementing a recovery plan.

After you’ve added another owner, you can add additional administrators to help with account recovery and other management tasks. They can recover accounts but not manage your subscription or delete the team. They can be the go-to people for employees that have questions about getting started.

Make sure all owners and administrators understand their responsibilities and will help people adopt and embrace 1Password. After they’re in place and ready to help with the rollout, you can start onboarding the rest of your team.

Start with a small pilot group

Roll out 1Password to a pilot group first. This will allow you to train a handful of people who can assist with the company rollout. It also gives you a chance to develop and fine-tune your 1Password workflow without overwhelming the entire team.

Your pilot group should include people from different areas of the company. If some of your employees already use 1Password, it’s a good idea to involve them at this stage. We know it can be a challenge to get buy-in for new software, so having 1Password advocates in different departments will help.

Once they’re up and running, these employees will be excited to show others how they use 1Password to save time and secure their data.

Help your team learn

Your small pilot group can now become your advocates! This group will encourage their team members to adopt 1Password and field any questions they have. The 1Password Support site has resources that will help them quickly become experts:

Then you can organize drop-in sessions or times when people can visit IT for training or assistance.

When your employees understand how 1Password fits into their workflow, adoption rates will soar and they’ll wonder how they ever managed passwords without it. After all, 1Password exists to make their lives easier, not harder.

Let your vaults grow

The best way to use 1Password is to add information as you go. There’s no need to overwhelm your team by making them do it all at once. For example, 1Password will offer to save passwords when you sign in to websites during the course of a day, so you don’t need to add them manually.

Your employees can use their Private vault to store their own work logins and the Shared vault for information required by the whole team. They can even use vaults to store and share documents – it’s much safer than email.

It won’t take long until your team outgrows the Shared vault. That’s a good thing. Additional vaults help you organize your data and control what each employee has access to. You can create new vaults and share them with specific people. You might create vaults based on projects, office locations, departments, functions, and even access levels. There’s no limit to the number of vaults you can create, so get creative – and productive.

Team up, group together

With 1Password Business, you can create custom groups to help you organize your team and the vaults they have access to. You can also delegate administrative roles, like the ability to recover accounts or invite people to your team.

Custom groups are all about flexibility: there are no limits to the size of a group, the number of groups you create, or how many each person can belong to. You can even appoint group managers, enabling your team to run itself.

If you’re not sure where to start, use your company structure for inspiration. Like vaults, you may want to create groups based on projects, departments, locations, functions, or access levels.

Listen to your team

Like any new tool, there’s bound to be a learning curve. But it shouldn’t be a steep one. If you support your team and listen to their feedback, you can create an even better experience for everyone involved.

Custom reporting and audits with 1Password Business

See who accessed which passwords and when. A security dashboard keeps the information you need right at your fingertips.

Try 1Password FREE

Setting up 1Password at work? Our webinar can help

Lisa Verheul — Wed, 28 Nov 2018

On December 4 at 2 p.m. EST, we’re hosting our first webinar for team and business customers. This webinar is perfect for team members who are just getting started with 1Password or need a refresher.

In this webinar, we’ll show you how to:

Use 1Password.com to view and edit your passwords and other important information
Set up the 1Password apps
Save, fill, and change your passwords to make them more secure

We’ll also have time for a Q&A session at the end to answer all your burning questions about 1Password.

Register for the webinar

Join the webinar on December 4 at 2 p.m. It's free, and we'd love to help you make the most of 1Password.

To receive notifications of future webinars, sign up to the mailing list.

Special Thanksgiving presents from 1Password

Dave Teare — Tue, 20 Nov 2018

The trees are turning colours and the smell of pumpkin pie is in the air. That can only mean one thing: Thanksgiving is almost here!

I love this time of year for so many reasons but my favourite is being reminded of all the incredible things I have in my life. From a wonderful family to great friends to working at my dream job, I have a lot to be thankful for.

All of this wouldn’t be possible without awesome customers like you. Thank you for supporting us all these years! 😘

Give a free year of 1Password

This year I am giving you a gift for those special people in your life: give them the gift of security with a free year of 1Password and show them that you care.

If you purchased 1Password 7 or have an active subscription into 2019, simply click this link to send your gift:

Send your gift now

Gifts can be sent to direct family members, extended family, friends, or someone who is doing good things in your community. Showing them that you care is sure to bring a smile to their faces.

Thank you again for supporting us all these years. We literally wouldn’t be here without you. ❤️

P.S. One can never be too thankful, regardless of where you live. As a Canadian I personally enjoy celebrating twice a year as it gives me an extra opportunity to reflect on what I’m most thankful for in life. That and the extra pumpkin pie. 🙂

Apps Love 1Password

Oliver Haslam — Sun, 18 Nov 2018

People love using 1Password with their favorite apps. Other developers have integrated 1Password into their own apps because they were eager to offer their customers the very best experience. As developers ourselves, and people who use those apps, we can’t thank them enough for their work.

Changes to the way iOS and Android handle password management and filling have given 1Password an opportunity to make password filling better than ever. It’s never been easier to use strong, secure passwords for every website and app you use. With support for Authentication Services and Password AutoFill in iOS 12 and the Autofill API in Android 8 (Oreo), 1Password is ready for the next step in our journey. And things will get even better as developers fully support all the new tools on offer.

I’ve been using the latest autofill features on iOS and Android, and they’re brilliant. Entering passwords on a phone has never been easier. In fact, it’s downright fun. I’m a little bit in love with the work developers have already done to make our lives easier, and I’m so happy that everyone can now enjoy these features, too.

Developers, developers, developers!

Even though Apple and Google have improved things with recent software updates to iOS and Android, there’s still work to be done by developers to make sure the experience is as great as possible. Adding support for the latest frameworks to your app means it will work great with 1Password, delighting your customers along the way.

If you’re a developer, it’s trivial to add support to your app:

Your customers will thank you, and so will we. Some trailblazing apps are already fully compliant with the new frameworks, and we want to highlight some of them.

Tell us about your app

We’re starting off with three apps for both iOS and Android today, but we’ll be sharing more in the future.

If you’re a developer, we’d love to know when your app is updated with support for the latest autofill features!

Tell us about your app

iOS apps with enhanced autofill

Signing in to an app that’s optimized for autofill takes a simple tap. You don’t have to hunt for the right password. It’s ready and waiting for you when you need it.

Evernote

They say that an elephant never forgets, and with Evernote neither will you. With notes that can effortlessly sync across multiple devices and platforms, if you need to remember or reference it later, Evernote is a great home for it whether you’re working alone or as part of a team.

Fandango

Who doesn’t love going to the movies? Fandango takes the pain out of booking movie tickets, showing the latest showtimes, Rotten Tomatoes scores, and even showing trailers, so you can be sure you’re picking the right movie to watch.

Chase Mobile

Mobile banking is the only way to manage money in an always-connected world, and with the Chase Mobile app customers can pay bills, check balances, and transfer money securely from anywhere.

Android apps with enhanced autofill

These are just some of the apps that don’t just look great but take password filling to the next level, too. No more searching for the right password. The apps know which one to suggest.

Expedia

With everything you need to be able to book your next vacation, Expedia can take the stress out of planning it all. Whether you’re booking a hotel, a rental car, or a train ride everything can be found under the one roof with Expedia.

Starbucks

We’re big coffee lovers at 1Password, and we know many of you are, too. With the Starbucks app, your next cup of coffee is easy to find thanks to its store locator. You can manage your Starbucks cards and pay in-store all from within the app.

Trello

Staying organized is no mean feat in an ever increasingly hectic world. Trello makes it look easy, whether you’re working with a team or just planning your grocery shopping. It’s never been easier to stay organized while on the go.

Try 1Password for yourself

The real winners here are the people using your app. To find out why 1Password customers are so passionate about seeing support for enhanced autofill in all the apps they use, try 1Password free for 30 days. You’ll have plenty of time to optimize your app for autofill and test it for yourself, and we think you’ll like it enough to stick around. ❤️

Let's all go to the park - introducing 1Password Park

Sara Teare — Thu, 15 Nov 2018

1Password was born and raised in Canada, with an amazing team of people working around the world to continue development and provide support to all our customers.

Last Christmas, we wanted to help provide food security to those in need, and donated $50,000 to Food Banks throughout Ontario, where our Founders are based. We’ve been fortunate to be able to help others in our community, and found a new way to continue helping.

Several years ago, Dave Teare began coaching in his hometown, with the St. Thomas Soccer Club. When the City of St. Thomas decided to build a new outdoor soccer space to ensure there would be fields for kids to play on, we knew it was something we wanted to be involved with.

We’re super excited to announce that in the spring of 2019, kids from all over will be able to enjoy 1Password Park - a 65 acre outdoor complex featuring soccer fields, an artificial turf football field, a playground with a splash pad and walking trails. 1Password Park will be an awesome place to play and enjoy time with family and friends!

In addition to announcing the naming of 1Password Park, we’re also excited to be announcing a new office in St. Thomas as well. If you’re interested in joining the 1Password team at our new location, helping to make 1Password even greater for the millions of users who love 1Password, you can apply by emailing Rob, our Customer Care Coordinator.

See you on the fields! 👋 ❤️

Immutable Australian Future Wave

Sarah Brown — Fri, 09 Nov 2018

In September, Matt and Michael Fey (Roo) launched Random but Memorable, a security advice podcast. If you haven’t been listening to the podcast, you don’t know what you’re missing! Find out more about previous episodes.

This week’s episode kicked off with a reminder to listeners that we recently launched 1Password for Democracy, which gives free 1Password memberships to people running for office, ensuring elections run fairly, or just protecting people’s rights.

Watchtower Weekly reminded me that not only does Google Plus still exist, but that it used to be called Google Wave. News broke last month that the social network is finally shutting down amidst security concerns. Security is hard to master, even for large companies with lots of resources. I was interested to hear Matt and Roo discuss the different ways that they maintain their security online, including only using trusted sources like PayPal or Apple Pay, rather than entering credit card numbers into random websites. It’s something I could be better at, and I appreciated the reminder.

My favorite part of each podcast is always hearing directly from our customers. I love to learn how different people are using 1Password and what areas they’ve love to see us improve, change, or grow. This week’s question was about archiving old information like expired login, passport, and credit card items. Like Roo, I tend to be a bit of a pack rat, but I don’t want old information cluttering up my main vault. The trick is to create a separate vault for all your archived items and remove it from All Vaults. I’ll be doing this myself when I get around to my annual fall cleaning.

The bulk of the episode featured a chat with our friend Troy Hunt of Have I Been Pwned who is always entertaining and informative. Troy talks about password security in a way that’s accessible to people at all levels. He’s passionate about what he does, and he wants to help people make the right choices to keep their data safe. And this week I also learned that password reuse was actually the catalyst for Troy starting Have I Been Pwned!

Their conversation focused on how the view towards passwords and authentication has changed over the years. Authentication isn’t always black and white. There are gradients, and you have to account for the human element. Troy offers some excellent insight into how this impacts password security and how things don’t always go as planned when there are real people involved.

To get your question on the show, send @1Password a tweet using the #ask1Password hashtag.

Subscribe in Overcast, Pocket Casts, or iTunes, and please rate and review us on iTunes.

From dark to light and back again

Will Moore — Thu, 08 Nov 2018

We’ve had a lightbulb moment and added Dark Mode to our blog. It makes it more readable, more enjoyable, and more fun than ever before. Read on to find out how we did it and how you can add it to your own website.

Dark Mode in Mojave is great for apps, but until now websites didn’t have a way to participate in the fun. Apple just gave us a gift with their latest update to Safari Technology Preview, and we’ve been having fun exploring the new possibilities.

Welcome to the dark side 🌗

Today I’m happy to say that the 1Password blog is now 100% compatible with Dark Mode, and the experience is fantastic. 🎉

Although the Safari app itself has supported Dark Mode ever since macOS Mojave debuted, websites had no way to know when their content was being presented in Dark Mode. You saw the same color scheme on each website, no matter which mode your Mac was in.

Safari Technology Preview 68 changed this by adding support for the prefers-color-scheme media query. It’s exactly what websites need to support Dark Mode. Images appear brighter and more vivid, and reading one of Jeff Goldberg’s security lessons is easier on the eyes by far. 👀

Right now, Dark Mode is only available on macOS Mojave, but because the media query is part of WebKit, we’re hopeful that it will come to other platforms in time. To check it out yourself, install Safari Technology Preview, or just sit tight. This new feature will be available in Safari proper sometime soon. If you do install Safari Technology Preview, switch to Dark Mode while viewing this blog post for an extra visual treat.

Add support for Dark Mode to your site

Although Apple gives you the basic information you need to add support for Dark Mode to your site, it’s not a complete picture. So we wanted to share how we did it. Feel free to use any of the code snippets below.

At a basic level, Dark Mode can be accessed through a CSS media query:

@media screen and (prefers-color-scheme: dark) {}

We then decided to convert this into a Sass mixin to make things a little neater:

@mixin dark-mode($background: null, $color: null) {
@media screen and (prefers-color-scheme: dark) {
@if ($background != null and $color != null) {
background-color: $background;
color: $color;
}
@else if ($background != null and $color == null) {
background-color: $background;
}
@else if ($color != null and $background == null) {
color: $color;
}
@else {
@content;
}
}
}

Because we were mainly changing background color and font color, we thought it made sense to have these as variables to pass in on a single line to the mixin. This works in an “and/or” manner, but it also works if neither are passed in. This allows us to set any CSS properties we need to. The different ways to call the mixin are like so:

@include dark-mode($background: #000, $color: #fff);
@include dark-mode($color: #fff);
@include dark-mode($background: #000);
@include dark-mode() {
background-color: #000;
opacity: 0.5;
border: 1px solid #fff;
}

We’d love to hear from you to find out if the above was helpful to you. If you make use of any of the code snippets and want to show off, ping @1Password on Twitter. Cheers! 👋

Hello Brooklyn, Hello 1Password: Apple’s special event wrap-up

Michael Fey — Tue, 30 Oct 2018

Today’s Apple Event in NYC was one of my favorites in years. From the new Macs, to the new iPads, to 1Password making an awesome cameo on stage it had everything I could want in an Apple keynote.

Full disclosure before we go any further in today’s post, folks: I am tapping into a deep vein of long-running Apple fanboyism. If you’d rather not hear me gush about all the stuff that was announced at the Brooklyn Academy of Music, here’s the gist: 1Password on stage, woo! Brand new iPad Pros with Face ID, incredible! New MacBook Airs (with Touch ID) and Mac minis, fantastic!

Speaking of that cameo, we were super surprised and honored to show up on the screen behind Laura. Touch ID on the Mac is one of my favorite features and having Apple use 1Password to show it off to the world was just terrific. 🙏

Brand New Macs

Now I don’t care to engage in hyperbole, and the word “finally” is usually uttered in a wry tone, but seeing new a whole new model of Mac mini finally announced today was so great. We love these little Macs here at 1Password, especially on the development team where they make great build and test servers. You can bet we’ll be adding one or two of these to our arsenal to supplement the iMac we currently use to distribute 1Password for Mac and iOS.

It was also great to see the all new MacBook Air with Touch ID and Retina display! While I’ve never actually owned an Air, any time I’ve used a friend’s I’ve always been blown away by how thin they are. Seeing Touch ID show up in another Mac in Apple’s lineup is super cool, too. It makes using 1Password such a breeze and anything that makes it easier for folks to sign in to their online accounts without typing a password gets a 👍 from me.

All New iPad Pros

I am a huge fan of the iPad Pro. My current second generation iPad Pro 12.9” (which I call Big Bertha) is one of my favorite Apple devices I’ve ever owned. The giant screen and speedy processor work so well for photo editing that I’ve completely replaced my MacBook Pro as my photography production rig. Today’s announcement of the all new iPad Pro takes what was already a fantastic device and raises it to a whole new level. Face ID is a natural progression for this product. We’ll know more very soon, but if I had to imagine it I’m guessing this is what 1Password’s lock screen will soon look like on iPad:

Wrapping it Up

I warned you at the beginning that there was going to be a bit of gushing today. We love Apple here at 1Password and it’s always inspiring to watch them unveil great new products. Seeing how they push the envelope of what is possible with hardware makes us want to create even greater software. How about you, what was your favorite part of today’s event? Have you ordered any shiny new hardware? I warmed up my credit card this afternoon with a new 12.9” iPad Pro + Smart Keyboard Folio. Next Wednesday cannot come soon enough.

Introducing 1Password for Democracy

Matt Davey — Tue, 23 Oct 2018

The last couple of years have been politically turbulent, whatever your views, and whichever country you find yourself in. Among all the debate, data breaches, and upheaval, one thing that’s consistently important is the need to keep information secure, and in the right hands.

We want to help you do that. Whether you’re running for office, ensuring elections run fairly, or protecting people’s rights, we’d like to offer you a completely free 1Password account to thank you for the essential work you do for society.

1Password can help keep your information secure by generating and storing a strong unique password for everything you do. Our business accounts allow you to securely share passwords with others on your team, add temporary guests to your account, and improve the password habits of everybody in your organisation. In addition, tools like Travel Mode can help you keep your information private when crossing borders, by temporarily removing it from your devices.

Strong passwords won’t solve everything, but maybe we can help

Privacy, democracy, and free speech are incredibly important, and if you’re fighting for any of those things, we want to support you in the best way we can: by helping you stay safe online.

“We founded 1Password with the goal of protecting peoples’ right to privacy - the right to have their personal information kept away from those that would seek to do harm with it.

I am proud that 1Password can be there for those fighting for democratic rights, and that we can help to mitigate some of the risk that comes with protecting privileged information.” — Roustem Karimov - Founder of 1Password

Apply for your free 1Password account

If you’re fighting to protect democracy and people’s rights, apply for your free 1Password account today. Eligibility is assessed case by case, but we can’t wait to hear from you.

Random but Memorable: the security advice podcast from 1Password

Matt Davey — Tue, 23 Oct 2018

Last month, we launched Random but Memorable, a bi-monthly security advice podcast. Random but Memorable is named after your Master Password, but is also very appropriate for the show. The “memorable” part mainly comes from my co-host Michael Fey (Roo) not reading the show notes until we start recording, and the “random” part is a direct result of this.

In our first episode, Correct Battery Horse Pilot we talk about our iOS 12 and Mojave beta releases, and discuss the security news of the week. We experimented with a few ending segments of lighthearted banter but settled on trying to pronounce odd-looking place names, starting with the British city of Loughbrough.

The second instalment is called Machine Factor Toaster Data and introduces our first guest, Mitchell Cohen, who works on 1Password X. We discuss what 1Password X is and how it uses machine learning in a privacy-conscious way.

The third episode, Nickelback Apologist Math Bounty is my favourite so far. In it, we answer some questions from users about the password generator, and then talk to Jeffrey Goldberg our Chief Defender Against the Dark Arts about how the security behind 1Password works.

The fourth episode, Localised Banana-Pants Hack Guide is out today with guest Glenn Fleishman, writer of Practical Guides, and includes us ruining the best placement of all time.

A new episode launches every two weeks to discuss what’s new in 1Password and the wider world of security.

If you’d like us to answer your question on the show, tweet us @1Password using the hashtag #ask1Password.

Subscribe in Overcast, Pocket Casts, or iTunes and please rate and review us on iTunes!

1Password 7.2 for Mac: Welcome to the dark side

Michael Fey — Wed, 10 Oct 2018

It’s fall and you know what that means: new Apple operating systems! When Apple announced macOS Mojave with Dark Mode back in June, we knew we wanted to be there on day one with an update to 1Password that looked great in the dark. So we hiked up our programmer pants and got to work.

