I'm doubting that I'll actually do this because I'm so steamed about the disabling of perfectly working features.
http://blog.agilebits.com/2013/08/08/1password-3-dropbox-syn...
They claim that Dropbox deprecated their existing API, so the software broke on its own. AgileBits did not disable the integration; upstream changed.
In the same way that Netscape 4 can't talk to SPDY-only websites, 1Password 3 can't talk to the new Dropbox API.
I haven't found the doc from Dropbox that describes an API change on Sept 1 - They did do a V0-V1 change this year, however, and AgileBits' story is plausible.
The new feature in 1Password 4 for Mac that has me interested is shared vaults. Now you can finally use 1Password as a password sharing solution for a business. This has been on my wishlist for years.
http://learn.agilebits.com/1Password4/Security/keychain-desi...
Not every version. We've only charged for three upgrades in our history.
1Password 2 for Mac to 1Password 3 for Mac
1Password 3 for Mac to 1Password 4 for Mac
1Password 3 for iOS to 1Password 4 for iOS
So, two of the three updates happened in the last year for the latest release (1Password 4). All other updates were free for existing users.
That's over 4 years between releases with no charges for users who purchased on launch day. Now, not every user purchased on launch day obviously, but I think we've been pretty fair with the upgrades. We go out of our way to try to help users who purchased prior to the new version too. We gave every user who purchased 1Password 3 for iOS a free upgrade to 1Password 4 within a 30 day window from 1Password 4 release.
This is the App Store we're talking about, which doesn't provide a mechanism for giving the app away free (while having it a paid app). Unless you count those 50 app store promo codes you get each release... (that's cost of app + 30% hit from Apple). I don't know of any other company that would do that on the scale we did. We tried VERY hard to give our users the best we could while going to a new app.
Kyle
AgileBits Support
1Password 4 is a big leap for me in terms of usability (vs. v.3): the mini application can be quickly accessed via a key chord, similarly to what you can do within a browser. Very helpful for things like VPN access, encrypted HDs, and other non-web software.
The security audit is a great feature too: it can tell you where you are using weak passwords, or even repeated passwords. If you have used the same password on many sites, and one of those sites is compromised, you might want to change that password elsewhere, or better, make sure you use a unique strong password everywhere; so knowing what sites could be compromised is a huge help.
If you want to feel safe in the web, 1Password's high usability and new features will help you get there.
In my browsers, 1Password 4 still works less reliably than 1Password 3. Manual completion (I don't use auto completion) sometimes works and sometimes doesn't. In the former case, the user credentials get listed but not inserted. The issue occurs more often in Chrome than in Firefox. It might be just me of course.
In any case, I am already in contact with the great AgileBits support team. AgileBits is one of the companies where your support mails are taken seriously.
Kyle
AgileBits Support
I also use it to store secure account information like bank accounts and CC numbers. Ever needed your credit card or some account number but only had your phone on you? With services like 1Password that's no problem.
The auto-fill functionality seems greatly improved: there are many JS based lightbox or hidden-until-you-click logins that 1pass3 couldn't autofill. 1pass4 just works.
It's also a bit disappointing that I had to buy direct to get cross-platform support, which is the reason I chose 1Password, but then that means I have to pay for this upgrade. If I had paid them half the price via the Mac App Store, minus Apple's 30% no less, I would get the upgrade for free. Not sure what they are trying to tell me there.
Sorry to hear you feel it isn't worth the upgrade. I'd suggest trying the demo at least to see if there's anything there worth using. Personally, the new browser extension is amazing and I have a hard time going back to help users in support :)
You didn't have to buy direct to get cross platform support. We offer coupons to users who purchase on the Mac App Store and want to buy our Windows application as well. We match the price at the time of purchase. So, normally the Mac app is $50, we offer the Mac + Win bundle for $70. If you bought at $50 on the Mac App Store, we give a coupon to get the Windows app for the same price as our website bundle. We just need proof of purchase from the Mac App Store.
If you have concerns though, email us, support at company url. Mention me here and someone will add me to the ticket and we can discuss directly. I'll be happy to help however I can.
Kyle
AgileBits Support
My only suggestion is that you might want to document this somewhere, because I had no idea this was an option at the time I purchased in July 2012, and still don't see it on the store web pages.
Btw, my upgrade was free at the App Store.
Quick observations;
* Snappy and Fast.
* iCloud Sync will make it easier to sync between Devices - iOS and Mac OS X. Dropbox sync wasn't that great if I don't open the app often. (I hope I don't regret saying this.)
* Finally, "CMD + SHIFT + c" copies password to clipboard. Been asking that for ages.
* Security Audit is cool.
Hmmmmm;
* I wish I could choose the backup location.
* Allow me to create custom categories.
Overall, nice upgrade.
On my Non-American keyboard, CMD + \ equals CMD + Alt + Shift + / …
I have never used the setting so far. The current setting in 1Password on the Mac I am using right now is CMD + S, that does not work of course. I guess I changed it years ago since AgileBits is very unlikely to have chosen CMD + S as shortcut for Non-American keyboards. I changed the shortcut now to CMD + ALT + 7 …
Yes, there's a dedicated key for backslash on US keyboards: https://en.wikipedia.org/wiki/QWERTY#United_States
We had trouble with 1Password 3 and non-US keyboards, but the new app should be MUCH better at handling non-US keyboard layouts. So change that shortcut however you see fit :)
I just can't promise a t-shirt for your chosen replacement of the shortcut (see our blog.agilebits.com header for this one).
Kyle
AgileBits Support
It's one of the reasons I can get my parents to use 1P at all.
I've spent less money on other apps that I actually spend more time using daily. Guess I'll start searching for some alternatives before they start dropping support for v3.
— All website customers who purchased 1Password for Mac in 2013 get v4 for free. Yes, that’s a nine-month free upgrade window
— Launch sale price for new customers: $39.99 – that’s 20% off the regular price of $49.99
— Launch upgrade sale price for website customers who bought before 2013: $24.99 – that’s $10 off our regular upgrade price of $34.99".
It's available as an early beta and pretty promising. Competition is always good and Apple will be pushing AgileBits further when they release Mavericks with the iCloud Keychain.
Still waiting for seamless Linux integration though. It's one of my killer apps that keeps me on OS X, connecting via ssh to headless Linux machines or VMs, as opposed to using the Linux desktop. And yes, I realize that there are other password managers out there for Linux. The point is that I already have my passwords and many notes in 1Password, and anything I switch to would have to sync with OS X and iOS.
Noted. We can't promise Linux support. It's hard to provide paid software on Linux and be able to pay for the development and technical support. The user base is tricky, many are used to free software via their favorite package manager. Serious professionals are likely to pay I think, but how many of those are there?
We'd love to support Linux in some way, and we just hired a guy who primarily works in Linux. We never say never, but we certainly can't promise Linux support. All that said, I'll pass your feedback along :)
I'd agree, I want our Windows application to get a makeover and try to gain feature parity with our Mac app. We're a very small team though so focus tends to be on Mac and iOS since that's where a vast majority of our user base is. That's not to say we don't want the other platforms to be better. Example: We're working on a brand new Android application that should blend both our look and feel with Android's look and feel.
We'll get the Windows application there, just give it some time. :)
Kyle
AgileBits Support
Personally, I just use a variant of:
one-way-hash(master-password + site-domain)
Seems to work really well, doesn't require special software, allows me to replicate all my passwords on any computer, and passwords are unique to each website and seemingly-random. Use a strong master password and it seems like an ideal solution to me and you only have to remember one master password and use no special software.* For extra security, perhaps base85-encode the output and truncate it if you want a password with special characters in, and use a slower function (e.g. bcrypt with a high work factor?) to prevent brute force attacks if you're using a simple password.
[* Note, SuperGenPass basically does just this, but has security issues since it runs as JavaScript in the browser as a bookmarklet. My personal solution is a script which does something similar, run using a quick hot-key, that grabs the domain from my front-most web browser window and grabs my master password from the system keychain and then puts the generated password on my clipboard.]
Would be very grateful if someone could point out any security flaws in this method that haven't occurred to me!
One password flaw: some sites have weird restrictions (probably your bank, for instance). A hashing solution is unlikely to meet those requirements, meaning you have to store the value securely somewhere, so why not store them all? On the other hand, if the output can meet the requirements, it's probably partly based on the requirements. If the requirements ever change, your password now doesn't match.
I know I've thought of others previously, but the short version of it all is that at some point you'll probably have to have secure storage for something that doesn't work with the hashing system you have. Once you have that secure storage, why not just use it instead, since it can resolve nearly all of the problems?
The "one password flaw" has never been an issue, but my bank uses proper two-factor authentication with a physical card-reading device, so maybe that's why... I've never actually encountered a website that places problematic restrictions on passwords except (weirdly) Microsoft.
But they're just personal anecdotes that those flaws haven't been an issue for me, but I agree they exist and could be show-stoppers for others. I certainly wouldn't recommend it to anyone non-tech-literate. If I did need secure storage outside of that system (which, you're right, does happen–mostly for wifi passwords and the like) then I just use the system keychain as intended.
But I do still have concerns about the overall security of the system simply because I don't understand it well enough...
> Once you have that secure storage, why not just use it instead, since it can resolve nearly all of the problems?
Because I don't want to pay for 1Password licenses, or be caught out if I'm using someone else's computer, or if all my backups catastrophically fail :)
Seriously, use cryptographically random passwords.
I appreciate the input and advice anyway. Security being a system of compromises, my current stance is that the security offered by a system like this, despite its flaws, is greater than a password database system (with truly random passwords) because then both I need to keep the database physically secure and trust that e.g. 1Password have designed it properly (or that my cloud provider is capable of keeping it secure). Since 1Password has apparently had potential issues in the past I don't have too much faith, but perhaps I'm being overly cynical.
Comments like yours and Groxx's help me re-evaluate what I'm doing though, so maybe I will switch to proper random passwords in future. So thanks again for the input!
http://blog.agilebits.com/2012/11/08/dont-trust-a-password-m...
I suspect you'll find that at least somewhat useful :)
Kyle
AgileBits Support
But it's not just me using a system like this. Everyone using SuperGenPass is using something similar too. That's why I think it's important to talk about it more.
However, I can share some inspiration to get started:
SuperGenPass (the original place I saw the idea): http://supergenpass.com
A fork of SuperGenPass using bcrypt/base85: https://github.com/cmcnulty/SuperGenPass
I wouldn't use either of the above because they're JavaScript-based, but someone has implemented it in Python: https://github.com/gfxmonk/supergenpass
I took that script as inspiration, modified it to use bcrypt, and then used the Python "keyring" module for access to the OS X keychain, and calling "osascript" to use an AppleScript one-liner to get Safari's front-most URL as an input.
It does potentially have the side-benefit of protecting against phishing attacks too, since if the domain is different, the password is different, so you can't be fooled into giving your password to the wrong website.
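The derivation scheme discussed in this thread (a slow one-way function over master password and site domain, base85-encoded and truncated), as an added example that is not part of any post here and is not the poster's script. PBKDF2 from the Python standard library stands in for bcrypt; the function names, iteration count, rotation counter and sample inputs are assumptions. It also shows the reply's point about site restrictions: satisfying a policy takes a per-site counter that has to be stored somewhere.

```python
import base64
import hashlib
import hmac
import string

ITERATIONS = 200_000  # assumed work factor for the slow step; tune to your hardware
ALNUM = string.ascii_letters + string.digits  # a "letters and digits only" site policy


def site_key(master: str, domain: str) -> bytes:
    """Slow step: stretch the master password, salted with the site domain."""
    salt = domain.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)


def password_from_key(key: bytes, counter: int = 0, length: int = 16) -> str:
    """Cheap step: the counter-th variant for a site, base85-encoded and truncated."""
    digest = hmac.new(key, str(counter).encode(), hashlib.sha256).digest()
    return base64.b85encode(digest).decode()[:length]  # 32 bytes -> 40 chars


def derive(master: str, domain: str, counter: int = 0, length: int = 16) -> str:
    return password_from_key(site_key(master, domain), counter, length)


def meets_policy(password: str, allowed: str, max_len: int) -> bool:
    return len(password) <= max_len and set(password) <= set(allowed)


def derive_for_policy(master, domain, allowed, max_len, limit=10_000):
    """Return (password, counter) for the first variant the site accepts.

    The counter is per-site state: it must be recorded somewhere, which is
    the objection raised in the thread to a purely stateless scheme.
    """
    key = site_key(master, domain)
    for counter in range(limit):
        candidate = password_from_key(key, counter, max_len)
        if meets_policy(candidate, allowed, max_len):
            return candidate, counter
    raise ValueError("no variant satisfies the policy")


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample input
    print(derive(master, "example.com"))
    print(derive(master, "examp1e.com"))      # look-alike domain, different output
    print(derive_for_policy(master, "bank.example", ALNUM, 12))
```

The same counter doubles as a rotation index after a breach, and it too has to be remembered per site.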
Are there any good alternatives to 1Password? I need OSX, Windows, and Android versions, and it needs to work in Chrome and Safari. I'd also need synchronization between multiple machines/browsers. I'm not sure what I think of a web version like LastPass - my 1Password keychain is in my dropbox, so it's not like I have it locked-away and protected. But it still feels a bit odd to have my passwords in a single service like LastPass - for some reason I have more confidence in Dropbox's security than LastPass's.
I have yet to find any alternative that is even remotely as user-friendly. LastPass does legitimately seem to be well run and secure, but the browser-extension UI is horrible at omg levels. KeePass(X/etc) also looks decent, but it's .NET (for what appear to be good reasons, but still), has slightly scary code (lots of reimplementing builtin classes), and again, omg-horrible UI.
I'd love a reasonable alternative, 1Password is unfortunately getting too pricy as time goes on, though it has been hands-down the best.
Kyle
AgileBits Support
All this "iCloud Keychain" hype looks like just a sync functionality on top of current implementation.
iCloud Keychain is a better experience on iOS because only Apple can extend Safari - If you're using 1Password on iOS, you can't do the equivalent of "CMD+\" - you have to launch the 1P app - which breaks the workflow.
I don't see me moving away from 1Password anytime soon - though the ability to have multiple agile keychains in a single 1P session would have me pulling out my wallet - been waiting for that for awhile.
I've already added "perform 1Password security audit" to my monthly to-do list.
Early adopters of 1Password 3 must wait a few more days in order to purchase a v4 upgrade from the web store.
Yes, I know appstore doesn't support paid upgrades, but at least they could have made it a little cheaper for us.
I guess I'll go dig it out of Time Machine ....
Sync- it's possible with Keychain Access + Dropbox, but not seamless
Easy password generation- no switching to Keychain Access, copying, etc.
iOS access- up until iCloud sync, passwords were not easily transferred to devices
Support for Windows browsers
Form filling- Keychain will do addresses, but not credit cards
On the other hand, the new keychain access will have direct Mobile Safari integration.
It will also allow you to share passwords (via Dropbox) between Macs and Windows machines. It can generate strong passwords as well.
I will probably switch soon given the current state of their Android app, but maybe this OSX update is a hint at a visual refresh for all of their products?
For a price you can use it on mobile, too.
It seems like the most secure way to use it, assuming you've enabled backups in 1Password to iCloud or Dropbox.
Whenever I need a password I just grab my phone and look it up, then type it in. Sure, I have to manually type passwords, and my randomized passwords all have a minimum 18 character length, so it takes a bit longer. It's a plus though, because over time I memorize my passwords through repetition. If you have the program on a desktop and it just copies/pastes your password, you'll never memorize it.
For me, not-memorizing it is the whole point of 1Password. 1Password lets me generate and store passwords which are MUCH longer/more random than normal people can memorize.
I store them on my PC, and lock/unlock them with a strong master password - They're synced via local network to my phone, and never travel outside my network. Where possible, accounts are additionally secured via 2-factor auth.
This seems like a much better solution than variations on song-lyrics, cat names, 'P4zzw0Rd', which is the 'standard' solution to passwords.
FWIW, passwords are something I'd consider a 'hair on fire' problem. The current solutions are very very broken.
Passwords are terrible. 1Password and related software make having to live with them significantly less terrible.
But when I go to the Mac App Store it says $39.99. What gives?