
The 1Password 7 Beta for Mac - uptown
https://blog.agilebits.com/2018/03/28/the-1password-7-beta-for-mac-is-lit-and-you-can-be-too/
======
surfearth
I've been using 1Password since Version 3 in 2010 and was originally skeptical
about the move to a SaaS model. The value I (and now my wife) gets from the
Family Plan is easily worth it - it just works and we can easily share some
things while keeping others to ourselves.

One pro-tip I learned last year is to replace Google Authenticator with
1Password's 2FA solution. It is really well implemented and copies the 2FA
code to the clipboard when you fill in a login, and then removes it a minute
or so later. You do need to make sure your 1Password recovery information is
someplace secure because you're in a bad place if you ever lose your devices.

~~~
latexr
This kind of defeats the point of 2FA. With your current setup, if anyone
accesses your vault and gets your password they also get your 2FA key.

At that point it’s no longer two-factor, it’s just two steps in the same
authentication.

~~~
AGKyle
We've written about this in the past, see a blog post by our chief of security
here:

[https://blog.agilebits.com/2015/01/26/totp-for-1password-users/](https://blog.agilebits.com/2015/01/26/totp-for-1password-users/)

Hope that clears things up for both of you. Let me know if you have any
questions though!

Kyle

AgileBits

------
two2two
I’m not even that old and the use of “Lit” and “fam” kept me from continuing
to read whatever this was about.

~~~
gnodar
It doesn't even make sense. Their customers must cover a wide age range, so
why use language directed at only their youngest customers? Not to mention
anyone who actually uses "fam" and "lit" is going to cringe at this post. The
whole thing belongs in r/fellowkids.

~~~
dwb
It's a (low quality, but still) use of irony. Come on, people.

------
atonse
Been a happy paying user for nearly 4 years now (still standalone though).

I like how this team keeps iterating and tweaking things, even though they've
largely already solved the issues with password management for me. And they
aren't just adding superfluous features.

I am most excited about markdown in notes!

~~~
tonyedgecombe
_I am most excited about markdown in notes!_

Is that the new version of Zawinski's Law:

[http://www.catb.org/jargon/html/Z/Zawinskis-Law.html](http://www.catb.org/jargon/html/Z/Zawinskis-Law.html)

~~~
cdumler
I understand that apps expand, but I've come to move specifically to
applications that support markdown. Like Bear, Slack, Trello, etc. Being able
to have light-duty text formatting while not being dependent on RTF interface
means I can port the text around. Markdown is really gaining steam.

------
paulgb
I recently switched from LastPass to 1Password and was surprised with what a
bad user experience I'd gotten used to from LastPass. The attention to detail
(down to designing their own font!) from the 1Password team is impressive.

~~~
rconti
Yeah, I tried using LastPass for 6 months or so but never really got into it.
The browser integration (at least 3 or so years ago) was pretty janky.
Switched to 1Password and never looked back. I've been very happy so far, so
hopefully you continue to be as well.

------
Exuma
Can someone help me with 2 questions:

Question 1: Can someone comment on the actual severity of them storing all my
passwords remotely? I don't like the idea of it, but it seems like they're a
reputable company so I assume they have good systems in place. I have the
standalone right now but it's getting to be a pain to move from computer to
computer, and I don't trust dropbox sync.

Question 2: Let's say the online version gets hacked... and they steal all the
vaults, does that mean they only need my master password to get in? What about
people who have weaker master passwords? Can people brute force the password
vault in the same way that someone can if they have a hash database of
passwords?

~~~
ttul
Your passwords are encrypted using a master password that you enter in the
desktop app. They do not know your passwords.

~~~
Exuma
But can you brute force my vault using similar techniques as just brute
forcing a stolen DB of hashed passwords... in other words, if your vault
password is < 6 characters are you screwed? Or are the vault passwords more
'battle hardened'?

~~~
eterm
Your vault password should have a similar amount of entropy to the encryption
strength. It's one of the good uses of a diceware passphrase, where I'd
recommend 8+ words for the encryption passphrase.

It's the only thing you'll have to remember, so while a pass phrase that
length would normally be a hurdle, it isn't hard to remember. It'll be a pain
to type at first but you'll get muscle memory before too long.

6 Characters? If your master password is only 6 characters then yes, you are
screwed if your vault leaks.

~~~
roustem
Not really. Your data would be safe even with a 6-character master password
(which will not be allowed by 1Password).

The random Secret Key provides the additional protection against brute forcing
accounts even when the master password is weak.

~~~
eterm
Correct me if I'm wrong, but the random secret key must be synchronised
somehow, surely? I'm talking about in the case that someone gains access to
all your synchronised data.

~~~
AGKyle
The secret key is combined with the master password. See our white paper here:

[https://1pw.ca/whitepaper](https://1pw.ca/whitepaper)

See Key Derivation on page 24 for this specifically. We call it 2SKD.

Page 26 also shows how the secret key and the master password are combined.
From that other keys are derived.

It's actually a very fascinating process, combined with our use of SRP, I have
to say I rather love how well all of this meshes together.

In the situation where someone gets your data from our server, which is the
big thing people are worried about, they're going to have to combine a guess
for your master password and the secret key to perform a guess.

They could in theory get your secret key from your local devices, as these are
saved there, but your Master Password protects in that case as it's not stored
anywhere (unless you've enabled features like Touch ID or Face ID, but those
are protected in other ways).

Your Secret Key protects your data on our server. It makes brute forcing that
data an incredibly expensive process.

Your Master Password also helps protect your data on our server, but it also
protects your data locally.

Let me know if that helps explain things.

Kyle

AgileBits
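
The Secret Key argument Kyle makes above, as an added illustration that is not AgileBits' code and not the real 2SKD construction from the white paper: a simplified model in which a slow hash (PBKDF2) of the Master Password is XORed with a keyed hash of a random 128-bit Secret Key, so reproducing the vault key needs both inputs. The salt, Secret Key, iteration count and candidate list are all constructed for the demo.

```python
import hashlib
import hmac

# Simplified model, NOT 1Password's actual 2SKD implementation (see the white
# paper linked above for the real scheme): a slow password hash of the Master
# Password is XORed with a keyed hash derived from the high-entropy Secret Key,
# so a guess has to get BOTH inputs right to reproduce the key.
PBKDF2_ITERATIONS = 100_000  # assumed demo value, not 1Password's setting
KEY_LEN = 32


def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a (possibly weak) Master Password with a random Secret Key."""
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, KEY_LEN
    )
    # Secret Key contribution: keyed hash of the salt under the Secret Key.
    sk_part = hmac.new(secret_key, salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(key: bytes) -> bytes:
    """Value stored beside the vault that confirms a derived key is right.
    This is what an attacker with stolen data would test guesses against."""
    return hmac.new(key, b"vault-verifier", "sha256").digest()


def offline_guess(verifier: bytes, salt: bytes, candidates, secret_key: bytes):
    """Check each candidate Master Password against the stolen verifier.
    Returns the matching password, or None when no candidate reproduces the key."""
    for pw in candidates:
        guess = make_verifier(derive_key(pw, secret_key, salt))
        if hmac.compare_digest(guess, verifier):
            return pw
    return None


def guess_space_bits(password_bits: float, secret_key_bits: float,
                     secret_key_known: bool) -> float:
    """Attacker work in bits: the Secret Key only adds to it while it is unknown."""
    return password_bits if secret_key_known else password_bits + secret_key_bits


# Constructed demo values (none of these are real 1Password values) -----------
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("a1" * 16)            # constructed 128-bit Secret Key
WEAK_PASSWORD = "123456"                         # constructed weak Master Password
STORED_VERIFIER = make_verifier(derive_key(WEAK_PASSWORD, SECRET_KEY, SALT))
CANDIDATES = ["password", "qwerty", "123456", "letmein"]   # constructed guess list

# Scenario A: attacker holds server-side data only, so the Secret Key is unknown.
# Even the correct Master Password in the list cannot reproduce the key.
WRONG_SECRET_KEY = bytes(16)   # stands in for "the attacker does not have it"
server_only_result = offline_guess(STORED_VERIFIER, SALT, CANDIDATES, WRONG_SECRET_KEY)

# Scenario B: attacker also took the Secret Key from an unlocked local device.
# Now the Master Password is the only protection, and a weak one falls quickly.
device_result = offline_guess(STORED_VERIFIER, SALT, CANDIDATES, SECRET_KEY)

if __name__ == "__main__":
    print("server data only :", server_only_result)   # None
    print("with Secret Key  :", device_result)        # 123456
    print("bits to search, server-only    :", guess_space_bits(20, 128, False))
    print("bits to search, Secret Key known:", guess_space_bits(20, 128, True))
```

Scenario A is the server-breach case Kyle describes, where the 128-bit Secret Key dominates the attacker's work; Scenario B is the stolen-device case, which is why a strong Master Password still matters even with the Secret Key in play.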

~~~
ADent1
How is the Master Password protected with Touch ID? Seems like it goes in the
Apple Keychain, which then Apple wants to sync to iCloud.

Can Apple then get my Master Password (along with FBI w/warrant, etc)?

~~~
gerald766
Apple doesn't sync secure enclave information to iCloud. Also, not all iCloud
synced information can be accessed. iCloud Keychain, for example, can not be
decrypted by Apple.

------
iBelieve
Nice to see it will still support standalone licenses without needing a
subscription.

------
zie
According to a comment on the blog we get yet another data file format, and
still looks like nothing to replace sudolikeaboss
([https://github.com/ravenac95/sudolikeaboss](https://github.com/ravenac95/sudolikeaboss)),
despite them saying they were working on it.

Mostly it looks like new eye candy, and apparently some speedups, not that it
was slow before.

~~~
nothrabannosir
This is incredibly frustrating, to be honest. They offer a CLI tool but it's
completely separate from the GUI session, which means juggling envvars and
typing your master password _many_ times.

Apple's keychain, while uglier than a Fiat Multipla and harder to use than a
Wiimote on a CRT, at least does get this right.

But apparently bold text and 21st century 1337speak sell better than a CLI
integration. Unfortunately, I can't say I'm surprised.

I guess the silver lining is: this can only mean password managers are not
just used by security professionals anymore, and are actually becoming
mainstream. Hurray :/

~~~
aerotwelve
Out of curiosity, do you use the CLI tool for feeding private keys and/or
passwords into scripts, environment variables, or other software that you
write?

I had no idea they had a CLI implementation, and I've been looking for
something that manages server/api keys as well as cloud service passwords. I
imagine there's a better way to do this using enterprise key management
software, but I no longer work for a place w/ this kind of budget.

~~~
zie
I'm the parent comment, but yes, among other things.

For enterprise key management, I recommend Hashicorp Vault
([https://www.vaultproject.io/](https://www.vaultproject.io/)); it's OSS, so no
giant budget required.

There is a CLI available as a 3rd party app that works with newer 1P versions
and talks to your local 1P vault:
[https://github.com/peacetara/slab/blob/master/src/python/README.md](https://github.com/peacetara/slab/blob/master/src/python/README.md)

------
et2o
Love my 1Pass subscription. Hope more iOS apps keep integrating it.

Interesting they intentionally moved from multithreaded to singlethreaded.

~~~
hunter23
I had no idea there was app integration! Which apps are integrated with the
iOS app?

~~~
AGKyle
We have a full list from all developers who have informed us they have
integrated here:

[https://blog.agilebits.com/1password-apps/](https://blog.agilebits.com/1password-apps/)

There are likely other apps that are not on this list, but if they don't tell
us they have added support it's difficult for us to add them.

You can request your favorite app add support; often it only takes a
developer 15 minutes or so to add it. Details in our GitHub repo here:

[https://github.com/agilebits/onepassword-app-extension](https://github.com/agilebits/onepassword-app-extension)

Let me know if you have any questions! I handle all of our app extension
customer support and code maintenance.

Kyle

AgileBits

~~~
hunter23
Thanks for responding, Kyle! No questions - I love your app. My partner is not
very technology savvy and I recently got them to adopt 1Password, which has
been a huge, huge boost to her security; her previous solution was just to
recycle passwords.

One piece of feedback is that when I was comparing your product to Dashlane,
they had much better tools to migrate your existing passwords. Specifically
Dashlane has a tool to migrate all your passwords in your Mac OS keychain
automatically to their manager. I remember y'all having a solution as well but
it was a lot more complex and wasn't something that my mom or dad could do
without me watching them.

So my main feedback is to build solutions and UX that cater towards your
grandma, not to the HN crowd. These are the users that you need to convert
over because they have the biggest security risks.

~~~
AGKyle
Thanks!

As you can imagine it's quite difficult to take complex topics like this and
make it easy to digest for people not familiar with it.

I hope we can continue to make small steps in the right direction in each
release. If we wanted to make 1Password as simple to use as possible we could
certainly do that by removing all the fancy features that most of our power
users find useful, but that would anger them greatly.

We started as a power user tool, so our roots are there. We can't abandon that
entirely. We just have to work harder to simplify in ways that aren't going to
remove these useful tools.

As for the macOS Keychain import bits, there is actually no official way to
do this that isn't an incredibly ugly hack. Apple doesn't provide a mechanism
to get data out of the macOS keychain, and the one way they do, while it can
be scripted, requires asking for the user account's password for each item. I
suspect if we looked at how other tools do this they are doing some incredibly
wonky things that you might be afraid to understand :)

I understand that the point remains, they import, we don't... but it's a
tightrope. We don't want to do things that potentially risk us losing goodwill
with our users by doing weird things in the background to make it work seamlessly.

Kyle

AgileBits

------
ArmandGrillet
Allowing Markdown in secure notes is a great new feature!

I've recently set up 1Password for my parents and it works fine. The
applications are still a little too complicated for them though, the gap
between a physical notebook containing passwords and 1Password is large.
Thankfully the UX on iPhone/iPad with TouchID is simple enough.

------
benbalter
Did I miss something? Is there not a way to use 1Password 7 without it
automatically uploading your 1Password 6 vault to their cloud as part of the
setup flow (as it did for me)? Unless I did something wrong, it looks like a
my.1password.com account is _required_ in 1Password 7.

~~~
rabboRubble
I've been testing 1PW7 Windows beta, and I'm testing against a local vault.
Would surprise me if the Mac version only supported 1password.com cloud
vaults.

------
_jordan
One of the highest quality software projects I've ever seen. It just works so
well.

------
teddyfrozevelt
Wow. 1Password 7 for Mac looks quite a bit better than 1Password 7 for
Windows. I wish they put an equal amount of effort into all platforms but I do
understand why they develop the way they do. I just hope I can get that new
sidebar.

~~~
AGKyle
Our Windows app has come a long way in the ~2 years or so of its existence.
We rewrote everything from the ground up with 1Password 6 for Windows. It has
roughly 8 years of ground to make up to our Mac and iOS apps. They've come a
long way in a short period of time. And it'll continue to get better, but we
had some really big features to implement on Windows that just took a lot of
time and effort. Adding in standalone license support and syncing to Dropbox
is not a simple process but they're now available there in the latest beta.

We want our Windows users to be happy as well, and if you have features that
are vital to you please write into our support. They use these requests to
help gauge what to work on next, and the list is long so the more we hear from
users about what they value the better we can prioritize that list.

As a Mac and iOS developer on the team I am very impressed by how quickly our
Windows team has caught up.

Thanks,

Kyle

AgileBits

~~~
rabboRubble
Yes, the 1PW7 beta release really raised that version of the software. Thank
you for the attention to that platform. I've been quite active on the bug
reporting forum and I hope you are able to make further improvements. If only
the Windows version's search capabilities expand, the product will basically be
near perfect for me.

Example:

1) search for entries using two or more strings

2) search for entries _without_ two or more certain strings. Example: find all
entries unrelated to entertainment in "All Items" by searching for -tag:book
-tag:movie -tag:streaming -tag:tv

And saving a search so that I don't have to retype the search language when I
QA my 1PW data!

------
alphabettsy
Big fan of this software, have been using it for almost 10 years and love
that it keeps getting better. Using family and teams is great too. Even my
grandparents use it on their iPhones.

------
rconti
OOH integration with the pwned password database.

However, it looks like it pings Troy's service to do its magic so not
everything is kept locally. (I don't blame them, for speed, and for not
needing a many-gig database download for each client.)

Still, a cool feature, but something to be aware of.

[https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/](https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/)

~~~
crazysim
You lose about 5 characters of the SHA1 hash to the remote service. Pretty
acceptable.
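
The prefix split crazysim is describing, as an added example that is not 1Password's or Troy Hunt's code: SHA-1 the password, send only the first five hex characters to the range endpoint, and compare the remaining 35 characters locally against the returned list of suffixes. The response body is constructed inside the script (same `SUFFIX:COUNT` text shape as the real range API, with made-up counts) so the demo runs offline and never contacts the service.

```python
import hashlib

PREFIX_LEN = 5  # five hex characters = 20 of the 160 SHA-1 bits leave the client


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as used by the range lookup."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix sent to the service, suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def build_range_response(prefix: str, breached: dict, decoy_suffixes=()) -> str:
    """Construct a stand-in for the range-query response for `prefix`:
    one 'SUFFIX:COUNT' line per entry, mirroring the real text format.
    Only passwords whose hash starts with `prefix` belong in this bucket."""
    lines = [f"{s}:1" for s in decoy_suffixes]
    for pw, count in breached.items():
        p, suffix = split_hash(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def match_locally(password: str, response_body: str) -> int:
    """Look the locally held suffix up in the returned bucket.
    Returns the breach count, or 0 when the password is not in the bucket.
    The full hash is never sent; only the comparison happens here."""
    _, suffix = split_hash(password)
    for line in response_body.splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed demo data: one breached password with a made-up count, plus a
# decoy suffix so the bucket holds more than a single line.
WEAK = "password"
PREFIX, SUFFIX = split_hash(WEAK)
SAMPLE_RESPONSE = build_range_response(PREFIX, {WEAK: 12345}, decoy_suffixes=["0" * 35])

if __name__ == "__main__":
    print("sent to service  :", PREFIX)
    print("kept on client   :", SUFFIX)
    print("breach count     :", match_locally(WEAK, SAMPLE_RESPONSE))
    print("unique passphrase:", match_locally("constructed-unique-passphrase-7!", SAMPLE_RESPONSE))
```

The service learns only the 5-character prefix, which every password in that bucket shares, so it cannot tell which of the returned candidates (if any) was the one being checked.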

------
NelsonMinar
I wish AgileBits put as much effort into their Windows version as their Mac
version.

~~~
Aaronn
I don't use Windows so I don't know if there are any particular bugs in their
Windows software but they announced the 1Password 7 beta for Windows eight
days before they made this Mac announcement
[https://blog.agilebits.com/2018/03/20/introducing-1password-7-beta-for-windows/](https://blog.agilebits.com/2018/03/20/introducing-1password-7-beta-for-windows/)

------
MightySCollins
I keep checking these articles in hope they mention Linux. How can 1Password
expect companies to use it when it does not have a cross-platform solution...

~~~
roustem
Did you check 1Password X?

~~~
MightySCollins
Yep but a Chrome extension is not really a client. Especially when it has no
offline support...

~~~
beyer
Hey MightySCollins!

1Password X is a Chrome extension, but it's also a full-featured 1Password
client! Additionally, 1Password X does work without an internet connection. In
version 1.5 we added an offline cache so you can boot up your laptop, unlock
1Password X and get that WiFi password or whatever item you need. If you
haven't checked it out lately, I'd highly recommend taking a peek at this
recent blog post:
[https://blog.agilebits.com/2018/03/13/1password-x-better-smarter-faster-and-japanese/](https://blog.agilebits.com/2018/03/13/1password-x-better-smarter-faster-and-japanese/)

&drew