1Password has a dark side

As soon as Tim Cook left the stage at the Worldwide Developers Conference keynote we hustled back to our hotel and got to work on some mockups for what a Dark Mode version of 1Password might look like. We started, naturally, with the lock screen:

Of course we didn’t stop there. Once you unlock 1Password, you’ll be greeted with a user interface that is right at home in Dark Mode. I love how website icons pop against the dark background, making it easier than ever to spot the login you’re looking for.

Safari support, baked right in

1Password has had the ability to work within Safari for years, making it super easy to fill your usernames and passwords directly into websites. With 1Password 7.2 we’ve built the Safari extension right into the app, meaning you’ll never have to install a separate browser extension again!

The new Safari 1Password extension also brings with it loads of security improvements. By using the new Safari App Extension feature provided by Apple, 1Password has even more protections against man-in-the-middle attacks and other exploits of that nature.

Mojave, mo’ secure

The latest incarnation of macOS didn’t just come with a new pretty face; Apple also added some incredibly powerful security improvements for third party developers to take advantage of. We’re always keen to jump on anything that helps improve the security of our customers, so 1Password now runs within a hardened runtime. This “hardened runtime” ensures that 1Password cannot be manipulated or modified by other apps or processes running on your computer.

1Password 7.2 also makes use of Apple’s new notary service: 1Password is now fully notarized, which means Apple has verified it as being free of malware. 👍

You’ll also notice that 1Password 7.2 no longer automatically submits passwords once they have been filled. This was a difficult decision to make, but we made it for a few reasons that we wanted to share:

Sometimes a website doesn’t behave as 1Password might expect, resulting in passwords being filled sub-optimally, or fields being left blank. If 1Password were to automatically submit forms in these cases, users are left with an experience that we don’t feel reflects how we want 1Password to work and can lead to confusion.
The mechanism by which 1Password was performing autosubmit is no longer supported in macOS Mojave. As yet another step towards a more secure environment, apps that can virtually type the ‘Return’ key on the keyboard have been significantly restricted.
1Password automatically leaves focus on the password field so there’s no need to click the submit button. Just press the Enter key and you’re all set. Alongside the Command-\ fill keyboard shortcut, it works quite well.

We feel strongly that removing the ability to automatically submit passwords is the right call. I’ll be fully transparent, it’s taken some getting used to, but now that it’s part of my workflow… autosubmit? I don’t miss it.

How do I get it?

We’re glad you asked! You can download the latest version of 1Password for Mac here:

Download 1Password for Mac

1Password 7.2 is included free for everyone with a 1Password membership, as well as those who own a 1Password 7 license. Simply unlock 1Password after downloading and you’re good to go.

If you’ve downloaded 1Password 7 from the Mac App Store, you can update to the latest version from the “Updates” tab over there, too.

We hope you enjoy using this new, altogether faster, more secure and, of course, darker version of 1Password for Mac. We sure enjoyed working on it!

California Password Law

Sarah Brown — Fri, 05 Oct 2018

California just became the first state to put a cybersecurity law on the books for any internet-connected devices that are made or sold in the state. This new legislation goes into effect January 2020 and is designed to protect consumers by setting higher security standards for smart devices.

To comply with this new law, companies will either need to set a unique password for the device at the time of manufacture or prompt people to set a new password during the initial device setup.

This is a big step in the right direction for safety and privacy. Too often, people in a rush to get up and running will leave the default password in place rather than taking the time to set a strong password. Unfortunately, the default passwords are trivial to crack.

As well as putting our privacy at risk, default passwords make it possible for hackers to take control of thousands of devices at once and use them to bring down other services. Twitter, Spotify, and Reddit have all been attacked in this way.

Although smart devices make our lives easier, they can also make us more vulnerable. Banning default passwords will certainly help with security, but it isn’t enough on its own. People are still likely to pick insecure, easy-to-remember passwords when setting up a new device. It’s important to use strong, unique passwords everywhere – from your Twitter account to your espresso machine, and without a password manager, that’s just not practical.

“People are often too relaxed about the security of their home network, and leaving the default password on smart devices is far too common,” says Jeff Shiner, 1Password CEO. “While requiring users to create new passwords on launch is a great first step, manufacturers still have a greater responsibility to ensure software is frequently updated and patched against security threats.”

While this current law only applies to California, the benefits will be felt nationwide for any devices manufactured within the state. And it’s likely only a matter of time before other laws start to pop up in other states.

A journey into the new Mac App Store

Lily Bradic — Wed, 03 Oct 2018

macOS Mojave launched last week, and while Dark Mode was the feature I’d been most eager to test-drive, the redesigned Mac App Store quickly proved to be a dark horse itself. Here’s what I’ve been loving about the new Mac App Store, and what the 1Password team think you’ll love too. ❤️

The first voyage

The Mac App Store has never been somewhere I’ve gone to browse, exactly — I’d usually open it with the intent of downloading a specific app. I wasn’t really expecting this to change, and the first time I opened it after upgrading to Mojave I was too struck by how incredible it looked in Dark Mode to notice much else.

But after my initial “ooh, Dark Mode!” reaction subsided, I realised it wasn’t just the contrast between the dark backdrop and the rich illustrations that was impressive, but the design of the Mac App Store itself. For the first time ever, the App Store feels like one of the beautifully designed apps you’d go there to purchase — as well as a platform for discovering them.

Discovering the new Mac App Store

Apple have recreated the Mac App Store from the ground up, and it’s a pleasure to use. There’s a joy in simply browsing: with the all-new Discover tab, Apple has introduced fascinating stories, in-depth interviews and weekly picks. These editorial features bring everything together, creating an ecosystem that celebrates the best of what app developers have to offer.

This new iteration builds on the Featured tab and Editors’ Choice picks, but the experience feels a lot more user-oriented, with apps clustered together around objectives you might have — like increasing your writing productivity or streamlining your workflow. The write-ups add a human touch, and it’s one we’ve never really had before.

Exploring the new Mac App Store feels like an adventure, and it inspires you to make the most of what your Mac is capable of doing.

Your guide to the stars 🚀

I think this last week in Dark Mode has started to affect my brain, because I’m seeing everything as an interplanetary adventure — bright app icons scattered across the dark expanse of space.

The editorial features and tutorials are amazing at helping you find your way round, and it’s absolutely worth checking back regularly to see what new guides and collections have been added.

The Create, Work, Play and Develop tabs provide some great recommendations and showcase some of the best apps on offer. Of course, 1Password 7 for Mac is right at home in the new App Store and it’s looking pretty stunning in Dark Mode, even if we do say so ourselves.

And as a fully remote team, we’re grateful for how much Slack can simplify communication, but the notifications can get a bit out of hand — so the App Store’s new feature on keeping notifications in check is pretty interesting.

I’m a newly converted Things 3 user — the keyboard shortcuts are life-changing, and it’s such a pleasure to use — so I really appreciate the pro tips here, too (and I have to mention that Things also looks incredible in Dark Mode).

And this Firewatch story is even tempting me to break my self-imposed “no games on the MacBook because they’ll distract you” rule….

We’d love to hear your favorite features in the new App Store. Join the conversation on Twitter — and don’t forget to check out 1Password in Dark Mode. 😉

Customers love Password AutoFill on iOS and so will you

Will Moore — Tue, 02 Oct 2018

It’s been a couple of weeks since iOS 12 was released into the wild, and we have loved playing with all the new features it has to offer. Screen Time has shown many of us that we perhaps spend a little too much time on our iPhones, but one thing that has definitely sped up our mobile interactions is Password AutoFill.

To recap, Password AutoFill opened up the filling technology included with iOS to third-party developers, meaning that we could make filling your passwords even easier.

When iOS 12 was announced back in June, we were there in the audience of WWDC, and were thrilled to learn that we could now integrate 1Password directly into iOS. As soon as the keynote was finished, our developers jumped to work, and by dinner we already had a working demo.

Skip forward three months and that demo has turned into a fully fledged feature, ready to transform how password filling works on iPhone and iPad.

Love and praise from 1Password users

As soon as our customers began to update their devices, they got in touch to let us know how much they loved the feature.

Absolutely love the new @1Password integration on iOS12. Seamless
— Dean Whittaker 👨‍👩‍👧👨🏻‍💻🔴🎮🦈 (@DeaNHtiD99) September 18, 2018

@1Password just want to say thanks for an absolute gem of an update! Auto fill works great with iOS 12. You guys rock!
— JP Terblanche (@terblanchejp) September 18, 2018

Adding @1Password as custom provider for password #autofill is the best enhancement since inventing the smartphone #ios12
— Andreas Kühn (@andreas__k) September 18, 2018

We were, and continue to be, humbled by these comments. Hearing that a feature that we work on is as loved as we hope it will be, makes building 1Password the best job in the world.

Are you using Password AutoFill?

As you can see from the above, we think Password AutoFill is a pretty big deal, and we want everyone to use and enjoy it. Setting it up is super simple, just follow these instructions:

On the Home screen, tap Settings.
Tap Passwords & Accounts > AutoFill Passwords.
Turn on AutoFill Passwords.
Select 1Password.

From now on, you’ll be able to fill and save passwords, without ever opening the 1Password app.

To stop iCloud Keychain from asking to save your passwords, deselect iCloud Keychain. Then you’ll always know passwords are saved in 1Password, without any confusion.

Setting it up is just the start and if you’d like to read more on how Password AutoFill and 1Password work together on your iPhone and iPad, do take a look at our walkthrough article.

Give it a go, and you’ll quickly see why Password AutoFill has become my favourite way to use 1Password on iOS. 🙂

1Password.com is now available in multiple languages

Chris Meek — Wed, 12 Sep 2018

Over the past year alone, we’ve seen a 172% increase in non-English-speaking visitors to 1Password.com. We want everyone to feel completely at home using 1Password, so today we’re excited to announce an important step toward a truly global service.

For the first time ever, all of 1Password – the apps and 1Password.com – is available in 11 languages:

English
Français
Deutsch
Italiano
日本語
한국어
Português
Русский
Español
简化字
繁體字

Whether you’re using 1Password on your own, with your family, or for business, you’ll find that everything has been translated: pricing pages, account-related emails – everything in your account on 1Password.com. View every button, field name, email, and vault item in the language you choose.

Many of the most popular articles on our support website have already been translated, and we continue to translate more every day. Our in-house customer support team is also multilingual, spread around the world, and growing fast. We’re here to help you every day of the week.

When you sign up, you’ll get to pick your language right from the start, and you can always change it later.

With an increasing number of businesses operating across multiple countries, it’s important to us that employees and team members everywhere can use 1Password in their native language. The easier it is for people to manage their security online, the more likely they are to make safe decisions, and that’s good news for everyone.

1Password X 1.10: Large Type, Watchtower, and easy two-factor authentication

Mitch Cohen — Thu, 06 Sep 2018

New goodies abound, plus a treat for Linux users.

1Password X is a 1Password experience that works entirely within your web browser, independent of a desktop app. It brings all the power of 1Password to Chrome and Firefox, and it works great on Linux, Mac, Windows, and Chrome OS.

What’s new in version 1.10

It’s been an incredibly busy summer for the 1Password X team, starting with our Independence Update in July. September brings some of our biggest features yet — and we mean that literally.

Large Type

Large Type is a beloved feature in the 1Password apps, and it’s made its way to 1Password X in style. Now you can make any of your passwords big and bold, so they’re easy to copy and read. Beautiful, eh??

Watchtower

Watchtower helps you proactively identify breached passwords, so you can update them and stay secure. The Watchtower interface was completely redesigned for 1Password 7 for Mac, and we knew we had to include it in 1Password X as well. Watchtower integrates with the haveibeenpwned.com service to let you know if any of your passwords has been exposed in a data breach.

Easy two-factor authentication (2FA)

1Password X already filled authentication codes automatically, but now it can save them, too. You can scan QR codes directly from the 1Password X pop-up to add one-time passwords to your logins. It’s the easiest way to use 1Password as an authenticator for sites that use two-factor authentication.

1Password X ❤️ Linux

1Password X is a wonderful experience on your Mac or Windows PC, but we’re especially proud of how well it works on Linux. To celebrate the release of version 1.10, we’ve launched a new 1Password on Linux showcase which covers all the ways to enjoy your favourite password manager on your favourite OS. 😉

We often hear from Linux users who are just finding out about 1Password X and our other offerings for Linux. If you use Linux on some computers but are on the fence about committing, then you’ll love our new promotion. Sign up for a 1Password membership with promo code SUDOSEC, you’ll get 91 days free to discover how 1Password X can fit into your workflow.

If your Linux box looks more like a Chromebook, don’t forget that 1Password X also plays well with Chrome OS.

Get 1Password X 1.10

Read the full changelog to see everything that’s new in 1Password X. If you already have 1Password X installed, you’ll get the latest update automatically. If you haven’t tried it yet and you have a 1Password account, there’s never been a better time to try it out:

Give it a go, and I think you’ll quickly see why 1Password X has become my favourite way to use 1Password on the web. 🙂

Email Blackmail Scams Getting You Down? Stay Safe in Your Very Own Watchtower!

Oliver Haslam — Tue, 04 Sep 2018

Nobody likes to receive spam emails, and while most are nothing more than irritating, every so often there is one that’s frightening. We’re all familiar with the infamous Nigerian Prince who is just looking for somewhere to park his money, but what if you receive something altogether more sinister? An email that claims to know personal information about you and goes on to threaten oblivion if you don’t do as instructed? Email-based blackmail scams are on the rise, and we don’t see much sign of the trend coming to an end.

In part, this is thanks to data breaches at firms like Ashley Madison and Yahoo. In the case of Ashley Madison, the very nature of the data source coupled with the identities of those who used the service — and subsequently had their data stolen — meant for some very uncomfortable conversations. It also meant a rise in the number of fake blackmail attempts making their way to people’s inboxes, which inevitably leads to panic.

Thankfully, as is so often the case with these things, an analytical approach can save the day.

But, why me?

First of all, we need to work out why you of all people are receiving the scam email in the first place.

The chances are pretty good that your email address was part of a previous data breach, of which there are unfortunately too many to get into here. What we do know is that large companies, whether they are retailers or online services, have been big targets for hackers in recent years, with customer data being stolen.

This does at least give us an idea where to start: you know a scammer has your email address, and they may also have given you “proof” that they have access to more information — or even worse, your computer.

That’s very unlikely to be the case, but we need to be sure. This is also where 1Password and specifically Watchtower has your back.

Time to confirm the story

At this point we know that someone has your email address and, potentially, a password. You may not even recognise the password that the scammer claims to know, but thanks to 1Password and Watchtower, you don’t need to rely on memory.

With data breaches becoming more common, a security researcher by the name of Troy Hunt set up the Pwned Passwords database. This database contains passwords and email addresses that have been “Pwned,” which means they have been stolen following a security breach and have subsequently found their way into the wild west of the Internet. That’s not great, but with Watchtower integrating with the database, 1Password knows when a password has been compromised and, as a result, can warn you.

If the scammer claims to know your password, and shares proof of that, we’d suggest checking whether that password appears in Watchtower. If it does, change the password for all logins that might have used it. While you’re here, change any other passwords that you’ve reused, too. While this won’t prevent any nasty blackmail emails landing in your Inbox and demanding Bitcoin in the future, it will mean you can be confident in ignoring them. Remember, unique, strong passwords are the name of the game here. Let’s not make life easy for hackers by only making them hack one website to gain access to multiple.

Belt and braces

1Password also offers Breach Reports as part of our commitment to keeping your passwords and data safe. The Breach Report, available on 1Password.com, will not only identify accounts you’ve saved in 1Password that may have been breached, but any breached account using your registered email address, even if you haven’t saved it in 1Password yet.

If your search for the password this scammer claims to have doesn’t turn up results, you may have used it for an old account you’ve since forgotten about. Your Breach Report will let you know about these accounts so that you can change the password, add the account to 1Password for the future, or delete the account if it’s no longer in use.

A sigh of relief

Ultimately, if anyone emails you and threatens to “dish the dirt” or claims to have access to your computer, they’re likely being economical with the truth. They clearly have an email address, and they may even have an old password. But that’s fine, because you just checked whether that password is in use and, thanks to Watchtower, you changed the password for any logins that may have used it.

Now you can sit back, relax, and wait for the next Prince to offer you a few million dollars. Don’t be a stranger, either. Be sure to check Watchtower and the Breach Report regularly to stay on top of any further password breaches that may crop up.

1Password 7 for Android: The Best Ever

Michael Verde — Wed, 22 Aug 2018

We recently launched massive updates to 1Password on both Mac and Windows. Today, I’m thrilled to reveal that 1Password is getting a bold new update on the Android platform as well.

1Password 7 blends the best features of 1Password with the unique style of Android to deliver the best possible experience for managing your vaults on the go. We started with a design overhaul of the screens you use the most and then packed in some great new functionality to make it easier to access and update your data. On top of the added convenience, we’ve also made it easier to up your security game with some fantastic features I know you’re going to love.

Lock it down

Let’s start by diving into the first thing that you’ll notice after updating to 1Password 7: the fresh new design. You’ll be greeted with a shiny new lock screen standing guard over your data.

Not only does this new design pay homage to the strength of the protections around your data, but it also includes a delightful animation for those times when you mistype your Master Password. Just try not to get too distracted playing around with it! 😉

See more, do more

After you’ve unlocked 1Password, your items will meet your eye in a cleaner format that’s designed to make it easier to find what you’re looking for at a glance.

And this beauty comes with power, as you can now perform actions on more than one item at once. Starting with a long press, you can select multiple items from your list and mark them as favourite, copy them to another vault, or delete them.

When it’s time to switch to a different view of your items, the new bottom navigation makes it quicker and easier than ever. Favourites, Categories, and Tags are all within a single tap’s reach.

If you’re rocking multiple vaults with your 1Password membership, you can easily see which vault you currently have selected with the vault indicator at the top left.

Tapping on that icon reveals the updated vault switcher, allowing you to quickly switch between vaults with only a couple of taps.

It’s all in the details

When you decide to view one of your items, you’ll see that we’re presenting those details in a whole new light too! We’ve updated the item detail view to highlight the most important details of your item, while organizing any additional information in an easily readable format.

Of course, we went way beyond skin-deep changes too. You can switch into edit mode and customize your item to include additional sections and fields. This is great for adding security questions and other important details that you need to remember. Better yet, you can now use the built-in QR code scanner to add one-time passwords to your Logins to enhance the security of your accounts.

Staying alert

I’m thrilled to say that Watchtower is now an integral part of 1Password 7 on Android. Whether it’s compromised logins, vulnerable passwords, or even items that are expired or expiring soon, we’ve got you covered. A banner will display above your item details whenever there is a Watchtower alert, providing you with the necessary details and guiding you on any actions that you should take.

Smart passwords

When it comes time to choose a new password or update an existing one, the new and improved Strong Password Generator will help you create exactly the right one for your needs. The memorable password recipe is great for passwords that you’ll need to type out or read aloud over the phone. The PIN Code recipe will help you with bank cards or memberships that limit you to only using digits. And for everything else, you can choose random password to get the strongest possible password. In each case, the Strong Password Generator provides you with convenient options for tweaking the passwords as you see fit.

Document all the things

With 1Password memberships, you can use Document items to store important files for insurance, wills, taxes or anything else you might want to keep secure. 1Password 7 makes it even easier to do so by allowing you to upload files directly from your Android device. Grab a photo from your camera roll, a PDF from Google Drive, or just about anything else that you can think of.

And much more

Fresh welcome and setup screen designs
New setup flow helps you get started with Fingerprint Unlock and Autofill
Use Autofill with 1Password in the DuckDuckGo and Brave browsers
Categories are now sorted with the most commonly used categories at the top
OPVault is the default format for both Dropbox and local storage sync
Use multiple URLs with Login items for a better filling experience

How do I get it?

1Password 7 is available on Google Play as a free update for devices running Android 5 or later. If you’ve got automatic updates enabled (and we recommend that you do), you don’t need to do anything to receive this latest and greatest version of 1Password. Otherwise, head on over to Google Play and click that update button:

Download 1Password 7

Don’t worry if the update doesn’t show up right away for you. We’re rolling it out to all of our customers over the next few days.

