
1Password 4 for Mac is here - bjonathan
http://blog.agilebits.com/2013/10/03/1password-4-for-mac-is-here/
======
adestefan
I'm okay with paying for the Mac update. What I'm not okay with is them
disabling Dropbox support in the old iOS program and then making the new
version a $18 app. That means I'll need to spend $51.58 ($33.59 for Mac +
Windows upgrade plus $17.99 for iOS app) to regain functionality the worked
perfectly fine until they crippled the iOS app.

I'm doubting that I'll actually do this because I'm so steamed about the
disabling of perfectly working features.

~~~
e1ven
AgileBits has relatively few options here- Their writeup is available at

[http://blog.agilebits.com/2013/08/08/1password-3-dropbox-
syn...](http://blog.agilebits.com/2013/08/08/1password-3-dropbox-sync-faq/)

They claim that Dropbox deprecated their existing API, so the software broke
on it's own. AgileBits did not disable the integration, upsteam changed.

In the same way that Netscape 4 can't talk to SPDY-only websites, 1Password 3
can't talk to the new dropbox API.

I haven't found the doc from Dropbox that describes an API change on Sept 1 -
They did do a V0-V1 change this year, however, and AgileBits' story is
plausible.

~~~
100k
But the only reason they couldn't update 1Password 3 to the new API is because
they pulled it from the store -- in order to force all users to upgrade for
$18.

~~~
e1ven
I don't think they pulled it to force people to upgrade.. I suspect they
pulled it because selling multiple versions would be confusing.

It's clearer if there is one app per platform. Getting my wife to use a
password manager is tough enough - Having to explain why there are 14
variations in the store would just add to the burden.

But as to why it was a new version in the first place.. This is Apple's
supported answer for paid upgrades. They did the same for Logic Pro X.

~~~
100k
I don't have a problem paying for an upgrade. There's features I am definitely
excited about, like multiple Vaults which I mentioned above.

But as an end-user who only owns an iPhone, the only "feature" I notice in
1Password 4 for iOS is "Dropbox syncing still works". Not very compelling.

------
tbatchelli
I use 1Password so extensively that the money I paid for it always seemed well
spent, if not cheap.

1Password 4 is a big leap for me in terms of usability (vs. v.3): the mini
application can be quickly accessed via a key chord, similarly to what you can
do within a browser. Very helpful for things like VPN access, encrypted HDs,
and other non-web softwares.

The security audit is a great feature too: it can tell you where you are using
weak passwords, or even repeated passwords. If you have used the same password
on many sites, and one of those sites is compromised, you might want to change
that password elsewhere, or better, make sure you use a unique strong password
everywhere; so knowing what sites could be compromised is a huge help.

If you want to feel safe in the web, 1Password's high usability and new
features will help you get there.

~~~
chmars
Are you happy with the browser support?

In my browsers, 1Password 4 still works less reliably than 1Password 3. Manual
completion (I don't use auto competition) sometimes works and sometimes
doesn't. In the former case, the user credentials get listed but not inserted.
The issues occurs more often in Chrome than in Firefox. It might be just me of
course.

In any case, I am already in contact with the great AgileBits support team.
AgileBits is one of the companies where your support mails are taken
seriously.

~~~
AGKyle
If you email me, my name (see sig at bottom) at company url with the email
address you used to send your support ticket in I'll personally take a look.

Kyle

AgileBits Support

------
smackfu
Personally, I see no compelling reason to upgrade. V3 works fine for me, and
99% of the time I'm just using the browser plug-in anyways, not the main app.

