

1Password Watchtower Mac App Integration - ryanseys
http://blog.agilebits.com/2014/04/30/1password-mac-watchtower/

======
ColinDabritz
Do you know what would be amazing?

The ability to change all vulnerable passwords, automatically as a group.

I know it's very challenging because password change/reset procedures vary
widely, but that part of the process is still manual. 1Password already
automates logins almost entirely successfully. Perhaps password changing can
be automated as well?

If it were robustly automated, you cold easily rotate your passwords once a
month, with very little fuss, for example.

This is really something that authentication schemes could benefit from
supporting an automated API for.

Good work on the service. I suspect that heartbleed was the current use case,
but this service will be very helpful for future breeches and issues. For
example they could alert you that XYZ Service had a data breech, it's fixed,
and you should rotate your password.

Great work.

~~~
AGKyle
[I work for AgileBits, makers of 1Password]

Thanks for the feedback!

Filling into sites and gathering the necessary information for this I think is
far easier than determining how a password change takes place. We have an
algorithm that we've developed over years that is constantly changing in
subtle (and not so subtle) ways to make filling more accurate. Some of the
biggest changes in a long time will be coming in the 4.2 version of the
browser extension, currently in beta.

But you're right, sites and their password change processes differ greatly.
Some require the old password, some require only the new password. Some only
require the new password once (admittedly rare).

I think at best though we'd only be able to do this if we went to the password
change page for the site and attempted to fill the data in for changing the
password. There's no way we could bulk update as that would probably require
we hard code each individual site rather than relying on an algorithm for
filling data into the site.

It's a tricky thing, but we're always trying to come up with new ideas and
ways to accomplish those ideas.

Heartbleed was the first use case for Watchtower, but you're correct in that
it'll be available for other situations as well. Now that the foundation is
there we can leverage it for other issues in the future.

Thanks again for the wonderful feedback!

Kyle

AgileBits

~~~
masklinn
> Filling into sites and gathering the necessary information for this I think
> is far easier than determining how a password change takes place.

Maybe start talking it out with browser developers and big websites stuff so
there's a way to standardise an endpoint or in-page meta-information allowing
for automated password reset?

~~~
ColinDabritz
This could be a real win. If there was a way of marking a standardized form
with some meta data or tags to say "hey, this is safe to use automatically in
the expected way" such as the typical form with old > new > repeat new or
something. One little HTML change and it advertises compatibility.

That way, classy sites could enable a 'safe enough/good enough' flag that any
software could use.

There is also the thought that it may be worth hard-coding for the biggest
sites. The high profile sites are the most vulnerable when a vulnerability
hits, there are big existing databases of user names around, and these can be
exploited automatically and quickly on relatively high value targets (gmail
accounts, amazon, facebook, twitter etc). Even top 10 would be helpful, but
top 100 seems approachable, especially since the bigger sites are probably
more consistent. The payoff here could be big next time around.

Also if the framework were around for doing this, you could target a
particular site or three that just had a major breech, and push the rules for
reset out with the breech notification.

I know it's a huge amount of work to do manually, but even a relatively
focused effort could have payoffs, and if working with big sites can start a
'automated password reset' standard rolling, others might adopt it.

Just thinking out loud, I know you've got to juggle priorities and features
with limited time.

Thanks again!

------
bluetidepro
This is a neat integration by 1Password! 1Password is probably my favorite
Mac/iPhone app that I use. Their product is always top notch. Great work guys!