I hope you enjoy 1Password 7 as much as we enjoyed making it for you! We couldn’t have done it without your help.

Please join us in our discussion forums or on Twitter to share your experiences with us and help craft the future of 1Password. We always love hearing from you.

A 1Password Journey Through SOC2

Pilar García — Thu, 09 Aug 2018

A while ago, we decided it was time for 1Password to become SOC2 certified… Don’t worry, we aren’t designing socks. Protecting customers’ data has always been our highest priority, and this certification is one more way we can attest to that.

SOC stands for Service and Organization Controls, a family of certifications related to others you might have heard of like ISO or FedRAMP. While there are SOC1, SOC2 and SOC3 the one relevant to 1Password is SOC2. Being SOC2 certified means that we’ve demonstrated that we follow best practices for Security and Availability.

Security in this case is not about our encryption, which we all know is the best out there. 😉 In the world of SOC2, Security ensures that we have—and follow—processes and policies that keep 1Password secure from all angles- everything from the way we train our employees to how the software is developed. Availability means -you guessed it- that 1Password will be working whenever you need it to.

Demonstrating our commitment to security and availability sounded like an easy task but as we went throughout the process we discovered there was much more to it. We created a 1Password Team account to help with the process, using it to communicate securely with the auditors and store all our documentation. The whole process took about a year and a half, and we couldn’t have done it without 1Password.

How we used 1Password to certify 1Password

There are two types of SOC2: Type 1 certifies that you have policies in place, while Type 2 verifies that you follow them. And because we always aim high, we set out to do both.

To start, we ensured that we had policies and procedures in place. For example, we’ve always had security training for 1Password employees but now we have a new policy for annual training for everyone in the company. This stage took several months, but by the end, we had quite a few documents that needed to be shared among the SOC2 team. To do this easily and securely, we used the Shared vault in our Team account.

To meet the requirements of Type 2 we had to demonstrate that we could enforce our policies during a period of six months. Thanks to our awesome employees that was never much of a challenge. Everyone received security training in January as promised. To demonstrate our compliance we produced dozens of documents- everything from spreadsheets, screenshots, PDFs, quick notes… We not only had to share these with auditors, we also had to track the changes that had been made since Type 1.

Thankfully 1Password made it easy. With a few clicks, we created an additional vault for all the new documents and shared it. As the auditors provided feedback, we were able to update those documents and keep track of previous changes using item history. Each item keeps track of who did changes and when so there was a built in audit trail.

To stay organized, we used tags that allowed us to categorize, then find, items of each kind. The tag “Updated” immediately showed us documents that had to be adjusted. With a click on the “From Auditors” tag, we could see all those items uploaded by the auditors, while “From AgileBits” gave us all those that we uploaded.

Every item in 1Password has a field for notes. These notes helped us communicate details that didn’t belong in the document or title. We recorded things like: what we last updated, related items, exceptions made in the documents, and more.

What we learned

Security in general, and SOC2 in particular, aren’t things that you do once and then forget about. We have not finished keeping 1Password secure and available because this year’s SOC2 audit is complete. The next time around, we’ll know exactly what we’re doing and 1Password will be there to help us one more time.

1Password X 1.8: The Independence Update for Chrome and Firefox

Dave Teare — Thu, 28 Jun 2018

A massive release with credit card and two-factor authentication code filling, password generator history, and a whole lot more.

What is 1Password X? It’s a 1Password experience that works entirely within your web browser, independent of a desktop app. It brings all the power of 1Password to Chrome and Firefox, and it works great on Linux, Mac, Windows, and Chrome OS.

With today’s release, we’re closer than ever to realizing our dream of independence. In fact, there’s more than enough in this release to call it 2.0, but seeing that 1Password X is evergreen software, we decided to cut out the version inflation and go with a good ‘ol name. 🙂

Just in time for Canada Day and July 4th, let me introduce you to 1Password X: The Independence Update. 🇨🇦🇺🇸🎆

Redesigned on-page experience

The signature feature of 1Password X is direct integration with webpages. It’s what people love the most, and in the Independence Update we made it even better.

1Password X is now smarter, more proactive, and more helpful. It’s powered by on-device machine learning and makes the right suggestions as you browse the web.

1Password will now help you sign up for new accounts on websites. It will offer to fill in your name and email address, and then it will suggest a strong password automatically. You can fill in an entire sign up form without typing a single letter.

Credit Cards and Addresses

1Password is now able to detect when you need to enter a credit card, address, or telephone number and will automatically suggest items from your vaults.

One-time password filling

If your logins have two-factor authentication set up, 1Password will detect when your code is required and offer to fill it for you. It’s really magical! 🧙‍♂️

Automatic multi-step filling

If a website requires you to sign in across multiple pages, you just need to fill once and 1Password will automatically take care of the rest. It will even fill two factor authentication codes without you lifting a finger. It’s extra magical! 🧙‍♀️

Guided password changes

1Password also helps you out when you need to change your password on a site: it fills your existing password, offers a new one, and then prompts you to update your login item. It’s really convenient.

Password Generator

In the Independence Update we’ve made the password generator smarter and more helpful. It now remembers the last settings you used as well as your settings per recipe, so you can customize your passwords to your heart’s content.

But the fireworks really go off when you see the new Generator History. Now whenever you fill or copy a password from the Password Generator, it will be recorded in your encrypted Generator History. This way you’ll be able to retrieve your password later, even if you didn’t save it.

Lighting up the sky 🎇

The Independence Update has over 100 new features and changes to wow and delight and amaze the crowd:

Markdown

Add rich text formatting to your notes with our new Markdown support.

Amazing icons

We’ve made a ton of changes to icons! Your credit cards will now have different icons depending on their type. You’ll see any custom icons that you have on your items. And logins without a rich icon will have a beautiful monogram of their initials that matches the beauty in 1Password 7 for Mac.

Better dark theme support

Our toolbar icon now looks great in dark browser themes and Incognito windows. And on top of that you can even choose between colour and monochrome in Settings.

And so so much more

You can read the full changelog for all the details but here are a few more of my favourites:

Added language support for Korean, Portuguese, and Traditional Chinese.
You can now select a default account for saving new items.
Your favourites now have stars next to them everywhere they appear.
Added support to fill one-time passwords that are split across multiple fields. E.g. wealthsimple.com.
Better support for Firefox fingerprinting resistance and privacy settings, including privacy.resistFingerprinting.
Your password generator settings now remain persistent over restarts.
1Password uses machine learning to fill login forms more accurately.
The inline menu appears in more fields automatically, e.g. username fields that don’t have an accompanying password field.
Added options to the inline menu to switch between item types.

The Independence Update is available today for Chrome and Firefox. If you already have 1Password X installed, you’ll get this update automatically. If you haven’t tried it yet and you have a 1Password account, there’s never been a better time to try it out:

Get 1Password X for Firefox

Get 1Password X for Chrome

Give it a go and I think you’ll quickly see why 1Password X has become my favourite way to use 1Password on the web. 🙂

Make a Pitstop in Denver and visit 1Password at GopherCon

Will Moore — Wed, 27 Jun 2018

Each year, a bunch of us make the annual pilgrimage to GopherCon, the largest and most well attended Go developer conference in the world.

We take in the sights Denver has to offer, get the best coffee around from Denver Little Owl Coffee (If you think there’s better, please tweet us 😉), and most importantly learn all about the miraculous things people are creating with Golang.

This year things will be even more special as we are the headline sponsor of GopherCon 2018!

The GopherCon organizers have some amazing things planned this year, with the racing theme in full effect. As this is our first time sponsoring, make sure you visit the 1Password Pitstop while attending the conference!

Visit the 1Password Pitstop

If you are attending GopherCon, come and get a checkup from our expert Passwordologists at the 1Password Pitstop, and find out the best ways to secure your business and family online. We also love to hear from customers already using 1Password, so do come on over and chat about your favourite 1Password productivity features.

Our Pitstop will have will have lots of surprises, and if you come by, you’ll get the chance to meet some of the amazing people behind 1Password. It’s a great opportunity to talk shop and maybe even pick up some stickers to pimp your ride and add some bling to your device!

1Password and Go

We use Go all over the place at 1Password!

Every 1Password account relies on our Go servers. Making everything work together is no easy feat and so we needed a strong (and fast!) language like Go to create the backbone that connects all our apps together. We also use Hugo for our many of our websites.

Sharing code between our six different apps across six platforms helps us provide a consistent experience and minimize bugs. Our filling engine “The Brain”, our new password generator, and a host of other features are already built in Go. Our command-line tool is also built entirely in Go.

For more sneak peaks of the exclusive 1Password GopherCon shirt and the 1Password Pitstop, follow us on Twitter. If you are in Denver between August 27th – 30th, I really hope to have the chance to meet you in person at the conference!

Watchtower: we shall fight on the breaches

Rick Fillion — Mon, 25 Jun 2018

1Password’s Watchtower service has been helping users identify accounts that have been affected by breaches for years. Today we’re proud to announce an enhancement to how 1Password finds and identifies breached accounts.

1Password can now use Have I Been Pwned to find accounts that have been compromised based on the email address associated with the account. It can even do this without needing to share your email address with anybody.

Before we dive in to learn about the details, take a look at the awesome work Matt and Jasper did to bring this to life.

Breach Report

There’s actually a fair amount to unpack here, and it’s difficult to see detail on a video, so let’s break down the breach report in screenshot form.

The Breach Report is split into three sections.

The top most section is a list of websites where an account with your email address has been identified as having been compromised, but you don’t have any information about this website in 1Password.

That’s amazingly powerful as 1Password can help you identify breaches that impact you without you having actually added information to 1Password. In this case, you’re going to want to generate a unique strong password for that website, and while you’re at it you should consider adding it to 1Password.

If it’s a website for which you have no interest in having an account, you should delete the account as opposed to ignore it. Accounts often have additional data, such as a mailing address or maybe a phone number. You should be protecting that private information, and thanks to excellent pieces of legislation like the GDPR most websites have a way to request permanent deletion of your data.

The second section lists breached websites for which you’ve got an item in 1Password, but 1Password suspects that password to be compromised. You’ll definitely want to create a new password for that website.

The last section lists breaches for which you’ve got an item in 1Password, but you’ve already updated the password so there’s nothing more to do.

How Does It Work?

The Breach Report is based on a new service provided by Have I Been Pwned which allows 1Password to query for compromised accounts based on an email address. 1Password can achieve this without needing to share the email address with Have I Been Pwned because this new service functions much like its Pwned Passwords service, and uses the same K-anonymity model. This model allows 1Password to work with Have I Been Pwned to find breaches without needing to share sensitive information with Have I Been Pwned. Let’s take a look at how that works…

Have I Been Pwned has a database with over 5 billion compromised accounts obtained from the various data breaches around the internet over the last few years. This database contains the email address associated with the account as well as a SHA-1 hash of the password that was compromised. The new service allows 1Password to look up entries in that database based on the email address.

In order to perform a lookup, 1Password takes the email address associated with your account, and hashes that using SHA-1. Sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your email address. Just like the Pwned Passwords service, this new service only requires the first few characters of the hash, six to be precise.

Similarly to Pwned Passwords, the process is completed within 1Password itself. Have I Been Pwned sends 1Password a list of possible matches based on the start of the hash that was sent, and 1Password needs to complete the search by looking for exact matches with the full hash that was created in the first step.

Bringing You More Info On Compromised Logins

When viewing items in the Compromised Logins section of Watchtower, you may notice that some of them have a slightly different banner at the top and include a “More Info” link.

Clicking it will bring up a panel with some information about the breach, letting you know what information in that account was made available.

This was made possible with the additional breach information that is provided by Have I Been Pwned.

Run, don’t walk, to change the password associated with this Login. And also change the password for any other Login item you might have that happens to share that password (you’re using strong unique passwords everywhere, right?).

Taking Watchtower Further

Have I Been Pwned allows us to push Watchtower further and do more to keep you safe online. The k-anonymity model used in both this service as well as Pwned Passwords ensures that your privacy is respected, which is incredibly important to us. We’re thrilled to be one of the first services using Have I Been Pwned in this way.

You can try it today by using Watchtower on 1Password.com, and we’re looking forward to bringing this feature to all of our apps.

Thank you Troy for building an excellent service that makes this feature possible.

WWDC18: Presents from Apple

Michael Fey — Thu, 07 Jun 2018

Hello everyone! It’s WWDC week and a large portion of the 1Password development team is here in San Jose basking in the glow of this year’s Apple’s Worldwide Developer Conference. For me it’s my first time coming to WWDC since it was last held in San Francisco two years ago, and I absolutely love it. The conference center itself is gorgeous, and the surrounding area is wonderful. Somehow I’m finding it easier to run into folks I know, and I’ve already caught up with a bunch of old friends and made a number of new ones since I’ve arrived.

WWDC is much more than a place for me to stretch the wings of my social butterfly tendencies, however; it’s all about new tech, and boy oh boy did Apple hook us up this year. Many of us are already rocking iOS 12 and macOS Mojave on our main devices and computers and they are awesome. Not only that, but 1Password is running quite happily on iOS 12 and needs just a couple small tweaks on macOS Mojave.

iOS 12 and Password Autofill

On Monday afternoon, during Apple’s Platform State of the Union I sat down with my teammate Rudy and jumped into Apple’s newly announced Password Autofill API. By the time we were ready to grab some dinner we had a tweet-worthy demo all done:

What a wonderful present for us at WWDC this year! Thank you to all our friends at Apple for this great new API. #1PasswordAutofill pic.twitter.com/jpvRVogslS
— 1Password (@1Password) June 5, 2018

This new capability is transformational in our ability to integrate with iOS. Starting in the next version of iOS, 1Password will be able to fill your credentials into every app that has opted into the Password Autofill functionality that Apple introduced with iOS 11 last year.

macOS Mojave and Dark Mode

After our incredibly successful launch of 1Password 7 a few weeks ago we’ve been waiting to see what Apple had in store for the Mac. On Monday we got our first glimpse of dark mode in macOS Mojave, which of course left our designer Dan itching to get back to his computer to start playing. Since then the mockups have been flowing like water:

Privacy and Security

Apple’s dedication to privacy and security are legendary and this year they introduced a whole host of new tools to help keep your computer safe. The biggest ones that we’re excited about are system integrity protection (SIP) for apps and notarized apps.

Apple’s documentation gives a concise definition of SIP at a high level:

System Integrity Protection is a security technology in OS X El Capitan and later that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.

SIP for apps allows us to opt in to these same protections for the 1Password app binary that resides on your computer. It gives you (and us!) peace of mind knowing that the app we built and shipped is the one running on your computer.

Notarized apps is the other thing that we’re really excited about. Apple is standing up a new service for developers where they can submit their app prior to release. The service will check the app, verify that it’s free of malware, and issue a certificate that will be “stapled” to the app. This certificate is then used by your Mac to verify that the version of 1Password you’re using has been screened and approved as being free of malware. Coupled with SIP, these two new technologies are going to be great for all apps, and 1Password in particular.

Wrapping it Up

While I can’t comment on rumor or speculation, you could use our previous track record to reasonably conclude that when iOS 12 and macOS Mojave ship later this year we’ll be there, on day one, with full support for both. In the meantime, make sure you sign up for the iOS beta, and opt-in to the betas of 1Password for Mac in Preferences:

How about you? What was your favorite announcement from WWDC this year? Sound off in the comments below, I’d love to chat about it with you.

1Password 7 for Windows: The Best Ever

Dave Teare — Tue, 29 May 2018

Hot on the heels of last week’s 1Password 7 for Mac announcement, I’m pleased as punch to unveil the best version of 1Password for Windows ever: 1Password 7 for Windows is here! 🎉 👏

This is a massive release where quite literally everything has changed. Seriously, every bit and every pixel has been recreated from scratch using the latest and greatest technologies to make 1Password the best it can be.

From an incredible new design to having all your vaults in one place to a whole new architecture, 1Password 7 is the fastest, prettiest, and most powerful version of 1Password yet. In short, it’s simply the best. A bold claim but thankfully we can back it up. 😎

All new modern design

Our design team has been working their tails off reimagining every aspect of 1Password. We wanted to make it as powerful and beautiful as the Mac app while staying true to the Windows platform.

It all added up to a breathtaking new design that you’re going to love. And it all starts with the lock screen.

The steel doors look great and also symbolize the strong encryption that protects your data. And to would-be-attackers, our encryption design is far more secure than the strongest steel.

Once you unlock 1Password with your Master Password (or Windows Hello), you’ll be delighted by the stunning new layout protected behind those doors.

Beautiful! 😍

Everything has changed and not a single element of the design has been left untouched. Yet the heart and soul of 1Password remain, so you’re able to jump right in and find everything you need.

Your items have never looked better and with full support for time-based one-time passwords, logins really shine. They look so good that you’ll find yourself happily waiting for a new 2FA code simply so you can watch the countdown animation. 🙂

You can also zoom right in on the password using Large Type. This is perfect for those times you need to type it on another device or are asked for specific characters from your password.

Our new highlight feature while searching makes finding what you’re looking for super easy. And with the addition of search power-ups like title:, tag:, and file:, it’s never been easier to discover what you’re looking for.

And when you prefer to browse, the sidebar is great for navigating between your categories and tags. Along with support for nested tags you can take things to a whole new level by organizing your organization. 😉

Oh and the sidebar gets even better as your vaults live there, too.

All your vaults, all in one place

There’s more to the sidebar than meets the eye. Sitting just beneath the surface is a powerful new way to organize and securely share your items.

Simply click on the sidebar header and your categories will slide away, revealing your collection of vaults. Vaults allow you to group your items depending on their purpose and who needs access to them.

Vaults are so nice that you’ll find yourself adding lots of them. Between my AgileBits business and Teare family accounts, I now have over 50 vaults. Being able to switch between vaults and accounts makes it super simple to stay focused on the task at hand.

Together with a 1Password Families or 1Password Business account, vaults can be used to securely share passwords with your family and colleagues. Simply sign in to 1Password.com and choose who you want to share with and 1Password will do the rest.

My favourite part of sharing passwords this way is the ability to control everyone’s permissions, including making passwords read-only. For those with edit access, changes they make will be seen by everyone else right away.

1Password mini is always by your side

The new awesome carries over into 1Password mini as well, yielding a more powerful and beautiful experience. When you’re on a website and need to login, 1Password mini makes it super easy.

Selecting a login will automatically fill your username and password for you. And if you have two-factor enabled, the one-time password will be automatically copied to your clipboard so you have everything you need right at your Ctrl-V fingertips.

1Password mini will also help you create new logins as well. When you sign up for a new service or log in for the first time, 1Password mini will jump in and offer to save it for you.

In addition to naming your new login and assigning tags, you can also choose which vault to save it to. This is great for keeping things organized as well as choosing who to share with.

And if a website has been breached, mini will alert you so you know that you need to update the password.

Oh and then there’s also Open and Fill which automatically opens websites and fills passwords for you. When combined with the search and organization features of 1Password mini, it’s perfect for bookmarking your favourite sites.

Designed for everybody

We wanted to create 1Password 7 for everybody and be as inclusive as possible. That started with allowing you to sync your vaults yourself as well as using 1Password accounts on 1Password.com, 1Password.ca, and 1Password.eu.

1Password also speaks your language and has been localized to Français, Deutsch, Italiano, 日本語, 한국어, Português, Pyсский, 简体中文, 繁體中文, and Español.

Being able to use 1Password in your language is great and it’s even better on High-DPI displays. 1Password 7 has full support for HiDPI in Windows 10 so it looks incredible on 4K monitors and other high density screens.

And for those of you who rely on assistive technologies, rest assured that 1Password 7 is fully accessible with out-of-the-box support for screen readers like Narrator.