It's also a bit disappointing that I had to buy direct to get cross-platform
support, which is the reason I chose 1Password, but then that means I have to
pay for this upgrade. If I had paid them half the price via the Mac App Store,
minus Apple's 30% no less, I would get the upgrade for free. Not sure what
they are trying to tell me there.

~~~
AGKyle
AgileBits Support here.

Sorry to hear you feel it isn't worth the upgrade. I'd suggest trying the demo
at least to see if there's anything there worth using. Personally, the new
browser extension is amazing and I have a hard time going back to help users
in support :)

You didn't have to buy direct to get cross platform support. We offer coupons
to users who purchase on the Mac App Store and want to buy our Windows
application as well. We match the price at the time of purchase. So, normally
the Mac app is $50, we offer the Mac + Win bundle for $70. If you bought at
$50 on the Mac App Store, we give a coupon to get the Windows app for the same
price as our website bundle. We just need proof of purchase from the Mac App
Store.

If you have concerns though, email us, support at company url. Mention me here
and someone will add me to the ticket and we can discuss directly. I'll be
happy to help however I can.

Kyle

AgileBits Support

~~~
smackfu
>You didn't have to buy direct to get cross platform support.

My only suggestion is that you might want to document this somewhere, because
I had no idea this was an option at the time I purchased in July 2012, and
still don't see it on the store web pages.

~~~
AGKyle
You're right, we don't have it anywhere anymore. We did have it when we were
using another support system that had a built in KB. Sadly that didn't work
out for us and I think that article disappeared along with the tool.

I'll put this on my todo list to see if we can get it handled soon.

That said, if you email us support at company url, maybe I can make it up to
you in some way or another. Just mention my name and remind me of this
discussion.

------
Brajeshwar
I found out about the "CMD + \" just now. I guess it wasn't there before or is
that because I never used the browser plugin.

Btw, my upgrade was free at the App Store.

Quick observations;

* Snappy and Fast.

* iCloud Sync will make it easier to sync between Devices - iOS and Mac OS X. Dropbox sync wasn't that great if I don't open the app often. (I hope I don't regret saying this.)

* Finally, "CMD + SHIFT + c" copies password to clipboard. Been asking that for ages.

* Security Audit is cool.

Hmmmmm;

* I wish I could choose the backup location.

* Allow me to create custom categories.

Overall, nice upgrade.

~~~
chmars
Is CMD + \ an easily reachable shortcut on American keyboards?

On my Non-American keyboard, CMD + \ equals CMD + Alt + Shift + / …

I have never used the setting so far. The current setting in 1Password on the
Mac I am using right now is CMD + S, that does not work of course. I guess I
changed it years ago since AgileBits is very unlikely to have chosen CMD + S
as shortcut for Non-American keyboards. I changed the shortcut now to CMD +
ALT + 7 …

~~~
AGKyle
Yup, it's been there for a long time. For at least as long as I've been a
user.

We had trouble with 1Password 3 and non-US keyboards, but the new app should
be MUCH better at handling non-US keyboard layouts. So change that shortcut
however you see fit :)

I just can't promise a t-shirt for your chosen replacement of the shortcut
(see our blog.agilebits.com header for this one).

Kyle

AgileBits Support

~~~
chmars
Your t-shirts look great!

I don't expect a t-shirt from you but maybe you could provide a template?

~~~
AGKyle
We do sell the command+\ shirts :)

[https://www.merchline.com/agilebits/category.6106.c.php](https://www.merchline.com/agilebits/category.6106.c.php)

They're "at cost" so we're not making money on the shirts but our users really
loved them so we found a way to at least make them available at a reasonable
price.

Kyle

AgileBits Support

------
GotNothing
Supported this company with the first version of 1Password. Then paid again
for a family version of v3 last year, as well as the paid version for the
iPhone which has been somewhat of a let down... now they want more money. All
so I can store/use passwords.

I've spent less money on other apps that I actually spend more time using
daily. Guess I'll start searching for some alternatives before they start
dropping support for v3.

~~~
x03
"— All Mac App Store customers get 1Password 4 for free. Yes, all of them

— All website customers who purchased 1Password for Mac in 2013 get v4 for
free. Yes, that’s a nine-month free upgrade window

— Launch sale price for new customers: $39.99 – that’s 20% off the regular
price of $49.99

— Launch upgrade sale price for website customers who bought before 2013:
$24.99 – that’s $10 off our regular upgrade price of $34.99".

~~~
GotNothing
Not sure why you're quoting this. I read this when I visited the page... I
just find it ridiculous that if I pay the $24.99 to upgrade, I will have put
close to $100 into an app that basically stores passwords for me conveniently.