~~~
infra178
How do you get around the lack of bookmarks in the 1password browser for ios?

~~~
AGKyle
[I work for AgileBits, makers of 1Password]

You could use the Favorites section. I favorite my most frequently used sites
and use that for most logins that I access often.

Would that work? If you have a particular use case that you can run me through
that would be wonderful.

Also, user gwkoehler, currently above me in this thread, suggests the
op[http://](http://) and op[https://](https://) in front of users to open in
1Password. There is a bookmarklet for this here:

[http://www.macstories.net/links/1password-4-1/](http://www.macstories.net/links/1password-4-1/)

Kyle

AgileBits

~~~
infra178
My wife bookmarks like a dozen tumblr pages, Reddit posts, fanfic stories,
random websites a day on her iPhone and then reads them in bed on her iPad at
the end of the day. She's not real tech savvy so I've got her using Chrome
which syncs them up to all of our devices: 2 iPads, 2 iPhones, a PC that boots
osx and windows, and a Nook. She can pick up any device and her bookmarks are
there. It would be difficult to get her to give up that functionality or have
to switch browsers depending on what site she's on. Even the bookmarklet that
switches you to 1Password isn't intuitive. I wish 1Password would manage
bookmarks and sync them between devices like Chrome does.

~~~
AGKyle
Thanks for this information!

I'll take this feedback and see if there's anything we can do in future
updates to try to come up with a solution.

I can't make any promises, but I'm sure you're not the only one with a similar
type of use case. That said though, I don't think we'll be able to integrate
with Chrome Sync, pretty sure that's closed up pretty tight.

Personally, one of the things I'd love to see is the ability to save a page to
Pinboard, which is what I use for bookmarks that I want to read later or
reference later. Not sure if that would be of any real use for you though.

Thanks!

Kyle

AgileBits

------
davak
AGKyle:

Since the update, I've spent the majority of the day updating zillions of
passwords. As other users have mentioned, bulk updates would be amazing, but I
can't imagine how complex that would be. Even trying to "open and fill" is
frequently wrong because 1password has saved the webpage as the new user
registration page instead of a true login. Small pain for the amazing product
you have.

I would recommend one thing very highly. Please give the user some information
why there is a vulnerability. I've noted some of them are marked from previous
large user/pass dumps that are available. If the user knows this, she will
know to never use that user/pass combo again. If the user is unaware, they may
rotate to another common user/pass that has also been released.

Thanks for considering my thoughts...

~~~
AGKyle
Hi davak!

We've made some improvements to the new user signup form end of the spectrum
in the latest beta version of our extension. You can install the beta by
visiting the page below:

[http://www.agilebits.com/browsers/index.html](http://www.agilebits.com/browsers/index.html)

Make sure you click "Enable Betas" below the Download button before
installing. This should improve things quite a bit in most cases. If you run
into any sites with issues please email us with the URL so we can test
(support at agile bits . com). If we don't know about the site having problems
we can't fix it.

If you're viewing a login that has a known vulnerability, you see a red bar at
the top that says:

"Vulnerability Alert - Change Password..."

If you click this, it shows a popover, that popover displays a bit more detail
with a "Learn More" link. That sends you to the Watchtower site with a lot
more detail about why and what to do next.

I suppose we could be better here and tag it differently saying it was part of
heartbleed, but not all vulnerabilities will have such a memorable name
(CVE-2014-0160 is hardly memorable, agreed?)

Does that explain things a little more?

Please let me know if you have any trouble with the beta extension, too.

Thanks!

Kyle

AgileBits

------
jhgg
Kyle,

Are there any plans to update the Android version of the app? I love 1Password
on my mac, but on my nexus 5, the experience sucks! Anything in the pipeline
on that? Or is agilebits just focused on OSX/iOS for now?

Thanks!

~~~
AGKyle
Hi!

Absolutely, we've posted a bit about it on our blog:

[http://blog.agilebits.com/2013/11/15/1password-4-for-
android...](http://blog.agilebits.com/2013/11/15/1password-4-for-android-the-
beta-like-winter-is-coming/)

The beta is coming along nicely, you can still sign up for the beta if you
wish to try it out.

Let me know if I can do anything else to answer any of your questions or
concerns.

Kyle

AgileBits

~~~
kolev
For months, autofilling doesn't work on Mac. Neither on stable, nor on
development releases. Firefox and Chrome complain about browser signature.

~~~
AGKyle
Sorry to hear you're having trouble.

Please email in to support @ agile bits . com, and mention my name please and
that I asked you to email in. I'll get this all fixed up for you. Give a brief
description of the error to jog my memory.

Kyle

AgileBits