Why hello there, Windows Hello

We also added support for Windows Hello so you can unlock 1Password using your fingerprint or simply your smile. This works great in the main app as well as in mini.

I love the “looking for you” animation with the eye looking back and forth, and can’t help but grin when I’m greeted with a smiling face along with the “Hello, dave!” message. 🙂

As for security, your data is protected by your Master Password as always. To keep things as secure as possible, the first time you unlock you will need to provide your Master Password and then Windows Hello will be able to unlock 1Password thereafter.

Strong foundations

1Password 7 is a completely new modern app built from the ground up to use the latest and greatest technologies available. This gave us a strong foundation and allowed us to push the envelope to make 1Password the best it could be.

In addition to fundamental enhancements like HiDPI and Unicode support, 1Password 7 comes with a whole new database layer that enabled us to make everything much, much, much faster.

And if you’re moving over to our new 1Password memberships, syncing your data is more secure than ever. With the addition of a Secret Key, Secure Remote Password, and Galois/Counter Mode, your data has never been safer. Oh, and to top things off, the speed and reliability is simply unparalleled.

All of these changes combine into the fastest, most secure, and best looking 1Password experience on Windows ever! Long story short: you’re in for an amazing treat! 🍪

How do I get it?

To start enjoying the best version of 1Password ever built, grab it here:

Download 1Password 7

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many PCs as you have. 1Password 7 for Mac is a separate purchase.

I hope you enjoy 1Password 7 as much as we enjoyed making it for you. We couldn’t have done it without your help. ❤

Please join us in our discussion forums or in the comments below to share your experiences with us and help craft the future of 1Password. We always love hearing from you. 😘

1Password 7 for Mac: The Best Ever

Dave Teare — Tue, 22 May 2018

Today is a momentous day! It’s time to take the wraps off something incredible that changes the world as we know it: 1Password 7 for Mac is here! 🎉🙌

There’s a ton of amazing features packed into this release and I couldn’t stop myself from writing a lot about them. If you’d like to start rocking right away, feel free to jump ahead and download 1Password 7 now. For everyone else, it’s my distinct pleasure to share with you the awesome that is 1Password 7.

Marvellous mini

1Password mini is how most of us use 1Password on a daily basis and for version 7 we wanted to make that experience the best it could be.

1Password mini has been completely reimagined and comes with so many features that we needed to give it its own window. When you bring up mini you’ll find it waiting for you with an incredibly powerful and beautiful new look.

While in your browser, mini will automatically suggest the items you’re most likely to need. Select the login you want to sign in with and 1Password will do the rest.

And mini doesn’t limit itself to just browsers. With our new app integration we’ll automatically suggest logins for the current app you’re using. Along with support for drag and drop, this is a real game changer.

You can also make edits, move items between vaults, and even add documents – all without ever leaving mini. Soon you’ll wonder how you ever lived without it. 🙂

Beautiful, bold design

The beauty you’ll find in mini continues throughout the rest of 1Password as well. It all starts with the newly designed lock screen and it looks incredible, especially with Touch ID.

As great as those vault doors look, they pale in comparison to what lies secured behind them.

The first thing that grabs you is the stunning new sidebar. It draws you in with its bold dark theme and delights you with its simplicity.

The new sidebar looks great without being overpowering and the high contrast between it and your content allows your eyes to focus on what’s most important: your items.

Detailing your items

Your items are able to join in on the fun as well with a new design and some lovely new touches. Each of your items now prominently show which vault they belong to and have their most important information highlighted.

If you caught yourself yelling What Are Those?! when looking at the formatted notes field, you’re not alone. You can now give your notes richly formatted text using Markdown! 🎉

Along with the improved layout and typography, we’ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely Courier Prime).

Alan Dague-Greene is the creative genius behind this font and it makes large type passwords look absolutely incredible.

Speaking of incredible, when you combine our new custom font with Markdown support, Secure Notes are now at an entirely new level of awesome.

Once you start using Markdown in your notes you’ll find yourself wanting to create a lot of them. And when you do, you can keep your notes and items organized using tags. You can even use nested tags if you want to be fancy.

Oh and if you need to copy fields between items or into another app, you can detach the item details view into its own separate window by clicking the button in the toolbar. This is incredibly useful although to be honest I often find myself clicking it for no other reason than to see the lovely animation. 🙂

Watching out for you

1Password 7 is doubling down on how it keeps you safe online. We have bundled together a suite of security tools that notify you of breaches, warn you of bad habits, and highlight vulnerable passwords. We call it Watchtower and it’s amazing.

Watchtower integrates with Troy Hunt’s haveibeenpwned.com service to see if any of your logins are vulnerable. 1Password securely checks your items against a collection of breached passwords (over 500 million and counting) and notifies you to change them.

And thanks to twofactorauth.org, Watchtower also knows which websites support two factor authentication and will alert you when it finds logins without 2FA enabled.

Watchtower will also alert you to logins that are using an insecure (HTTP) website address, weak passwords, and horror of horrors, reused passwords (seriously, don’t do that!). And finally it’ll even warn you if your credit cards or passports are expiring soon so you don’t miss out on your vacation. 😎

Let’s get back to that sidebar because there’s more there than meets the eye. Sitting just beneath the surface is a powerful new way to organize and securely share your items.

You can drag and drop items between vaults and even between accounts. Or, drop your items on the New Vault button and a new vault will be created for you right then and there. It’s so simple it’s like magic.

Once you have your new vault created, sharing it with your team or family couldn’t be easier. Select who you want to have access to your vault and 1Password will do the rest.

Best of all, any updates to the items appear automatically for everyone. It’s easier to share securely with 1Password than being insecure without it. 💪

Strong foundations

Along with all these new features and improvements, a lot of heavy lifting took place to make 1Password 7 faster and secure-er than ever.

It all began by combining 1Password and 1Password mini into a single process. This made items faster to load, reduced memory usage, and decreased launch times. The overall performance boosts made us smile as soon as we saw them and we think they’ll make you smile, too.

Also new in 1Password 7, we’ve taken advantage of Apple’s Secure Enclave to protect your Master Password when Touch ID is enabled. This is incredibly cool because the keys used for encryption are protected by the hardware and not accessible to other programs or the operating system.

And if you’re moving over to our new 1Password memberships, syncing your data is more secure than ever. With the addition of a Secret Key, Secure Remote Password, and Galois/Counter Mode, your data has never been safer. And the speed and reliability is simply unparalleled.

And so much much much more!

I told you at the beginning that I was going to write a lot about 1Password 7 and I could keep going. But in the interest of getting you into 1Password 7 sooner, I’m curtailing the rest into this fancy bulleted list!

Collapse the sidebar entirely so your items get all the love
Quickly find items with our new Spotlight integration
Use Handoff to view iOS items right from your Dock
Easily see your currently selected vault and account
Marvel at the monogrammed icons for tags and logins
Edit your vaults directly from the sidebar
Enjoy the new password strength meter
Remove duplicate items on a per-vault basis
Jump to items and vaults with ease using Quick Open
Opt in to automatic updates so you can always enjoy the latest and greatest 1Password has to offer

How do I get it?

To start enjoying the best version of 1Password ever built, grab it here:

Download 1Password 7

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many Macs as you have. 1Password 7 for Windows will be released next week as a separate purchase.

I hope you enjoy 1Password 7 as much as we enjoyed making it for you! We couldn’t have done it without your help. ❤

Please join us in our discussion forums or in the comments below to share your experiences with us and help craft the future of 1Password. We always love hearing from you. 😘

1Password at Google IO

Saad Mohammad — Mon, 21 May 2018

Just over a week ago, I was incredibly lucky to attend Google’s annual developer conference at the Shoreline Amphitheatre in Mountain View. I always look forward to this event because it showcases the latest and greatest technologies coming to Google’s platforms. And to make things even better, I was joined by Gene, Peri, Shiner and Michael – our largest group at I/O yet!

Google I/O 2018

After grabbing coffee and snacks, we took our seats and eagerly waited for the keynote to begin. Sundar Pichai opened the conference by revisiting the most pressing issue of last year: the hamburger and beer emoji fiasco! With the cheese now in the right place, he continued with the keynote and introduced one of the main themes of the conference: leveraging machine learning to solve both simple and complex problems in our daily lives.

The improvements to the Google Assistant such as “continued conversations” and the new voices are fantastic. I do worry that I may fall back asleep if John Legend’s soothing voice reads my daily briefing each morning! The Duplex demo was just incredible and I am amazed at how the Assistant was able to understand and deliver natural language conversations over the phone. I’ve shown the video to all of my family members… maybe even scared them a bit. But don’t worry mom, I promise it will be the real me calling. 😉

Android P (Popsicle?)

It wouldn’t be Google I/O without a strong focus on the next version of Android. Immediately after they announced the Android P beta, I installed it on my Pixel 2 XL and revelled in the beautiful controls, typography, and roundedness of its design. Android P is all about intelligently analyzing and adapting to our usage patterns. This is being used to drive powerful features such as the new Digital Wellbeing. I’m looking forward to using it to remind me to disconnect and focus on the real world sometimes.

Developing on a Pixelbook

One pleasant surprise that got Michael very excited was the announcement that Android Studio is coming to Chrome OS. He quickly got it running on his Pixelbook and then challenged me to a race to see who could build 1Password faster. We were both shocked to find that his Pixelbook came in only 7 seconds behind my MacBook Pro. That’s pretty impressive!

The #chromeos team gave us an awesome present at #io18 this year. With support for Linux apps, I can now use @androidstudio on my Pixelbook to build and run @1Password. ❤️ pic.twitter.com/RzNEOdEGso
— Michael Verde (@michaelverde) May 10, 2018

1Password on Chrome OS

As exciting as it is to build 1Password on a Pixelbook, it’s even more thrilling to run an optimized version of it on Chrome OS. We built 1Password 6.8 for Android with an emphasis on the desktop experience, and we’re incredibly proud to have been featured by Google during I/O as an example of doing this well.

Shout out to @1Password from #chromeos #io18 pic.twitter.com/bukcOONpDM
— Shahid Hussain (@shahidhussain) May 10, 2018

One of my favourite desktop features added in 1Password 6.8 is using the arrow keys and the keyboard shortcuts to get around. I also find it extremely convenient using drag and drop to move text between Android apps. Now I can drag my credentials to sign into the Twitter app!

Give 1Password a try on your Chromebook and let us know what you think.

Until next year!

We all had a fun and productive week at Google I/O. It was my first time listening to Justice and Phantogram at the concert, and my god, do I love them! I have “Fall in Love” playing on repeat right now. 🕺

Google I/O sparked some great ideas that we’re eager to explore in 1Password on both Android and Chrome OS. Which of the showcased technologies are you excited to see in 1Password? Let me know in the comments below!

Using Splunk with 1Password Business

Jacob Wilson — Fri, 11 May 2018

1Password Business makes it easy to monitor events that happen on your team using the Activity Log, and you can take that to the next level by adding Splunk to the mix. Using the 1Password command-line tool, you can send your team’s 1Password activity to Splunk and keep track of it there alongside other happenings within your team.

One of Splunk’s most popular features is the ability to find events and trigger alerts based on them. For example, in your team you could set things up so the sysadmins are alerted whenever someone is added to the Owners group in 1Password. I’ll get into that example a bit more later in this post.

Set up the 1Password command-line tool

To kick things off, let’s set up the 1Password command-line tool, if you’re not using it already:

1Password command-line tool: Getting started

When setting up the tool, start by creating a custom group and giving it the View Admin Console permission so it can view the Activity Log, then add a user to that group. Once the tool is set up with that user’s account, get a session token:

$ op signin example

This will allow you to interactively enter the Master Password with secure input. Since you’re definitely putting this in a script, you’ll want to pass the Master Password through stdin to the op signin call to get your session token:

[password] | op signin example.1password.com wendy_appleseed@example.com A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX

To make things simpler, you can omit the email address and Secret Key from op signin since they are saved in ~/.op/config. You can then simplify the whole sign in step to one line by piping the Master Password to it:

gpg -q --decrypt password.enc | op signin example

To automate all this, though, you can get the Master Password from a secure storage location and pipe it to sign in. A HashiCorp vault is a good place to securely store the account’s Master Password. I’m using GPG in this example, but you can use KMS or something else that you’re comfortable with – just avoid echo. 😉

Start fetchin’ those audit events

Now that we have our session token, we can start getting some audit events. Create a script that’s run by a job scheduler such as cron at regular intervals (every 10 minutes should suffice). That script needs to:

Create the session like we just did above.
Read the last processed event ID from disk.
Fetch events newer than that ID.
Send the events to Splunk.
Save the latest event ID to disk.

To do this, we’ll be working with JSON, so JQ is a good idea if you’re working with bash; you could also use a scripting language that supports JSON, such as Python or Ruby.

You can fetch up to 100 events newer than $ID. To fetch them:

op list events $ID newer

To make sure you get all the events, you’ll need to run that until nothing is returned, since only 100 events are returned each time. This command will return a JSON array of event objects like this:

{
"eid": 392879,
"time": "2018-01-23T15:50:49Z",
"actorUuid": "YJTZ3RWWFRBNTF4M2YEEY3EPOQ",
"action": "join",
"objectType": "gm",
"objectUuid": "hd22y2bob6qdpap2ge6d7nn4yy",
"auxInfo": "A",
"auxUUID": "YJTZ3RWWFRBNTF4M2YEEY3EPOQ"
}

You can send all of the events in the array to Splunk at this point by using something like the Splunk universal forwarder.

Next, take the eid of the first object in that array and save it to disk so it can be used for the next fetch. If the array from op list events is empty, it means there are no newer events, and you’re done here — for now.

Get alerts about important actions in your team

Earlier I mentioned one such handy use for Splunk with 1Password Business would be to see when someone is added to the Owners group. To do this, you would find an event in the Activity Log that has:

action: join
objectType: gm (Group Membership)
objectUuid: your Owners group’s UUID, which you can get by opening https://start.1password.com/groups, signing in, and clicking Owners, then copying the UUID from the end of the address bar in your browser.

Every audit event comes with a actorUuid field. It’s a great identifier, but when perusing, we have no idea who YJTZ3RWWFRBNTF4M2YEEY3EPOQ is. To fix this up, let’s upgrade our script a bit. Before we fetch events, let’s get a user list with op list users. This will get us all users on the account along with some basic information like their name and email address. With that we can process each event object, look up the user by UUID, then add more descriptive information for when we send things to Splunk.

In this example case of sending an alert when someone is added to the Owners group, it’s probably nice to know who was added. The auxUUID field of the audit event will be the UUID of the user who was added to the group. You can do the same lookup that we did above for the actor. For many events, auxUUID will not be a user UUID, so make sure to fail gracefully there.

Now that we’ve set things up, whenever Splunk finds an event matching this, it’ll be able to alert your sysadmins via Slack or another method and let them know that Lorraine added Bobby to the Owners group. From there, they can take action if they need to.

Try it out and tell us what you think

When it comes down to it, sending your team’s 1Password activity to Splunk gives you one place to audit any administrative action your team has been taking in 1Password, alongside all the other tools your company uses. There are a lot of things you can look out for, from the Owners group example I mentioned before to knowing when someone adds or removes a team member from a vault or changes their permissions.

We’d love to hear how you set things up, so feel free to comment below or send us a message at support+cli@agilebits.com or start a discussion in our forum with suggestions, questions, and anything else you’d like to chat about!

Getting 1Password 7 ready for the Mac App Store

Jeff Shiner — Thu, 10 May 2018

1Password 7 has been in beta for 6 weeks now and the feedback has been fantastic. We are getting close to the official release date and have begun final preparations, including submitting 1Password 7 to the Mac App Store. 🎉

When 1Password 7 is released it will be available from the Mac App Store as well as our website, and will be available as both a subscription and a standalone license.

When adding 1Password 7 to the Mac App Store we needed to answer the following two questions:

Should it be a new app?
Should it support both subscriptions and licenses?

Ultimately we decided that 1Password 7 will be a new app in the Mac App Store, and available only as a subscription. I know that many of you will be curious about this, so I wanted to share with you why we decided on this approach.

Mac App Store and upgrades

The Mac App Store is one of the most convenient ways to purchase apps for your Mac. You can purchase with confidence, pay quickly in your local currency, and updates happen automatically. Overall it is a pretty sweet experience.

The App Store, for all it does well, struggles mightily when a paid upgrade is introduced because it does not allow developers to charge for an update to an existing app.

When considering a paid upgrade, developers have two choices: they can re-use their existing app or submit a new one. Both have their pros and cons.

Re-using an existing app

Developers are very creative and one approach that some have used to introduce paid upgrades is to re-use their existing app and offer an In-App Purchase to make the upgraded features available.

We actually went ahead and gave this an honest, if short-lived, try. Very quickly it became apparent that this would lead to a complete mess of spaghetti code as we tried to encapsulate new features. Worse yet, any significant UI updates (including the many we have in 1Password 7) were next to impossible to add as we’d have to keep the old UI around as well. Ultimately this proved infeasible and all my devs threatened to mutiny. 🙂

Submitting a new app

A new app avoids these issues, allowing us to keep our code base clean and my developers happy. It comes at a price though.

Introducing a new app means that everyone who wants the upgraded version needs to go back to the Mac App Store, find this new version, and download it.

We’ve done this before with 1Password 4 for iOS, and have the scars to prove it. Thousands of customers were confused when trying to update because their 1Password 3 app claimed to be up-to-date. To this day we have customers on 1Password 3 who do not realize a new version is out.

To be quite honest, one of the main reasons we haven’t had a paid upgrade on the Mac side for all these years is that we were dreading the pain this would cause us and our customers. However the time has come to bite the bullet and have a paid upgrade.

To avoid this pain in the future, this will be the last time we will be submitting a new app to the App Store. To make that possible, 1Password 7 will only be available as a subscription in the Mac App Store.

Mac App Store for subscriptions only

1Password subscriptions are eligible for free upgrades, meaning we can keep the same app in the App Store and seamlessly upgrade everyone to the new version as it comes out. This is just one of many the reasons why we love memberships.

If we were to sell standalone licenses in the Mac App Store we would have these same problems all over again when 1Password 8 is released. Ultimately this is why we decided not to sell licenses through the Mac App Store.

While still tough, this decision was easier to make as people looking for licenses will be able to download 1Password 7 directly from our website. I know this isn’t ideal for those who love the Mac App Store and prefer to purchase standalone licenses and I apologize for that. But overall I believe this was the correct decision to make.

I’ll be out at WWDC in a few weeks and would be more than happy to talk further if you have questions or are facing similar decisions with your own apps.

Learn how your business is using 1Password with reports

Jacob Wilson — Mon, 07 May 2018

One of the top requests we’ve gotten from teams using 1Password over the past few years is a way to see what items their team’s been using. With 1Password Business, we’ve added item usage reports, a new tool for you to see how the people on your team are using 1Password.

Know what your team can access

An administrator or owner on your team can create a report for a team member to see what items they’ve used, how many vaults and items they have access to, and more. To create your first report for a team member:

Sign in to your business account on 1Password.com.
Click People in the sidebar.
Click the name of a team member, then click Create Usage Report below their name.

We’ve designed reports to focus on the vaults that matter to you, so you’ll see items from shared vaults in a person’s report.

Know what’s being used in your vaults

You can also create a report for a vault to see what people have been using in it. To create a report for a vault:

Click Vaults in the sidebar.
Click the name of a vault, then click Create Usage Report below its name.

The handy thing about creating a report for a vault is that you can see what has been used often in that vault. Sorting by item name gives you an organized list, and each item will be shown as a separate entry for each person who has used it.

Know what to do when someone leaves your team

When someone leaves your team, you can suspend their account to revoke their access to vaults and items, then create a report to get an idea of what passwords you might need to change. Then you can click the item in the report and use 1Password to quickly change the password.