~~~
adestefan
They can do what they want with their pricing, but I agree. I just don't see
the value at the current price points, especially the $18 iOS app. I'd be more
inclined to upgrade at around $20 and $10. At $18 and $7 I'd already have
pulled the trigger.

------
jdludlow
I've been using 1Password for years, and until I saw the picture of everyone
in their t-shirts, I had no idea that CMD-\ was the hotkey for the password
menu.

Still waiting for seamless Linux integration though. It's one of my killer
apps that keeps me on OS X, connecting via ssh to headless Linux machines or
VMs, as opposed to using the Linux desktop. And yes, I realize that there are
other password managers out there for Linux. The point is that I already have
my passwords and many notes in 1Password, and anything I switch to would have
to sync with OS X and iOS.

~~~
ajacksified
Same here; I had to get a Windows license when I was tired of read-only from
the dropbox utility, and then run 1Password for Windows using Wine (and
1Password for windows is a _massively inferior_ experience.) I'm surprised
they don't put more effort into improving the Windows app instead of releasing
v4 on top of an already pretty good v3, even if they don't feel it's the right
time to release a Linux version.

~~~
AGKyle
AgileBits Support here.

Noted. We can't promise Linux support. It's hard to provide paid software on
Linux and be able to pay for the development and technical support. The user
base is tricky, many are used to free software via their favorite package
manager. Serious professionals are likely to pay I think, but how many of
those are there?

We'd love to support Linux in some way, and we just hired a guy who primarily
works in Linux. We never say never, but we certainly can't promise Linux
support. All that said, I'll pass your feedback along :)

I'd agree, I want our Windows application to get a make over and try to gain
feature parity with our Mac app. We're a very small team though so focus tends
to be on Mac and iOS since that's where a vast majority of our user base is.
That's not to say we don't want the other platforms to be better. Example:
We're working on a brand new Android application that should blend both our
look and feel with Android's look and feel.

We'll get the Windows application there, just give it some time. :)

Kyle

AgileBits Support

------
Osmium
Hmm, 1Password always seemed like an overly-complicated (though polished)
solution to a basic problem to me.

Personally, I just use a variant of:

one-way-hash(master-password + site-domain)

Seems to work really well, doesn't require special software, allows me to
replicate all my passwords on any computer, and passwords are unique to each
website and seemingly-random. Use a strong master password and it seems like
an ideal solution to me and you only have to remember one master password and
use no special software.* For extra security, perhaps base85-encode the output
and truncate it if you want a password with special characters in, and use a
slower function (e.g. bcrypt with a high work factor?) to prevent brute force
attacks if you're using a simple password.

[* Note, SuperGenPass basically does just this, but has security issues since
it runs as JavaScript in the browser as a bookmarklet. My personal solution is
a script which does something similar, run using a quick hot-key, that grabs
the domain from my front-most web browser window and grabs my master password
from the system keychain and then puts the generated password on my
clipboard.]

Would be very grateful if someone could point out any security flaws in this
method that haven't occurred to me!

~~~
Groxx
One domain flaw: dropbox.com used to be getdropbox.com and probably others.
Unless you remember and/or changed your password when that happened, it might
now be unrecoverable.

One password flaw: some sites have weird restrictions (probably your bank, for
instance). A hashing solution is unlikely to meet those requirements, meaning
you have to store the value securely somewhere, so why not store them all? On
the other hand, if the output _can_ meet the requirements, it's probably
partly _based_ on the requirements. If the requirements ever change, your
password now doesn't match.

I know I've thought of others previously, but the short version of it all is
that at _some_ point you'll probably have to have secure storage for something
that doesn't work with the hashing system you have. Once you have that secure
storage, why not just use it instead, since it can resolve nearly _all_ of the
problems?

~~~
Osmium
Anecdotally, the "one domain flaw" has only ever happened for me for two
websites over long time I've been using this system: getdropbox.com and
amazon.com (using international amazon sites). Worst case scenario, you can
request a password reset if the domain changes, because it's not the sort of
thing that happens often.

The "one password flaw" has never been an issue, but my bank uses proper two-
factor authentication with a physical card-reading device, so maybe that's
why... I've never actually encountered a website that places problematic
restrictions on passwords except (weirdly) Microsoft.