Keeping passwords in a shared vault in your team means any changes made to them will be available to the people who can access that vault right away. Then you can change the password to keep those accounts secure, and through the magic of shared vaults, everyone who needs that password will automatically get the new one so they can use it right away.

Start using reports

Usage reports are centered on the best part of any company: the people. They focus on the vaults someone has access to, as well as important dates, like when they joined the team or last signed in. And the best part is only the admins and owners of your team know which items and websites your team is using: we can’t see any of that.

The goal of reports is to help you make better judgments about whether Emmett or Lorraine really need to keep access to those potentially high-value resources. And if they don’t, you change their access to something that better suits them.

Learn more about creating reports in 1Password Business

This is only the beginning — we’d love your feedback on what else you’d like to see in the reports. Comment below to start a discussion or send us a message at business@1password.com to share some feedback.

Introducing Watchtower 2.0: The turret becomes a castle

Jeff Shiner — Fri, 04 May 2018

Introducing the all new Watchtower – it is absolutely gorgeous, and appears to be rather timely!

Twitter asked their 330 million users to change their password yesterday due to a security snafu, putting privacy and security at the forefront of everyone’s mind once again.

1Password includes Watchtower, with its suite of security tools, making it the easiest and most comprehensive way for you to check the security of all your passwords.

With a click of a button, Watchtower audits your passwords against a wide range of security vulnerabilities giving you an easy to read report with simple steps on how to fix any issues it finds.

Let’s take a look at some of the defences.

On the lookout for breaches

Watchtower will automatically notify you if there’s been a security breach for a website you use. A bright red bar that’s pretty darn hard to miss will display across the top of the item, prompting you to change the password for that site.

Please excuse me while I hop away for a sec and go change that Twitter password. 😀

A vanguard for pwned passwords

Watchtower can check your passwords to see if any have been exposed in a breach. Integrating with Troy Hunt’s haveibeenpwned.com service, your passwords are checked against over 500 million exposed passwords, highlighting any that are found.

To keep your passwords private, Troy found a brilliant way to check if passwords have been leaked without ever sending your password to his service.

Strong, unique passwords are your greatest defence

Using strong, unique passwords for every website is your surest way to keep safe. When a website is breached and your password compromised, that password can be used to sign in to other websites that use the same one. If you’ve reused that password elsewhere, you’re putting all those sites at risk.

Watchtower not only shows you which of your passwords should be stronger, it also alerts you when you’re using the same passwords for more than one website.

Now would be a great time to use Watchtower to see if you reused your Twitter password for your bank account 😱

A second line of defence

Enabling two-factor authentication (2FA) on websites is a great way to keep your accounts there safe. Watchtower will now let you know about websites you have saved in 1Password that support 2FA, but don’t have it enabled.

This gives you the chance to enable 2FA for those sites. When you enable 2FA, make sure to keep the one-time password in 1Password.

Don’t get caught off guard

Watchtower not only looks out for your passwords, but for you as well. It will now warn you if one of your credit cards, driver’s licenses, or passports are expiring soon, making sure you aren’t scrambling to make last-minute arrangements.

Here in Canada you can’t travel internationally if your passport expires within 6 months, so this can be a real life saver if you have that long-planned vacation coming up soon.

Try today with your 1Password membership

Watchtower is available today, so it’s time to give it a try now!

Sign in to your 1Password.com account, select a vault, and click Watchtower in the sidebar to create your report. If you don’t have a 1Password membership, start a free 30-day trial to get started.

Oh, and don’t forget to change your Twitter password :)

How strong should your Master Password be? For World Password Day we’d like to know

Jeffrey Goldberg — Thu, 26 Apr 2018

Just how strong should a 1Password Master Password be? We recommend that Master Passwords be generated using our wordlist generator using passwords that are four words long. This gets you something like “napery turnip speed adept”.

Among other things, this gives you the chance to learn new words. My dictionary has now informed me that “napery” means household linens such as table cloths and napkins. But let me move on from obscure vocabulary to asking about Master Password strength: What we know about Master Password strength, what we would like to know about it, and how can we get expert password crackers to help us learn?

That’s why we are announcing a password cracking challenge to be managed by Bugcrowd with cash money rewards. First prize earns $8192, second prize is half of that, and third prize is half again. The race ~~will begin~~ has begun at noon Eastern Time on World Password Day, May 3, 2018. For those who want to jump right to the contest details, without reading the rest of this, you can head right over to our Bugcrowd brief or to our description. The challenge hashes/keys are now available.

What is your Master Password for?

Your Master Password is your defense against someone who manages to steal your encrypted 1Password data from your own machines. Your data on our machines is also protected by your Secret Key, making Master Password guessing futile. Unlike a human usable password, your Secret Key is completely unguessable, and that is what makes what is stored on 1Password.com uncrackable.

But your Secret Key does not protect you if data is stolen from your own devices because your Secret Key is stored on your own devices. Likewise, our Multi-Factor Authentication only defends against attempts to connect to our systems. MFA doesn’t protect you from data acquired from your own machines. So when it comes to keeping 1Password data stored on your own machine from prying eyes, your Master Password is your defense. It needs to be as strong as you can reasonably use and it must be unique.

Consider Molly (a not all that bright dog), who has a Master Password of “RabbitHunter#1”. She also has some very important Login items, such as her PawPal account within 1Password. Now suppose that Mr Talk (the neighbor’s cat) has contrived to steal data off of Molly’s laptop, including her encrypted 1Password data.

Mr Talk will set up automated password guessing software to make many thousands of guesses per second. We can slow that down with PBKDF2, but Mr Talk is doing everything on his own machines and is not connecting to any of our systems. That is why MFA doesn’t do Molly any good in these circumstances. Now if Mr Talk has some expertise in password cracking and is willing to dedicate some computer power to this, he might be able to crack that Master Password within a few hours or maybe it would take a week. However long that is is how much time Molly has to change her PawPal password and other passwords that she keeps in 1Password.

Let’s suppose that Mr Talk got Patty’s data as well. But Patty (a clever dog) used our Strong Password Generator and ended up with a Master Password of “saddle harass mod gunk”. Even if Mr Talk dedicated enormous amounts of computer resources to this, it would take decades or centuries to crack that. So Patty remains safe because she used a strong, randomly generated Master Password.

Again, for Mr Talk to have a whisker of a chance of cracking any of these passwords, he’d need to get data directly from Patty and Molly’s system, which will also provide Mr Talk with their Secret Keys. Mr Talk would not be able to launch such an attack from data acquired from our systems.

Reducing the guesswork by measuring the guessing work

How did I come up with saying “hours to a week” for Molly’s and “decades to centuries” for Patty’s? I did so with a lot of guesswork. But we’d like to improve on that guess work, and the way to do that is to invite (incentivize) expert crackers to try to crack passwords and find out just how much work they have to put into it.

Now if my guess about decades is anywhere on target for the four word password, that is simply too large of a challenge. So we are presenting a number of keys derived from three word passwords from our password generator. We are also posting all the details about how they were generated and the wordlist used.)

We are also simplifying some of the odd details of our key derivation function to focus solely on the 100,000 rounds of PBKDF2-HMAC-SHA256. This will make it easier for participants to get set up without really affecting the result of what we are trying to measure with this exercise.

We want winners

We want people to win the prizes, and we want people going into this to know that we want people to win. Otherwise we wouldn’t get participants to put in the effort that we are trying to measure.

So let me remind everyone again, the challenges that we have created here do not have the protection of the Secret Key and they are using Master Passwords that are at the weaker end of what we recommend. This contest simulates attacking only one single component of 1Password security.

Knowing your system is a good thing

It’s been nearly seven years since we helped revive the notion of wordlist-based passwords with our article Toward Better Master Passwords. And one of the many virtues of generated passwords is that they remain strong even if the attacker knows how they were generated. So with that in mind, we are also publishing the source used to generate the challenges.

How long until we have answers?

If we knew how much effort it takes to crack a three word password, we wouldn’t be giving away money to find out, would we? We also don’t know what kinds of resources people will throw at the problem. If people or teams dedicate fleets of hashing rigs at the problem they will find things more quickly than someone who just uses a couple of more ordinary computers.

Money is time

It may be more useful to ask about the cost of cracking a password versus how much time it takes. In any particular cracking attempt there will be some combination of fixed costs and variable costs ranging from developing the expertise and equipment depreciation to the cost of the electricity used to run and cool the machines. We want to develop an estimate that considers the total cost. So we hope that the challenge takes long enough that the results will show a useful mixture of fixed and variable costs.

We’ve also structured the contest as a race. The first to find a password will earn ~~$8192~~ $12288, while the second place prize is ~~$2048~~ $8192. The third place prize is ~~$1024~~ $6144, And the fourth place prize is $4096.

My own wild guess is that it could take anywhere between $250 and $2000 worth of effort to crack one of these three word passwords from our list, and so we’re offering a first prize that is double the higher end guess. This way it should be worth their time to switch some of their coin mining rigs over to password cracking.

Update: Nearly three months into the contest it is clear that I underestimated the cost. We have increased the prizes twice by now (July 26, 2018), and are still not certain that it is enough. Join us and participants in the forums for discussion of updates in cost estimates and how we may ensure that this challenge is worthwhile to participations.

What now?

If you would like to participate, head over to Bugcrowd for the official rules and to get set up with them if you are not already a Bugcrowd researcher, as all submissions will go through them. Details can also be found in our crackme challenge Github repository.

If you’d like to just follow along at home before and after the starting gun on World Password Day, keep following us on Twitter, Facebook, or your favorite place to do such things. And if you would like to discuss things further, just join us in our discussion forums. We’ve set up a specific discussion in our Lounge for this discussion.

Multi-Factor Authentication in 1Password

Rick Fillion — Wed, 25 Apr 2018

The more the merrier, my mother likes to say. And why shouldn’t that apply to authentication factors? You have your Master Password and Secret Key, and they’re combined to be one amazingly strong factor via Secure Remote Password. We’ve added two more to the guest list, and you get to invite whichever you’d like.

Two-Factor Authentication

Two-factor authentication in 1Password is implemented with Time-based One-Time Passwords. Time-based One-Time Passwords is a mouthful, so forgive me for abbreviating it to TOTP from here on out. TOTP is a widely adopted standard and it’s a great way of adding a familiar additional factor to your authentication process.

When setting up two-factor authentication, you’ll be provided with a TOTP secret that you can store in an authenticator app of your choosing. 1Password has been a TOTP authenticator for years now and storing it there is very convenient, but we recommend also storing it in an authenticator app like Authy. Ideally you’d store it in both so you have access to it when needed. When it comes to backups, the more the merrier, just like Mom said! 🙂

Any time you sign in to your account from a new device you’ll be prompted for a one-time password. Use the authenticator app to get the current one-time password, punch it in and you’re off to the races.

Turning on two-factor authentication is a breeze. All you need to do is go to My Profile, choose ‘More Actions’ on the action bar on the left, then ‘Turn On Two-Factor Authentication’. From there instructions will have you set up in no time. Just make sure that you keep your TOTP secret safe as it’s going to be required any time you sign in from a new device.

Duo Security

Duo Security is a slightly different approach to protecting accounts and has been available as a beta feature in 1Password for a number of months. The feedback we’ve gotten from it has been unanimously positive, and Duo is now available for anyone using 1Password Teams or 1Password Business. The best part of Duo is that once configured by an administrator it will automatically apply to all members of the team.

When you sign in to 1Password, you’ll be prompted to send a push notification to your mobile device where you can either allow or deny the request to sign in.

Duo is a great option if you’re looking to enforce the use of an additional factor across a whole team.

Another Layer of Protection

The awesome part about these additional factors during authentication is that they get to stand on the shoulders of Secure Remote Password. The SRP handshake needs to occur and all additional factor requests get the benefits of that secure channel. Without SRP the same attacks that could disclose your password to an attacker eavesdropping on a connection could also disclose your additional authentication factor. SRP protects both your password and the additional factor. This also means that enabling two-factor authentication or Duo does not mean that you can have a weaker Master Password. They protect against very different things, and your Master Password is ultimately what’s protecting your data.

Supported Across All 1Password Apps

We’ve rolled out support for both Duo and TOTP in all of our apps. Windows, Mac, iOS, Android, Web, and Chrome. We’ve even added both to our 1Password CLI tool, and it’s pretty amazing to have a terminal emulator trigger a push notification to my iPhone. Just make sure that you’re using the latest versions of our apps and you’ll be set.

Meet the team that builds 1Password.com

Rick Fillion — Mon, 23 Apr 2018

Last week found a number of us flying out to Toronto for what we called RickConf (I swear I didn’t name it!). The weather did its best to try to get in our way as the ice storm caused some of us to arrive a day later than expected. We all made it though, and I think we all took turns assuring the Californians that this weather is not normal.

RickConf was an opportunity for everyone that works on 1Password.com to get together, hang out, and prototype some ideas for the future. 1Password is a remote company, so this is one of the few times per year where the whole team gets together. We think that it’s incredibly important that we get to know each other beyond the avatars we have on Slack.

I’d like to introduce you to the team, and help put faces to names you may have seen when emailing in with questions.

From left to right we have Jiannine, Jasper, Jacob, Betty, Rob, Meek, Brett, Isha, Connor, Matt, and finally myself. Not pictured here are Shiner and Roustem who are an absolutely critical part of our team, and spent the week with us as well.

Our team is responsible for the 1Password.com service which includes:

The server app that stores all of your encrypted secrets and coordinates the syncing of that data across all of your apps.
The web app that allows you to manage your account as well as view and edit the contents of your vaults.
The command-line utility that provides a way to programmatically interact with your account.
And finally the SCIM bridge that allows you to connect an identity provider like Azure Active Directory to your 1Password.com account for automated user provisioning and deprovisioning.

Last week we prototyped some new ideas for each of those four projects. I won’t go into what those were, but I’m super excited for us to polish up that code and get it into your hands.

Introducing 1Password Business

Jeff Shiner — Tue, 03 Apr 2018

Since 2015, over 30,000 businesses have signed up for 1Password Teams and discovered how 1Password can help them be secure while also increasing their productivity.

We’ve learned a lot by working with these companies and found that what works for a team of 20 doesn’t necessarily work for a company of 20,000. So we got to work.

Today, I am thrilled to announce the results of that work: 1Password Business. 🎉

1Password Business provides the features you need as a larger team. It gives you the tools to protect your employees, secure your most important data, and stay compliant. Your administrators will love it for the control it gives them, and your employees will love how easy it is to use.

Control access and be compliant

GDPR, HIPAA, SOC2, PCI, PIPEDA… man, there’re enough compliance requirements to make your head spin.

Thankfully, 1Password helps by keeping you in control of who has access to what. Each employee gets a place to store their private, work-related passwords. But there are times when passwords need to be shared. For those times, it’s easy to share passwords with only the people who need them.

Fine-grained permissions – give employees exactly the access they need.

Custom Groups and Roles – organize your staff and their access.

Device Restrictions – limit where access is granted.

Managed Travel Mode – restrict employee access when travelling.

We ourselves are growing quickly and long gone are the days where everyone worked on every project. We are looking to hire another 100 people this year, and 1Password helps us stay compliant with our SOC2 regulations as we grow.

Automated provisioning

Sometimes you are growing so fast, or have gotten so large, that no matter how simple the onboarding steps, they just aren’t fast enough. In these cases automation comes to your rescue.

Active Directory Integration – automate provisioning and de-provisioning.

Okta Integration – allow Okta to manage your team for you.

Command line Integration – integrate 1Password into your custom business flows.

Now that we are starting to use Azure AD ourselves, onboarding those next 100 people should be a breeze. 😉

Adding a second third factor

1Password protects your passwords behind both your Master Password and your Secret Key. Now you can add yet another layer of protection with our multi-factor authentication (MFA) support.

Team members can turn on two-factor authentication to further protect their 1Password accounts. Or, if your company uses Duo, you can require its use for your entire team.

Advanced auditing and reporting

In 1Password Business, we’ve created some super useful reports for you and your administrators. It’s never been easier to keep track of everything happening on your team.

Employee Access Report – see which shared passwords an employee has used.

Shared Password Report – audit shared passwords to see who has used them.

Activity Log – review administrative actions taken by your team.

Action Dashboard – view activities that are awaiting your action.

Free family accounts

Your business data is only as safe as your employees’ habits. If anyone brings unsafe password habits from home into your work environment, they put your entire business at risk. Now, you can protect your business by keeping those you work with safe at home.

With 1Password Business, each employee on your team gets a free 1Password Families membership. This way they can learn the habits they need to protect themselves and your company.

Try 1Password Business today

Sign up today for a free 30 day trial and see for yourself how 1Password can help your company. Your data will be more secure and your employees more productive than ever.

If you have any questions or would like to schedule a demo, contact our business team. We’ll be happy to show you how 1Password can work for your business. After using 1Password for a few weeks at your company I promise you’ll wonder how you ever lived without it!

MyFitnessPal Shows How to Handle a Breach

Dave Teare — Mon, 02 Apr 2018

We all witnessed something refreshing last week when MyFitnessPal announced their data breach. They were open and honest about what happened and they should be congratulated.

Many companies hide from the truth and make things much worse for themselves and their customers. Instead, MyFitnessPal did it right. Not only did they handle the disclosure with finesse, they also had excellent systems in place to limit the exposure of the leak.

MyFitnessPal provides a great case study on how to handle a data breach and protect customer information. Let’s start with the announcement itself.

The Announcement

First it needs to be said that it was awesome that there actually was an announcement and that it was published in a timely manner. This is a very good thing!

There was an in-app notification, direct emails, and a pinned Twitter post.

They also posted Frequently Asked Questions that were excellent and when I emailed their support team with some questions for this post, their automated reply included information about the breach and what they were doing to protect their customers.

MyFitnessPal was incredibly open and transparent about everything and at no point did they try to hide details from their users, myself included! That allowed me to update my password and get on with my life.

I wasn’t overly attached to qdd84b7UayEwM9J6dZV anyway so I didn’t mind changing it. And since I only used this password on myfitnesspal.com I didn’t need to update any other websites.

Strong unique passwords FTW! 🙂

Secure Handling of Passwords

Equally commendable was how MyFitnessPal stored passwords in their systems. Or more to the point, how they didn’t store passwords.

Many sites choose to store the plain text password, which is bad. The fact that Have I Been Pwned? now has over a half a billion plain text passwords in their database shows how prevalent this horrible bad practice is.

MyFitnessPal was much smarter than that as they never stored the actual password. Instead they stored a hash of the password, most of which were created using bcrypt. Our Chief Defender Against The Dark arts wrote at length about bcrypt and how it can be used to protect user passwords.

It’s possible to go even further than bcrypt and avoid sending passwords to the server by using Secure Remote Password. We use this in 1Password and are quite smitten with it.

Avoiding Other Sensitive Information

The other smart thing MyFitnessPal does that should be commended is collecting and storing the minimum amount of data. From their FAQ:

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

The easiest way to protect data is to not have it in the first place! We follow a similar mentality in 1Password and it’s refreshing to see other companies taking security and privacy seriously.

MyFitnessPal made some excellent design choices and quickly organized an effective response to a bad situation.

For those looking to learn more about the MyFitnessPal breach, Troy Hunt started his Weekly Update 80 with a full discussion on the subject that I found very intriguing, especially the strategy on how to migrate from a SHA-1 hash to using bcrypt.

P.S. A great deal of this post was inspired by an incredible letter I received from Benjamin Fox about how unique passwords helped him quickly recover from the MyFitnessPal breach. Thank you for the inspiration, Benjamin! ❤

Hi Dave,

I know you get hundreds of emails but I can’t help but send this email. I received an email from MyFitnessPal today and of course the news-breaking headlines.

In reading the email, I simply smiled. Headed to my 1password vault and checked the password.

Sure enough, there was a 40 character, numbers + symbols password. I smiled smugly and thought of you.

Your amazing product keeps my data safe every single day. I have not one single duplicated password. Back about 4 years ago I spent the entire weekend updating 200 plus sites with a unique password ( MyFitnessPal being one of them ).

I have recommended so many people to your platform knowing that you have an amazing product and just as importantly, a fantastic support team.

Take care my friend and I send you a warm-hearted thanks from Darwin, Northern Territory, Australia!

Keep doing what you’re doing!
Benjamin Fox.

We really do have the best users in the world. 😘

The 1Password 7 Beta for Mac Is Lit and You Can Be, Too

Dave Teare — Wed, 28 Mar 2018

Guess what, Mac fam? 1Password 7 for Mac is on its way! 🎉👏

This first beta is just a taste of what’s to come and it’s already packed full of new features and improvements. Here’s what we have so far.

Beta bling

The awesome starts with the lock screen but the real magic happens when those doors open.

1Password 7 comes at you fast with its bold, beautiful sidebar. The sidebar shows more information than ever, but the dark theme and monochrome icons allow you to focus your attention on what matters most: your items.

Drag and drop

You can now see all your vaults in the sidebar. This makes it easy to drag and drop items between vaults to organize them. You can even drag them between two different accounts. And if you drag items onto New Vault, a vault will be created for you right there and then. It’s never been easier to share and organize your information.

Easily edit vaults

With the new sidebar it seemed fitting to allow you to manage your vaults directly from there. So that’s what we did. Edit vault names, change their descriptions, choose an avatar or upload your own. All without ever leaving 1Password.

Rich formatting in notes

Are you feeling bold? How about emphatic? You can now express your emotions in secure notes. Use Markdown in any of your notes to add clickable links, ordered and unordered lists, and eye catching styles.

Nested tags

Tag fanatics rejoice! Not only can you organize your items with tags but you can also organize your tags. There’s an Inception joke here somewhere; while you wait for me to find it, add a forward slash to your tag names and 1Password will do the rest.

Pop-out items

If you use lots of different apps on your Mac or enjoy viewing multiple items at once, you’re going to love this: click the icon on the toolbar and your item details are whisked away into a new sticky window that will stick around until you dismiss it.

Our own font: Courier Prime Bits

No design is ever complete without finding the perfect font. We’ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely Courier Prime). Alan Dague-Greene is the creative genius behind this font and it makes your passwords look alive.

Finding pwned passwords 🕵🏼‍♀️

Troy Hunt has collected more than 500 million passwords from various breaches in his Have I Been Pwned? database. Easily check if your password is among them.

Secure Enclave for Touch ID

Secure Enclave protects your Master Password when Touch ID is enabled. This greatly improves your security when using Touch ID because the encryption keys are protected by the hardware in your Mac and are not accessible to any other programs or the operating system.

Safari App Extension

Our Safari extension now comes built in to 1Password 7. There’s no need to manage it separately, it updates whenever 1Password updates, and it’s more secure to boot!

Single process architecture

We completely rearchitected 1Password 7 to run within a single process. This eliminates connection issues between the main app and mini, greatly speeds up loading, and improves performance everywhere.

Grab bag of lit-ness

The changelog for beta 1 is huge. Coming in at nearly 100 additional features and improvements, it’s literally too much to read. Here are the CliffsNotes (or Coles Notes if you’re reppin’ Canada):

Collapse the sidebar entirely so your items get all the love
Share vaults directly from the sidebar
Easily see your currently selected vault and account
Login details now highlight one-time passwords
Tags are monogrammed with their initials
Select which vaults to focus on right from the sidebar
Quickly find items with our new Spotlight integration
Use Handoff to view iOS items right from your Dock
Login icons have never looked better

Get it now

Getting lit with beta 1 is easy!

Download 1Password 7 Beta For Mac

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when the beta first opens. Licenses will be available for $64.99 when we launch later this year, but are available now for only $39.99. You can also try a membership and start enjoying 1Password 7 today with your first month free.

We’re looking forward to sharing more surprises with you on our journey towards 1Password 7. In the meantime, please join us in our beta forums and help craft the future of 1Password. We always love hearing from you. 😘

P.S. This post was heavily inspired by asking the question that we should all ask ourselves from time to time: what would Drake say? I think I got close but if you know Drake, please ask and let me know. 🙂

Introducing 1Password 7 Beta for Windows

Dave Teare — Tue, 20 Mar 2018

1Password 7 for Windows is almost here! 🎉🙌 Today marks our first beta and you’re invited to join in on the fun.

This is a massive release where quite literally everything has changed. And with support for local vaults, everyone can enjoy the awesomeness that is 1Password 7 for Windows.

Read on to see what all the hullabaloo is about and I think you’ll find our excitement is quite contagious. 🙂

Incredible New Design

Our design team has been working their tails off making 1Password 7 for Windows the best it can be, so it seems fitting that we start by showing how great 1Password 7 looks.

The awesome starts with the lock screen.

Once you unlock 1Password with your Master Password (or Windows Hello), you’re in for a delightful surprise. I’ll let 1Password speak for itself here.

From the typography to the rich icons to the layout, everything has changed. Yet the soul of 1Password remains, so you’re able to jump right in and find everything you need.

The new sidebar is not only gorgeous but it’s more powerful, too. It allows you to navigate between your categories and tags just like you always could, but now your vaults live there as well.

All your vaults, all in one place

Organizing your items into vaults is a great way to keep your items tidy and share them with those who need them.

Vaults are so nice that you’ll find yourself adding lots of them. Thankfully the sidebar makes it easy to see every vault you have at a glance. If you want to zoom in and see all the items in a vault or an account, just click on it. When you’re ready to zoom out again, click All Vaults to see all your items.

Between my AgileBits business and Teare family accounts, I now have over 50 vaults. Being able to switch between vaults and accounts makes it super simple to stay focused on the task at hand. Which is perfect for those days when I need to find my mom’s Pokémon password. 🙂

Small passwords. Large passwords!

If you spend as much time looking at computer screens as I do, your eyes will love our new Large Type. Passwords have never looked better!

This is great when you need to type a password into another app. But for browsers, 1Password mini will take care of this large task for you.

1Password mini is always by your side

To keep up with their bigger sibling, 1Password mini has a new design of their own and has learned some new tricks as well. As always, mini will automatically find the logins that are most relevant to the website you are on, making it super easy to sign in.

And if a website has been breached, mini will alert you so you know which of your logins need to have their passwords changed.

You can also open logins directly within your browser. And as an added bonus, your password will also be filled automatically after the page opens, making 1Password a great way to bookmark websites.

Designed for everybody

We wanted to create 1Password 7 for everybody and be as inclusive as possible. That started with allowing you to sync your vaults yourself as well as supporting 1Password accounts.

1Password also speaks your language and has been localized into 9 languages, including Français, Deutsch, Italiano, 日本語, 한국어, Português, Pyсский, and Español.

And for those of you who rely on assistive technologies, rest assured that 1Password 7 is fully accessible. Accessibility is near and dear to my heart and I’m looking forward to seeing your feedback on this beta.

Why hello there, Windows Hello

We also added support for Windows Hello so you can unlock 1Password using your fingerprint or simply your smile. This works great in the main app as well as in mini.

To keep things as secure as possible, the first time you unlock 1Password you will need to provide your Master Password. Windows Hello will then be able to unlock 1Password afterwards.

Pricing

1Password 7 is included free with every 1Password membership. This includes individual accounts, as well as anyone who is part of a family or team. If this is you, you’re all set! Jump to the next section to get started with the beta.

For standalone license holders, 1Password 7 for Windows will be a paid upgrade. Once 1Password 7 for Windows is officially released later this year, a new license will be required and will cost $64.99.

If you join the beta you will get access to a special discount to show our thanks for helping us get the beta polished. The code hasn’t been written yet, but in the next few months an upgrade window will appear, giving you the opportunity to purchase your license for just $39.99.

So join the beta, give us your feedback, and save! Here’s how…

Join our beta family

Intrepid testers who enjoy being on the cutting edge can jump right in by downloading the beta today.

Download the 1Password 7 Beta for Windows

Please see our release notes for known issues and join us in our discussion forum to let us know what worked great and where we need to improve.

We wouldn’t be here without you so thanks again for all your help! 😘

1Password X: Better, Smarter, Faster, and Japanese! マジで!

Dave Teare — Tue, 13 Mar 2018

If you’re new to 1Password X, you’re in for a treat! 1Password X is a full featured version of 1Password that runs entirely within your web browser. It’s great if you’re using Linux or Chrome OS and has quickly become my favourite way to enjoy 1Password on the web.

Since launching in November we’ve been hard at work exploring what’s possible and polishing everything else. I’d love to share with you what’s new since 1Password X blasted off! 🚀

Our best password generator yet

One of the things that we wanted to explore in 1Password X was how could we make our beloved password generator even better. And we were willing to go back to the drawing board to make it happen.

We started by suggesting new passwords directly within websites:

Just click Use Suggested Password when signing up and you’ve secured this website. It’s incredibly easy and perfect for most sites.

Some websites, however, don’t accept long passwords. Or sometimes you need a memorable password or a numeric PIN code.

1Password X now has a fully customizable password generator and it’s our best one yet! When you need a custom password just open 1Password from the toolbar and bring up the password generator:

In addition to looking amazing, our new generator is more powerful and easier to use than ever. You can customize everything and choose between different kinds of passwords depending on your needs.

I’ve always enjoyed the simplicity of our password generator and didn’t want to lose that as we added more options. I’m incredibly thankful that our designers found a way to pack so much power into such a simple and beautiful window.

Smarter filling and saving

Using machine learning, we can now distinguish between registration forms and sign-in forms. This is incredibly cool as it allows us to anticipate what you need and suggest appropriate actions.

When you’re on a sign-in form, 1Password X will offer to fill it for you. If you’re on a registration form, it will suggest a strong, unique password for you to use. And if you need to change an existing password, 1Password X can help you there, too:

Along with these more visible improvements, we also greatly improved form filling all around (especially credit cards and identities) and added support for those running in Incognito mode.

Faster everything

Feel the need for speed? 1Password X is packed full of it! Unlocking 1Password is now over 30 times faster and loading your items is instantaneous.

I’m now able to unlock 1Password X on my 2014 MacBook Pro faster than I can type my Master Password. I have over 3000 items in 50+ vaults spanning two accounts and I have access to everything I need before I can say “oh my”. 🙂

In addition to blazing unlock speeds, you’re also able to view your item details and fill Logins faster than ever.

To achieve this incredible speed, 1Password X caches your encrypted data locally so it’s always available. That means you always have access to your data, even when you don’t have internet or are on spotty Wi-Fi.

And so much more

We’ve added over 120 new features and improvements to 1Password X since our inaugural 1.0 release. In addition to the highlights above, some more of our favourites include creating new items, customizable auto-lock settings, and full support for Japanese!

To get started, all you need to do is install 1Password X and sign in to your 1Password account.

Oh, and there’s one more thing

1Password X initially came out for Google Chrome and since then we’ve added support for Vivaldi, Ghost Browser, and coming very soon, Opera. But as much as I love Chrome and its Chromium-based relatives, it’s time for 1Password X to support more browsers.

Mozilla does an amazing job of keeping the web an open and inclusive space for everyone to enjoy, and we want to support that. So that’s what we’re going to do! 1Password X is coming to Firefox. 🎉 🙌

We have an internal build of 1Password X running on Firefox Nightly already and we’re almost ready to share it with adventurous testers. If that’s you, please give us your email and we’ll be in touch.

There are even more exciting things planned for 1Password X and I hope to share them with you soon. Your feedback is immensely valuable in helping us set priorities so please join us in our 1Password X forum and say hi.

Onward and upwards! 🚀 😘

Install 1Password X

Give the gift of 1Password

Jeff Shiner — Tue, 27 Feb 2018

Ever since we launched 1Password memberships, people have been asking us how they can gift 1Password to their friends and loved ones. As you might expect, we see the most interest around the holidays, and this past holiday season was no different. I always thought it was a great idea, but we didn’t have a good answer – until now.

$125 for only $99 🎉

With 1Password Gift Cards, you can help anyone stay safe online. Give them to others or redeem them for yourself. You can purchase them in amounts of $25, $50, or $125. And because everyone loves to save money, we put the $125 gift cards on sale for only $99!

Get a 1Password Gift Card

PayPal and more

Another request we’ve seen is the ability to pay for a 1Password membership without using a credit card. Gift cards make that easy.

You can purchase 1Password Gift Cards with PayPal, and – because it’s 2018 – cryptocurrencies, like Bitcoin, Ethereum, and Litecoin. You can even use 1Password to manage your cryptocurrencies.

And for those of you who are like myself – a bit old-fashioned – credit cards are still an option as well. 😉

Gifts are for everyone

Giving the gift of 1Password is incredibly easy. When you purchase a gift card, you’ll receive an email with the gift code. Simply forward that email to your friend or loved one, and they can sign up for 1Password to redeem the gift card or apply it to the 1Password membership they already have.

And you don’t even have to limit gift cards to people you like. You can send one to someone you don’t like. Maybe it’ll be the beginning of a beautiful friendship. 😊

How to use 1Password to manage cryptocurrency

Lisa Verheul — Wed, 21 Feb 2018

In 2017, the cryptocurrency market skyrocketed to over $600 billion. It’s the digital gold rush, and everyone wants their share. The lure of riches is too much to ignore, but there are also enormous risks. We can’t teach you how to make the best investments, but we can help you manage your cryptocurrencies securely.

I’ve been trading crypto for a while now, and to be perfectly honest, none of it would be possible without 1Password. It helps me stay secure, and creating and managing all of my credentials – 46 and counting – is an absolute breeze.

My #1 rule: Set up 1Password before investing in crypto

Before you invest in crypto, you need to take your security seriously. The best way to do that is with 1Password. I’ve seen people invest without using a password manager at all, and I’m seriously terrified for them. They create weak passwords, which they store on a piece of paper or unencrypted on their device. Or, like a number of early bitcoin investors discovered, they no longer remember their credentials. So while they may have thousands of dollars stored in a digital wallet somewhere, it’s lost forever.

There have already been reports of people losing over $100,000 by accessing their accounts on public Wi-Fi, or signing in to a fake website. While 1Password can’t protect you from insecure networks (if it’s unavoidable, always use a VPN like Encrypt.me), we can protect you from phishing sites, weak and duplicate passwords, and a foggy memory.

How to use 1Password to store your crypto

So just how can you use 1Password to manage your crypto? It depends what you’re storing: account credentials, private keys, wallet seeds and backups, or crypto addresses. I’ll shed some light on how I use 1Password to manage them all.

Exchange accounts

Exchanges are where all the action takes place. After you’ve purchased some crypto, you can send it to an exchange and trade it for any other coin on offer. Unless you only trade the top 20, you’ll need to sign up for a few exchanges to buy the coins you want.

When I sign up for an exchange like Bittrex, Binance, or Kucoin, I save it as a Login item, just as I would for a regular account. I enable 2-factor authentication using one-time passwords, and I strongly recommend you do the same before depositing money there.

When I want to sign in, 1Password fills my username and password, and copies my one-time password to the clipboard for easy retrieval. Plus, it won’t fill my details anywhere except the specified URL, keeping me well protected from both man-in-the-middle and phishing attacks.

Wallets

If the collapse of Mt Gox taught us anything, it’s that you should always take your coins off an exchange. To keep them safe, you’ll need to set up some wallets. Cryptocurrency wallets allow you to interact with the blockchain to store, send, and receive crypto. Because most coins have their own blockchain, you’ll likely need more than one.

There are 3 main wallet types: software, hardware, and paper. Many people prefer hardware wallets like the Ledger Nano because they’re not connected to the internet. My only advice here? Don’t buy one second hand.

I’m worried I’d lose a hardware wallet, so I use a mix of paper and software wallets and store the details in 1Password. I set up my software wallets on an encrypted Virtual Machine with the password saved as a Login item. I create a Login item for each wallet (software and paper), and use the password generator to create a wallet seed or passphrase.

If my wallet address won’t change, I set it as the username. If I create multiple addresses, I add them to a new section called Addresses for easy retrieval. And if I need to save private keys, I add a new field to the Login item, label it Private Key and set it as a password so it’s always concealed.

Once my wallet is encrypted, I save a backup and attach it to the Login item in 1Password. This way, if I ever lose my MacBook Pro, I can restore the wallets on another computer using my wallet backups and credentials.

To help me see how my coins are spread, I can use the notes section to keep a tally. I find this especially helpful for keeping track of coins in MyEtherWallet, a paper wallet that stores both Ethereum and ERC20 tokens.

Cryptocurrency addresses

Much like a bank account, if someone in my family wants to send me crypto, they’ll need to know my wallet address and the currency tied to it. 1Password covers that, too. I simply create a Bank Account item and name it after the currency. I use the name of the wallet for the bank, and insert my wallet address into the account number field. Then I just add it to our Shared vault so it’s there whenever they need it.

Organise your crypto with tags

I have a lot of data in my vaults, and with my crypto items growing rapidly, I need a good way to organise them. Luckily, that’s a simple fix. All I need to do is tag them crypto and I can see everything at a glance.

Pay for your 1Password account with crypto

If you ever wanted to pay for your 1Password account with crypto, now you can. We’ve released 1Password Gift Cards as an alternative payment option, which you can purchase with Bitcoin, Ethereum, Litecoin, and Bitcoin Cash. When you get to the checkout, choose Coinbase as your payment method and complete your order in the cryptocurrency of your choice. Once your payment has cleared and you’ve received your gift card, you can redeem it by adding the code to your Billing page.

1Password is for Families

Sara Teare — Fri, 16 Feb 2018

Today we’re celebrating Family Day here in Ontario and throughout other parts of Canada. It’s a great way to remind ourselves of the people in our lives who are always here when we need them. Family can mean a lot of different things – my brother-in-law Mike calling to ask if I need help shovelling snow, my aunt sharing a new card game, or a friend who needs a ride to an appointment – in the end, family means “together”.

Most of the time, sharing lives together is as simple as sharing a meal, sharing how your day was, and – these days – sharing Wi-Fi passwords and Netflix accounts. 1Password Families can’t cook for you or get your kids to clean their rooms, but it’s great with online accounts. In fact, it’s great for sharing a lot more than passwords, too.

The Winter Olympics in Pyeongchang got me thinking about international travel, and I’m reminded of Jeff’s post about his son’s trip to Texas. He used 1Password Families to help his son prepare for his trip to the USA for an international gymnastics training camp. I’ll let him tell the story:

I created a Texas Trip vault [and] added our passports, contact info, and a credit card for emergencies (new headphones are not an emergency). In went the flights, insurance policies, consent forms, and all the rest. Finally, I added passwords for all the ways he could reach us, from Skype to FaceTime to Zoom; although, trying to get a 15-year-old to actually talk to his parents was another matter.

It was really quite reassuring to know that all of that information was there for him to easily access on either his Mac or his iPhone.

And that’s just one example. There are as many different ways to use 1Password Families as there are families. You get to choose who has access to shared information, and everyone gets their own personal vault for stuff that’s private. But no matter what you share with your family, you can be sure that your secrets are safe.

Recovering your peace of mind

One of my favourite taglines for 1Password is “Go ahead, forget your passwords”. Taking that plunge into a world of not knowing my passwords was scary, but now that I’m here, I can’t imagine going back. There’s only one password I need to remember now: my Master Password. But what happens if I forget that?! I’d normally start to feel my peace of mind slip away just thinking about that, but thanks to my family, I don’t have to worry.

Nobody at 1Password ever has access to your information. That means that if you forget your Master Password, we can’t help you recover your account. But if you have a 1Password Families membership, you can designate another family member who can help you recover your account. You get to have peace of mind because you’re in control.

Make the switch

If you have a 1Password account and have been considering inviting your family, there’s never been a better time. There are a ton of benefits to 1Password Families, some of which I mentioned above. A family account lets you:

Share vaults securely. Shared vaults show up on your family’s devices instantly.
Recover accounts. If someone in your family forgets their Master Password or can’t find their Secret Key, a family organizer can help recover their account.
Simplify payment. A single subscription covers a family of 5, with room to grow.

Upgrading to a family account is as easy as inviting more people.

Simply sign in to your account on 1Password.com and click Invite People in the sidebar. 😀

Love for our 1Password Family

With that, I’d like to wrap this up with a special thank you to all of our extended 1Password family members. Without the lovely people I work with every day and all the amazing customers who have supported us over the years, 1Password wouldn’t be where it is today. Thank you! And I mean it when I say we have amazing customers. Dave and I were recently away and came back one day to our room and saw this on the door:

It’s heartwarming to be making connections with people, and we’re so glad we’ve had the chance to be a part of your lives! ❤️

Developers: How we use SRP, and you can too

Rick Fillion — Wed, 14 Feb 2018

1Password uses a multi-layered approach to protect your data in your account, and Secure Remote Password (SRP) is one of those very important layers. Today we’re announcing that our Go implementation of SRP is available as an open source project. But first, I’d like to show you the benefits SRP brings as an ingredient in the 1Password security parfait.

Donkey: Oh, you both have layers. Oh. You know, not everybody likes onions. Cake! Everybody loves cake! Cakes have layers!

Shrek: I don’t care what everyone likes! Ogres are not like cakes.

Donkey: You know what else everybody likes? Parfaits! Have you ever met a person, you say, “Let’s get some parfait,” they say, “Hell no, I don’t like no parfait”? Parfaits are delicious!

Parfaits: delicious and secure

The first layer of security in 1Password, your Master Password, protects your data end to end – at rest and in transit – but we wanted to go further. The second layer is something we call Two-Secret Key Derivation. It combines your Secret Key with your Master Password to greatly improve the strength of the encryption. Thanks to your Secret Key, even if someone got your data from our servers, it would be infeasible to guess your Master Password.

That still wasn’t enough for us, though. When we first started planning how we were going to securely authenticate between 1Password clients and server, we had a wish list. We wanted to ensure that:

your Master Password is never transmitted or stored on the server.
eavesdroppers can’t learn anything useful.
the identity of user and server are mutually authenticated.
the authentication is encryption-based.

There was actually one other requirement that wasn’t exactly part of the list but applied to every item in the list: we didn’t want to roll our own solution. We know better than to roll our own crypto, and we wanted to find a proven solution that’s been around and has stood the test of time.

We wanted this layer to be just right.

SRP: a hell of a layer

It took us a while to find what we needed for this layer. (Apparently the marketing department of augmented password-authenticated key agreement protocols is underfunded.) But we eventually found SRP, which ticked all our boxes. SRP is a handshake protocol that makes multiple requests and responses between the client and the server. Now, that may not sound very interesting – and I’m not one to show excitement easily – but SRP is a hell of a layer. With SRP we can:

authenticate without ever sending a password over the network.
authenticate without the risk of anyone learning any of your secrets – even if they intercept your communication.
authenticate both the identity of the client and the server to guarantee that a client isn’t communicating with an impostor server.
authenticate with more than just a binary “yes” or “no”. You actually end up with an encryption key.

All this makes SRP a great fit for 1Password, and it keeps your data safe in transit. As an added bonus, because SRP is encryption-based, we end up with a session encryption key we can use for transport security (the fourth layer) instead of relying on just Transport Layer Security (TLS).

So that’s four layers of protection for your 1Password account: Master Password, Secret Key, SRP, and TLS. Now I’d love to show you how SRP works step by step in 1Password.

How 1Password uses SRP

Before any authentication can be done, the account needs to be enrolled. 1Password does this when you create an account. To use SRP, you’ll need a couple different things:

a key derivation function (KDF) that will transform a password (and, in our case, also your Secret Key) into a very large number. We’ve chosen PBKDF2.
an SRP group consisting of two numbers: one very large prime and one generator. There are seven different groups; we’ve chosen the 4096-bit group.

Enrollment

To enroll, the client sends some important information to the server, and the server saves it:

The client generates a random salt and Secret Key.
The client asks the user for a Master Password.
The client passes those three values to the KDF to derive x.
The client uses x and the SRP group to calculate what’s called a verifier.
The client sends the verifier, salt, and SRP group to the server.
The server saves the verifier and never transmits it back to the client.

Now the account is ready for all future authentication sessions.

Authentication

To authenticate, the client and server exchange non-secret information. Then the client combines that with a secret that only it knows and the server combines it with a secret only it knows:

The client requests the salt and the SRP group from the server.
The client asks the user for the Master Password and Secret Key.
The client passes those three values (minus the SRP group) to the KDF to derive x.
The client:
1. Generates a random secret number a.
2. Uses the SRP group to calculate a non-secret counterpart A.
3. Sends A to the server.
The server:
1. Generates a random secret b.
2. Uses the SRP group to calculate a non-secret counterpart B.
3. Sends B to the client.

So A and B are exchanged, but a and b remain secrets. Through the power of math, the client (with x, a, B) and the server (with the verifier, A, b) can both arrive at the same very large number using different calculations. This is the number that 1Password uses as a session encryption key.

Verification

The last step is verification. After all, no amount of fancy math will help if the numbers don’t match up between client and server.

To verify, the client and server exchange encrypted messages:

The client encrypts a message with the session encryption key and sends it to the server.
The server decrypts the message and verifies it.
The server encrypts its own message with the same session encryption key and sends it to the client.
The client decrypts the message and verifies it.

If the client and server both used the correct inputs then they’ll both have the same session encryption key, which allows them to decrypt and verify the message. If they don’t use the correct inputs, everything fails.

The verification process proves to the server that the client has x, which can only be derived using the correct Master Password and Secret Key. It also proves to the client that the server has the verifier, which ensures that the client is communicating with the 1Password server, not an impostor.

Now that it has been verified, the session encryption key can be used to encrypt every message between the client and server going forward.

As you can see, it’s critical to remember your Master Password and keep your Secret Key safe if you ever want to authenticate your 1Password account. They’re also very important layers, after all. 🙂 And, like any good parfait, everything comes together to create something better than the individual layers alone.

Implement SRP in your own app

We love SRP so much that we want to see it used in more of the apps we use. That’s why we want to help you get started with SRP in your own project. Our Go implementation of SRP is available as an open source project:

GitHub: agilebits/srp

This package provides functions for both clients and servers, and you only need to BYOKDF (Bring Your Own Key Derivation Function, like any good party). It’s the same code we’re using on our server and in the 1Password command-line tool, so we welcome security researchers to take a look and report any issues through the 1Password Bugcrowd bug bounty program.

SRP is one of the less appreciated parts of 1Password, and I hope I’ve explained it well enough for you to implement it in your own project. You can read more about how we use SRP in the 1Password Security Design White Paper. Leave a comment if you have any questions, or file an issue if you see something that can be improved.

Until next time, enjoy that parfait!

Terraforming 1Password

Roustem Karimov — Thu, 25 Jan 2018

A tweet i posted a few days a go generated quite a bit of interest from people running or managing their services, and I thought I would share some of the cool things we are working on.

1Password servers will be down for the next few hours. We are recreating our entire environment to replace AWS CloudFormation with @HashiCorp Terraform. It is like creating a brand new universe, from scratch.
— Roustem Karimov (@roustem) January 21, 2018

This post will go into technical details and I apologize in advance if I explain things too quickly. I tried to make up for this by including some pretty pictures but most of them ended up being code snippets. 😊

1Password and AWS

1Password is hosted by Amazon Web Services (AWS). We’ve been using AWS for several years now, and it is incredible how easy it was to scale our service from zero users three years ago to several million happy customers today.

AWS has many geographical regions. Each region consists of multiple independent data centres located closely together. We are currently using three regions:

N. Virginia, USA us-east-1
Montreal, Canada ca-central-1
Frankfurt, Germany eu-central-1

In each region we have four environments running 1Password:

production
staging
testing
development

If you are counting, that’s 12 environments across three regions, including three production environments: 1password.com, 1password.ca, and 1password.eu.

Every 1Password environment is more or less identical and includes these components:

Virtual Private Cloud
Amazon Aurora database cluster
Caching (Redis) clusters
Subnets
Routing tables
Security roles
IAM permissions
Auto-scaling groups
Elastic Compute Cloud (EC2) instances
Elastic Load Balancers (ELB)
Route53 DNS (both internal and external)
Amazon S3 buckets
CloudFront distributions
Key Management System (KMS)

Here is a simplified diagram:

As you can see, there are many components working together to provide 1Password service. One of the reasons it is so complex is the need for high availability. Most of the components are deployed as a cluster to make sure there are at least two of each: database, cache, server instance, and so on.

Furthermore, every AWS region has at least two data centres that are also known as Availability Zones (AZs) – you can see them in blue in the diagram above. Every AZ has its own independent power and network connections. For example, Canadian region ca-central-1 has two data centres: ca-central-1a and ca-central-1b.

If we deployed all 1Password components into just a single Availability Zone, then we would not be able to achieve high availability because a single problem in the data centre would take 1Password offline. This is why when 1Password services are deployed in a region, we make sure that every component has at least one backup in the neighbouring data centre. This helps to keep 1Password running even when there’s a problem in one of the data centres.

Infrastructure as Code

It would be very challenging and error-prone to manually deploy and maintain 12 environments, especially when you consider that each environment consists of at least 50 individual components.

This is why so many companies today switched from updating their infrastructure manually and embraced Infrastructure as Code. With Infrastructure as Code, the hardware becomes software and can take advantage of all software development best practices. When we apply these practices to infrastructure, every server, every database, every open network port can be written in code, committed to GitHub, peer-reviewed, and then deployed and updated as many times as necessary.

For AWS customers, two major languages could be used to describe and maintain the infrastructure:

CloudFormation is an excellent option for many AWS customers, and we successfully used it to deploy 1Password environments for over two years. At the same time we wanted to move to Terraform as our main infrastructure tool for several reasons:

Terraform has a more straightforward and powerful language (HCL) that makes it easier to write and review code.
Terraform has the concept of resource providers that allows us to manage resources outside of Amazon Web Services, including services like DataDog and PagerDuty, which we rely on internally.
Terraform is completely open source and that makes it easier to understand and troubleshoot.
We are already using Terraform for smaller web apps at AgileBits, and it makes sense to standardize on a single tool.

Compared to the JSON or YAML files used by CloudFormation, Terraform HCL is both a more powerful and a more readable language. Here is a small example of a snippet that defines a subnet for the application servers. As you can see, the Terraform code is a quarter of the size, more readable, and easier to understand.

CloudFormation

"B5AppSubnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": { "Fn::Select" : ["0", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
"AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]},
"VpcId": { "Ref": "Vpc" },
"Tags": [
{ "Key" : "Application", "Value" : "B5" },
{ "Key" : "env", "Value": { "Ref" : "Env" } },
{ "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet1"]] } }
]
}
},
"B5AppSubnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": { "Fn::Select" : ["1", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
"AvailabilityZone": { "Fn::Select" : [ "1", { "Fn::GetAZs" : "" } ]},
"VpcId": { "Ref": "Vpc" },
"Tags": [
{ "Key" : "Application", "Value" : "B5" },
{ "Key" : "env", "Value": { "Ref" : "Env" } },
{ "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet2"]] } }
]
}
},
"B5AppSubnet3": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": { "Fn::Select" : ["2", { "Fn::FindInMap" : [ "SubnetCidr", { "Ref" : "Env" }, "b5app"] }] },
"AvailabilityZone": { "Fn::Select" : [ "2", { "Fn::GetAZs" : "" } ]},
"VpcId": { "Ref": "Vpc" },
"Tags": [
{ "Key" : "Application", "Value" : "B5" },
{ "Key" : "env", "Value": { "Ref" : "Env" } },
{ "Key" : "Name", "Value": { "Fn::Join" : ["-", [ {"Ref" : "Env"}, "b5", "b5app-subnet3"]] } }
]
}
},

Terraform

resource "aws_subnet" "b5app" {
count = "${length(var.subnet_cidr["b5app"])}"
vpc_id = "${aws_vpc.b5.id}"
cidr_block = "${element(var.subnet_cidr["b5app"],count.index)}"
availability_zone = "${var.az[count.index]}"
tags {
Application = "B5"
env = "${var.env}"
type = "${var.type}"
Name = "${var.env}-b5-b5app-subnet-${count.index}"
}
}

Terraform has another gem of a feature that we rely on: terraform plan. It allows us to visualize the changes that will happen to the environment without performing them.

For example, here is what would happen if we change the server instance size from t2.medium to t2.large.

Terraform Plan Output

#
# Terraform code changes
#
# variable "instance_type" {
# type = "string"
# - default = "t2.medium"
# + default = "t2.large"
# }
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement
Terraform will perform the following actions:
-/+ module.b5site.aws_autoscaling_group.asg (new resource required)
id: "B5Site-prd-lc20180123194347404900000001-asg" => (forces new resource)
arn: "arn:aws:autoscaling:us-east-1:921352000000:autoScalingGroup:32b38032-56c6-40bf-8c57-409e9e4a264a:autoScalingGroupName/B5Site-prd-lc20180123194347404900000001-asg" =>
default_cooldown: "300" =>
desired_capacity: "2" => "2"
force_delete: "false" => "false"
health_check_grace_period: "300" => "300"
health_check_type: "ELB" => "ELB"
launch_configuration: "B5Site-prd-lc20180123194347404900000001" => "${aws_launch_configuration.lc.name}"
load_balancers.#: "0" =>
max_size: "3" => "3"
metrics_granularity: "1Minute" => "1Minute"
min_size: "2" => "2"
name: "B5Site-prd-lc20180123194347404900000001-asg" => "${aws_launch_configuration.lc.name}-asg" (forces new resource)
protect_from_scale_in: "false" => "false"
tag.#: "4" => "4"
tag.1402295282.key: "Application" => "Application"
tag.1402295282.propagate_at_launch: "true" => "true"
tag.1402295282.value: "B5Site" => "B5Site"
tag.1776938011.key: "env" => "env"
tag.1776938011.propagate_at_launch: "true" => "true"
tag.1776938011.value: "prd" => "prd"
tag.3218409424.key: "type" => "type"
tag.3218409424.propagate_at_launch: "true" => "true"
tag.3218409424.value: "production" => "production"
tag.4034324257.key: "Name" => "Name"
tag.4034324257.propagate_at_launch: "true" => "true"
tag.4034324257.value: "prd-B5Site" => "prd-B5Site"
target_group_arns.#: "2" => "2"
target_group_arns.2352758522: "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e" => "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-8080-tg/33ceeac3a6f8b53e"
target_group_arns.3576894107: "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4" => "arn:aws:elasticloadbalancing:us-east-1:921352000000:targetgroup/prd-B5Site-80-tg/457e9651ad8f1af4"
vpc_zone_identifier.#: "2" => "2"
vpc_zone_identifier.2325591805: "subnet-d87c3dbc" => "subnet-d87c3dbc"
vpc_zone_identifier.3439339683: "subnet-bfe16590" => "subnet-bfe16590"
wait_for_capacity_timeout: "10m" => "10m"
-/+ module.b5site.aws_launch_configuration.lc (new resource required)
id: "B5Site-prd-lc20180123194347404900000001" => (forces new resource)
associate_public_ip_address: "false" => "false"
ebs_block_device.#: "0" =>
ebs_optimized: "false" =>
enable_monitoring: "true" => "true"
iam_instance_profile: "prd-B5Site-instance-profile" => "prd-B5Site-instance-profile"
image_id: "ami-263d0b5c" => "ami-263d0b5c"
instance_type: "t2.medium" => "t2.large" (forces new resource)
key_name: "" =>
name: "B5Site-prd-lc20180123194347404900000001" =>
name_prefix: "B5Site-prd-lc" => "B5Site-prd-lc"
root_block_device.#: "0" =>
security_groups.#: "1" => "1"
security_groups.4230886263: "sg-aca045d8" => "sg-aca045d8"
user_data: "ff8281e17b9f63774c952f0cde4e77bdba35426d" => "ff8281e17b9f63774c952f0cde4e77bdba35426d"
Plan: 2 to add, 0 to change, 2 to destroy.

Overall, Terraform is a pleasure to work with, and that makes a huge difference in our daily lives. DevOps people like to enjoy their lives too. 🙌

Migration from CloudFormation to Terraform

It is possible to simply import the existing AWS infrastructure directly into Terraform, but there are certain downsides to it. We found that naming conventions are quite different and that would make it more challenging to maintain our environments in the future. Also, a simple import would not allow us to use the new Terraform features. For example, instead of hard-coding the identifiers of Amazon Machine Images used for deployment we started using aws_ami to find the most recent image dynamically:

aws_ami

data "aws_ami" "bastion_ami" {
most_recent = true
filter {
name = "architecture"
values = ["x86_64"]
}
filter {
name = "name"
values = ["bastion-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
name_regex = "bastion-.*"
owners = [92135000000]
}

It took us a couple of weeks to write the code from scratch. After we had the same infrastructure described in Terraform, we recreated all non-production environments where downtime wasn’t an issue. This also allowed us to create a complete checklist of all the steps required to migrate the production environment.

Finally, on January 21, 2018, we completely recreated 1Password.com. We had to bring the service offline during the migration. Most of our customers were not affected by the downtime because the 1Password apps are designed to function even when the servers are down or when an Internet connection is not available. Unfortunately, our customers who needed to access the web interface during that time were unable to do so, and we apologize for the interruption. Most of the 2 hours and 39 minutes of downtime were related to data migration. The 1Password.com database is just under 1TB in size (not including documents and attachments), and it took almost two hours to complete the snapshot and restore operations.

We are excited to finally have all our development, test, staging, and production environments managed with Terraform. There are many new features and improvements we have planned for 1Password, and it will be fun to review new infrastructure pull requests on GitHub!

I remember when we were starting out we hosted our very first server with 1&1. It would have taken weeks to rebuild the very simple environment there. The world has come a long way since we first launched 1Passwd 13 years ago. I am looking forward to what the next 13 years will bring! 😀

Questions

A few questions and suggestions about the migration came up on Twitter:

By “recreating” you mean building out a whole new VPC with Terraform? Couldn’t you build it then switch existing DNS over for much less down time?1

This is pretty much what we ended up doing. Most of the work was performed before the downtime. Then we updated the DNS records to point to the new VPC.

Couldn’t you’ve imported all online resources? Just wondering.2

That is certainly possible, and it would have allowed us to avoid downtime. Unfortunately, it also requires manual mapping of all existing resources. Because of that, it’s hard to test, and the chance of a human error is high – and we know humans are pretty bad at this. As a wise person on Twitter said: “If you can’t rebuild it, you can’t rebuild it“.

If you have any questions, let us know in the comments, or ask me (@roustem) and Tim (@stumyp), our Beardless Keeper of Keys and Grounds, on Twitter.

1Password command-line tool 0.2: Tim’s new toys

Connor Hicks — Thu, 11 Jan 2018

Some of you may know Tim, our Beardless Keeper of Keys and Grounds here at AgileBits. Tim and his team keep everything running smoothly. The servers are serving happily and the networks are flowing gracefully. Tim is also the administrator of our company team on 1Password.com.

Tim can script and automate with the best of them, and from the moment he got a preview of op, the DevOps team began bombarding us with feedback. One of the first things he asked for was the ability to create vaults, so we added that right away. But we knew we could still do more for Tim – after all he was on the nice list this year – so we got him some new toys to play with. If you’re too excited to read more, you can just start playing with op 0.2 now. To find out more, read on.

Vault into the new year

Our first gift to Tim was more control over vault access. He can now use op to add users to vaults, remove users from vaults, and even delete vaults.

So when Dave told Tim about a new project (codenamed Honey Badger), it was easy to set things up.

Dave needed two developers, Chris and Betty, as well as one of our designers, Matt, involved in the project. With the command-line tool, Tim can switch to his terminal and do this right away. After he signs in, he can create the vault needed for the project:

op create vault "Honey Badger"

But this is old news! He’s been creating vaults for months now. What’s new is that he can now give everyone involved access to that vault:

op add "Chris Meek" "Honey Badger"
op add "Betty Da" "Honey Badger"
op add "Matt Davey" "Honey Badger"

Tim can even create a script to take a list of email addresses and add everyone to the vault at once:

#!/bin/bash
# Usage: add-everyone.sh "Honey Badger" < emailaddresses.txt
while read p; do
op add $p $1
done

After Matt is done designing project Honey Badger, it’s just as simple to remove him from the vault:

op remove "Matt Davey" "Honey Badger"

When everyone is done with the project, Tim can use op delete vault "Honey Badger" and move on to his next gift.

New year, new groups

The next gift we gave Tim was control over group membership. He can now use op to create and delete groups and choose who belongs to them.

When Dave told Tim that Wendy was moving from the support team to the design team, Tim just casually sipped his cocoa. He knew this would be trivial. We already have groups set up for both teams, so he just ran two commands:

op remove "Wendy Appleseed" "Support"
op add "Wendy Appleseed" "Design"

Tim can also create and remove groups with op create group and op delete group if ever he needs to.

Resolve to level up your skills

The holidays may be over, but we have a feeling Tim will be playing with his new toys for many days to come. If you want to level up your own skills, head over to download this latest release and read the full documentation on our support site.

Level up with op 0.2!

Then pop in to the 1Password Support forum to let us know what you think. You’re all on our nice list, and we love hearing from you. Your feedback after the initial public beta was instrumental in shaping this release.

We’re incredibly excited to continue work on this tool, as it gives you access and control over your 1Password data in a way that’s never been possible before.

1Password X: A look at the future of 1Password in the browser

Dave Teare — Mon, 13 Nov 2017

“Wouldn’t it be cool if 1Password could do X?” is a question we often ask ourselves. The values for X are always changing, but some ideas come up again and again. Wouldn’t it be cool if…

When you log in to a site, 1Password is right there on the page ready to fill?
You could use 1Password without downloading the app?
Linux users and Chrome OS users could join in on the fun?

Now 1Password can do all these and more. We call it 1Password X, and it’s our brand new, full-featured experience that runs entirely in your browser.

It’s super easy to set up, deploy, and use. It works everywhere Chrome works, including Linux and Chrome OS. And it’s a re-imagination of how 1Password works on the web.

X is for extension

Before we jump in, I want to address one thing you may be thinking: our X is a letter, not a version number. Our X is a hat tip to one of the most beloved features of 1Password, namely our 1Password extension.

The extension is what allows us to have the little 1Password icon in your browser toolbar. I call it our bread and butter, and I couldn’t live without it. 😊

1Password X builds on this experience and takes it to the next level. The most visible change you just saw above – your logins are now available directly within the webpage you are viewing!

It’s smart, too. 1Password anticipates what you need and shows you the options that are most relevant to your current task. If you are signing up for a new site, 1Password suggests a generated password for you right then and there.

You can also save your new login, name it, and pick which vault to store it in.

X is for Linux

One of the most popular requests of all time has been Linux support. In fact, the forum thread asking for Linux has over 75,000 views. That’s a lot of cold penguins. 🙂

Because 1Password X is a Chrome extension, it works everywhere Chrome is available, including Linux. In fact, we initially shared 1Password X exclusively with Linux users as we wanted to make sure we nailed it.

Tim, our chief sysadmin and “beardless keeper of keys and grounds” is a hardcore Linux evangelist who, until now, has had no other choice than to use Wine to run 1Password. Tim has been our toughest critic over the years for our lack of Linux support, and so far he’s been thrilled.

There’s still lots of work to do, but we have thousands of happy Linux users already enjoying 1Password X. And we can’t wait to invite all of the other penguins in out of the cold! 😘

X is for exceedingly powerful

1Password X has all of the power of a full-featured app. And because it connects directly to your 1Password account, everything you expect from 1Password is there – your vaults, your items, and all their details.

And we’ve sprinkled in some additional features to absolutely delight you:

Keyboard navigation: We know this is a big one for power users, so we made sure everything can be done without lifting your fingers from the keyboard.
Smart search: Just start typing to find exactly what you need – ideal for when you have multiple logins for a site.
Perfect memory: 1Password remembers what you were doing last, whether you were in the middle of a search or looking at an item’s details.
One-time password filling: Your two-factor authentication codes are filled just like usernames and passwords.
Authentication dialog filling: If you ever see one those old-school HTTP authentication prompts, rest assured that 1Password can fill them.

My personal favourite has to be our amazing new search – I just start typing and my matching items appear automatically. I love it so much that filling one-time passwords had to take second factor place. It was close, though – only 30 seconds behind! 😃

X is for extra easy setup

Historically, we’ve needed to teach people how to first install and set up the app, and then take them out of the app to install the extension. With 1Password X, they’re one and the same. Just install it, enter your Master Password, and you’re in.

Because there’s no need to install a separate desktop app, deployment within team environments is as simple as can be. And by using multiple Chrome profiles, your team members can share the same machine while having access to their own 1Password data.

1Password X can even be installed on Chrome OS, which makes me super excited as now I can finally buy one of those lovely new Pixelbooks. 🤘

X is for Excelsior!

1Password X is a radical new way of using 1Password, but it’s not (yet) for everyone. It’s still in its early stages so some features are not yet available. For example, it’s not yet possible to customize generated passwords or use browsers like Safari, Firefox, and Edge.

But it is an exciting new way to use 1Password on the web, and for me, that outweighs any drawbacks. I’ve been using 1Password X exclusively for the last 6 months, and I couldn’t be happier.

So is 1Password X for you? If you’re running Linux or Chrome OS, you should jump right in. Or if you’re adventurous and enjoy the thrill of discovering new things while being on the cutting edge, then 1Password X is for you – it runs fine alongside the 1Password apps and extension you already use.

1Password X was designed for our hosted 1Password service and connects directly to your account. It is available in English, French, German, Italian, Russian, and Spanish and can be installed from the Chrome Web Store:

Install 1Password X

I hope you’re as excited about 1Password X as I am! Learn how to get started with 1Password X and join the discussion in the 1Password Support forum to let us know what you think! ❤️

Now let’s all go join Harold in their rocket ship and explore what’s possible! 😃 🚀

1Password 7 for iOS: Efficiency Abounds

Michael Fey — Fri, 03 Nov 2017

Hello and happy November, everyone! We’ve long anticipated this day here at AgileBits. After months of hard work, 1Password 7 for iOS is now available on iOS 11.

The very first step in the journey that brought us to this point was taken back in June, shortly after the Apple Worldwide Developers Conference. Before a single line of code was written, before a single new screen was designed, we set a single goal for this update: efficiency. Along the way, we also added a few more features, like support for iPhone X and Face ID, and we’re excited to finally share it all with you.

As our release notes say, this is the greatest version of 1Password for iOS we have ever shipped, so let’s dive in, shall we?

iPhone X and Face ID

On September 12th, like many of you, everyone here at AgileBits was glued to their screens watching Apple’s keynote from the beautiful Steve Jobs Theater at the new Apple Park campus. The announcement of iPhone X was already exciting, but the introduction of Face ID was like Christmas for us. We knew right away that we’d move heaven and earth to be there on launch day with Face ID support.

We began working immediately to make sure that 1Password worked perfectly on iPhone X. Apple was smart and made Face ID work wherever Touch ID already does, so technically we didn’t need to do anything. But that’s not the way we roll.

We completely optimized the lock screen for Face ID. Matt Davey, who led the design effort, blew the doors off with this one. 🙂

My iPhone X is set to arrive tomorrow, and I can’t wait to install 1Password and step into the future.

Quick Copy

In a perfect world, every developer would be as awesome as these folks and take five minutes to add support for 1Password to their app. But because we don’t live in a perfect world, signing in to another app sometimes used to mean you needed to:

Open 1Password.
Find the Login you need.
Copy your username.
Switch back to the app where you need it.
Paste your username.
Switch back to 1Password.
Copy your password.
Switch back to the app where you need it.
Paste the password.

And if you needed the one-time password for that app, there were four more steps after that. Yeesh!

In 1Password 7, copying is now done automatically. After you copy your username and paste it in another app, switching back to 1Password will automatically copy your password. And it’s the same with one-time passwords. Switch back one more time, and they’re copied automatically, too.

You can learn more about Quick Copy on our lovely support site.

Favorites

There’s no faster way to access an item than by adding it as a favorite. At least, that’s what we used to think. In 1Password 7, I’m happy to say that we’ve done better. Way better.

Now, when you tap an item in Favorites, you’ll see all the details you want to copy in a beautiful array of bubbles. Simply tap on any one of the bubbles to copy its value to the clipboard. Not only that, but items on the Favorites list participate in Quick Copy as well!

The Key to a Great App

iOS has wonderful support for external keyboards, and I’m happy to report that now 1Password does, too. If you’re one of our keyboard warriors, make sure you give it a try. 1Password 7 includes keyboard shortcuts for searching, switching tabs, opening and filling items, and more.

Go Speed Racer

Big, new features are awesome, but we didn’t stop there. We dug deep to unearth some truly fantastic perfomance increases for this update as well. 1Password now unlocks 33% faster and has seen a 400% increase in stability throughout. We also made some improvements to our password generator to make it much more responsive and easier to use.

Wrapping It Up In a Pretty Package

No major update would be complete without a fresh coat of paint on the user interface. 1Password 7 sports a beautiful new icon with a gorgeous gradient on the lock ring. That color scheme carries through to the lock screen where, if you let it sit for a few seconds, you’ll notice a gentle “happiness vortex” animation take place as the colors go for a spin.

Many of you use the 1Password extension to sign in to websites directly in Safari or other third-party apps. The next time you do, you’ll see the extension received a fantastic visual update as well!

We’ve also overhauled the navigation bar at the bottom of the screen with some new iconography and a better layout. Coupled with the aforementioned new look for Favorites, our beloved iOS app has never looked better.

And the Hits Keep Coming

Check out the 1Password for iOS release notes for a full account of everything we’ve crammed into 1Password 7, but I wanted to close out with a few more of my top picks:

If you register a new fingerprint with Touch ID, 1Password will require your Master Password the next time you open it.
You can now delete multiple items at once. Swipe down from the top of an item list, select the items you want to remove, then tap Delete.
Recently used items appear in Favorites for easy access.
Saving a new Login now informs you that the password for that Login has been copied to the clipboard.
An advanced security setting allows you to use a PIN code to unlock 1Password, even on devices that support Touch ID or Face ID.

Whew! Are you still with me? If so, well done! If you haven’t already done so, go download 1Password 7 now and tell us what your favorite new feature is.

Until next time!

1Password living on the [Microsoft] Edge

Kate Sebald — Tue, 10 Oct 2017

I’ve long been curious about Microsoft Edge. It’s fast, light-weight, and much more secure than the Internet Explorer of my childhood. It had everything you look for in a browser … except 1Password support. Today that changes!

Thanks to the hard work of the Microsoft Edge and Windows Store teams, along with our own Windows team, I’m excited to announce that 1Password now has a lovely new home right on your Microsoft Edge toolbar. 🎉

To bring your items with you to explore Microsoft Edge, first make sure you have 1Password 6.7 or later installed and set up. Then, head to the Windows Store and grab the 1Password extension. Open Microsoft Edge, enable the 1Password extension, and enjoy saving new Login items, opening and filling in Microsoft Edge from 1Password mini, filling addresses and credit card details, and easy access to the Strong Password Generator, just like you’ve come to know and love. If you’re still using an older version of 1Password, you can follow this handy guide to migrate your existing data to the latest version of 1Password to get ready to seek out new frontiers in Microsoft’s latest browser.

Hello dark mode, my old friend

As you’re working your own 1Password magic in Microsoft Edge, don’t forget to check out my favorite feature: its super-sleek dark mode. I love how it turns your 1Password extension icon into a lovely point of light on your toolbar and it’s perfect for late-night browsing. Let the stars next to your favorites light up Microsoft Edge and help guide you to your most loved websites at the click of a Login item. Of course, if a different vision has been planted in your brain, the extension icon looks right at home in light mode too. 😉

To the Edge and beyond!

As stoked as we are about 1Password coming to Microsoft Edge, this is only the beginning and some finishing touches are coming in future releases. Support for keyboard shortcuts to fill logins and some tweaks to how mini lets you know you’re filling in Edge are included with the latest 1Password 6 for Windows beta. Additional improvements for filling on certain sites will also be addressed down the road.

Currently, the 1Password extension in Microsoft Edge requires 1Password 6.7 for Windows or later and a 1Password membership. We will be expanding Edge availability in future releases but if you’d like to enjoy using Edge sooner than later, now is a great time to give a 1Password membership a try. In addition to early access, there are many other benefits and it’s free for 30 days!

I hope you enjoy saving and filling in Microsoft Edge and, as always, we love seeing your feedback in our support forum. 😊

Announcing the 1Password command-line tool public beta

Connor Hicks — Wed, 06 Sep 2017

Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. Let me take this opportunity to walk you through the exciting potential.

Introducing `op`

Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: op.

The 1Password command-line tool makes your 1Password account accessible entirely from the command line. A simple op signin will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:

Getting usernames and passwords from items:

$ op get item OpenProxy | jq '.details.fields[] | select(.designation=="password").value'
"genuine-adopt-pencil-coaster"

Creating new items and vaults:

$ op create item login $(cat aws.json | op encode) --title="AWS"
{"uuid":"5hinhvejl7wtmbeorfts7ho3di","vaultUuid":"i5imjpvdivbsxo56m2ap2n66gy"}

$ op create vault devops
{"uuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

Working with documents:

$ op create document ./devops.pdf --vault=devops --tags=architecture
{"uuid":"i3rsiwjfh7aryvbu5odr4uleki","vaultUuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:

op suspend john@acmecorp.com

One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the Pro plan, op list events makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, op outputs JSON, so it’s simple to work with.

But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.

🎶 Rock, robot rock (solid) 🎶

The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using op for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. After a secure op signin, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.

The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.

Get yo’ *NIX on

Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried 1Password for Linux and Chrome OS, but we know what really makes developers salivate: a CLI. You can download op for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. Oh, and our Windows friends can play too!

What’s next?

If you’re as excited as we are about this, here’s everything you need to get started:

Download the 1Password command-line tool
Discover all the amazing things you can do with the tool
Stop by the 1Password Support forum to post your ideas, scripts, and feedback

We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.

Now let’s get ready to 🎶 pipe it, grep it, cat it, sed it 🎶

Introducing Travel Mode: Protect your data when crossing borders

Rick Fillion — Thu, 18 May 2017

We often get inspired to create new features based on feedback from our customers. Earlier this month, our friends at Basecamp made their Employee Handbook public. We were impressed to see they had a whole section about using 1Password, which included instructions for keeping work information off their devices when travelling internationally.

We knew right away that we wanted to make it easier for everyone to follow this great advice. So we hunkered down and built Travel Mode.

Travel Mode is a new feature we’re making available to everyone with a 1Password membership. It protects your 1Password data from unwarranted searches when you travel. When you turn on Travel Mode, every vault will be removed from your devices except for the ones marked “safe for travel.” All it takes is a single click to travel with confidence.

It’s important for me that my personal data be as secure and private as possible. I have data on my devices that’s ultimately a lot more sensitive than my personal data though. As one of the developers here at AgileBits I’m trusted with access to certain keys and services that we simply can’t take any risks with.

How it works

Let’s say I had an upcoming trip for a technology conference in San Jose. I hear the apples are especially delicious over there this time of year. :) Before Travel Mode, I would have had to sign out of all my 1Password accounts on all my devices. If I needed certain passwords with me, I had to create a temporary travel account. It was a lot of work and not worth it for most people.

Now all I have to do is make sure any of the items I need for travel are in a single vault. I then sign in to my account on 1Password.com, mark that vault as “safe for travel,” and turn on Travel Mode in my profile. I unlock 1Password on my devices so the vaults are removed, and I’m now ready for my trip. Off I go from sunny Winnipeg to hopefully-sunnier San Jose, ready to cross the border knowing that my iPhone and my Mac no longer contain the vast majority of my sensitive information.

After I arrive at my destination, I can sign in again and turn off Travel Mode. The vaults immediately show up on my devices, and I’m back in business.

Not just a magic trick

Your vaults aren’t just hidden; they’re completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled.

In 1Password Teams, Travel Mode is even cooler. If you’re a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times.

Travel Mode is going to change how you use 1Password. It’s already changed the way we use it. When we gave a sneak peak to our friends at Basecamp, here’s what their founder, David Heinemeier Hansson, had to say:

International travel while maintaining your privacy (and dignity!) has become increasingly tough. We need better tools to help protect ourselves against unwarranted searches and the leakage of business and personal secrets. 1Password is taking a great step in that direction with their new Travel Mode. Bravo.

Travel Mode is available today, included in every 1Password membership. Give it a shot, and let us know how you travel with 1Password.

Learn how to use Travel Mode on our support site.

1Password Blog

Tips and tricks for setting up 1Password on your new Android device

Let’s get started

The perfect setup

Download your other apps

Sign up for 30 days free!

1Password X 1.17: New brain, new menu, and even more accessible

New Filling brain written in Rust

New inline menu

Accessibility

Get the update today

Sign up for 30 days free!

1Password SCIM bridge now available on the DigitalOcean Marketplace

Get started with just a click

Get down to business

From Black Friday to seasonal travel: how to stay safe over the holidays

No holiday promo is worth risking your security

Secure your wallet when shopping

Keep your family safe and connected

Get organized before you hit the road

Turn on two-factor for all accounts

Get started with 1Password Families

CEOs, take action: how to defend your business from CEO fraud

What is CEO fraud?

CEO fraud comes in different forms

It’s for time CEOs to take action

Make it a company-wide effort

1Password partners with Accel for continued growth

We’ve come so far

We’ve stayed true to our values

We’ve made a new friend

We’re excited for the future

Use the SCIM bridge and the command-line tool to automate 1Password Business

Speed up specific tasks using the command-line tool

Manage your whole team with the SCIM bridge

Why 1Password excels on the new Surface Pro

Privacy-focused browsing

Unlocking with ease

Make it my way

Keep it small

Sign up for 30 days free!

1Password + Pixel 4 + Android 10 = ❤️🔐

Pixel 4 XL, meet 1Password

Face unlock everywhere

Easy sign-in and sign-up

Looks aren’t everything, but they certainly help

Sign up for 30 days free!

Security is a key focus in macOS Catalina

Lock it up tight

Exploring Safari

Protection for macOS

Enhanced Gatekeeper

Sign up for 30 days free!

Ghosts of passwords past: When old accounts come back to haunt you

Ghost accounts

Resurrected email addresses

Somebody’s watching me

The doppelgänger

Fun-size Halloween security tips

Get started with 1Password Families

1Password and Mozilla at The Glass Room exhibition

Mozilla has selected 1Password X as a Recommended Extension for Firefox

Sign up for 30 days free!

The Climate Fixathon: using tech to fight climate change

Behind the scenes of Random but Memorable

Planning and research

Getting the perfect guest

Recording the show

Getting it ready to release

Sending it out into the world

1Password 7.4 on iOS 13: Dark Mode, Documents, and Voice Control

Dark Mode for iOS

Use your voice

Documents, documents, documents

In closing

Get to know 1Password Advanced Protection with our next webinar

Introducing 1Password Advanced Protection: powerful security tools for business

Master Password policy

Two-factor authentication

Firewall rules