But they're just personal anecdotes that those flaws haven't been an issue for
me, but I agree they exist and could be show-stoppers for others. I certainly
wouldn't recommend it to anyone non-tech-literate. If I did need secure
storage outside of that system (which, you're right, does happen–mostly for
wifi passwords and the like) then I just use the system keychain as intended.

But I do still have concerns about the overall security of the system simply
because I don't understand it well enough...

> Once you have that secure storage, why not just use it instead, since it can
> resolve nearly all of the problems?

Because I don't want to pay for 1Password licenses, or be caught out if I'm
using someone else's computer, or if all my backups catastrophically fail :)

~~~
Groxx
Use any Google properties? Google.com and youtube.com (can) use the same
password across two domains. I think there are others within google too. Or do
they redirect to google.com for all logins? Meh. Like you said, it's a rare
problem.

Thought of another problem: when you're forced to change your password. How do
you encode that? Just add a version-N marker to the site name (which you have
to remember)?

I'm not trying to sell you on 1Password, just point out problems with hash-
only approaches :) And the storage-less nature is certainly a (big) plus when
it works out, you're right.

\--

And one possibly-significant danger you should be aware of: assuming you do
something simple (which has the advantage of being buildable from scratch on
any system, and easy to remember how), if your password is not _globally_
unique then your security partly relies on the security of whoever else uses
your password. If they lose it, anyone who knows that and guesses your
username _anywhere_ gets _proof_ that you use the same password, so they can
go test a bajillion sites immediately and with perfect success rates.

The standard technique for mitigating this is to salt the hash... but this is
just another secret you have to store somewhere or memorize, so we're back
where we started.

------
CountSessine
Maybe they can make a decent Android version one of these days. If they had a
good Android version, I'd update to v4 for OSX in a heartbeat. I own an OSX
license for v3, a Windows license for v3 (or whatever its at right now), and
iOS licenses for iPad and iPhone - even though I don't have an iPhone or iPad
anymore. I have a big investment in this program, but their slipshod Android
version has me re-evaluating this investment.

Are there any good alternatives to 1Password? I _need_ OSX, Windows, and
Android versions, and it needs to work in Chrome and Safari. I'd also need
synchronization between multiple machines/browsers. I'm not sure what I think
of a web version like LastPass - my 1Password keychain is in my dropbox, so
it's not like I have it locked-away and protected. But it still feels a bit
odd to have my passwords in a single service like LastPass - for some reason I
have more confidence in Dropbox's security than LastPass's.

~~~
Groxx
Yeah, they claim it's in the works, but I think that's been true for over a
year now. Maybe soon? An app like this shouldn't take a year to make,
especially since the current version is so incredibly bad. Some improvement
sooner would be preferable, I think.

I have yet to find any alternative that is even remotely as user-friendly.
LastPass does legitimately seem to be well run and secure, but the browser-
extension UI is horrible at omg levels. KeePass(X/etc) also looks decent, but
it's .NET (for what appear to be good reasons, but still), has slightly scary
code (lots of reimplementing builtin classes), and again, omg-horrible UI.

I'd love a reasonable alternative, 1Password is unfortunately getting too
pricy as time goes on, though it has been hands-down the best.

~~~
AGKyle
We are indeed working on a full Android application. We'll admit, it has taken
longer than we wanted. We're getting closer so hang in there and if you're
really interested in testing it, ping us at support at company url and mention
me. I'll see if I can add you to the list of testers when we get to that
point.

Kyle

AgileBits Support

------
pain_perdu
Isn't Apple about to release comparable native functionality into 10.9 in a
few weeks?

~~~
cytzol
Yes, but Apple's functionality only supports Safari on Apple devices.
1Password supports other browsers and Windows.

~~~
eknkc
Haven't tried Mavericks beta. Is there a management interface for saved
passwords or is it just the plain old Keychain Access utility?

All this "iCloud Keychain" hype looks like just a sync functionality on top of
current implementation.

~~~
itafroma
> Is there a management interface for saved passwords or is it just the plain
> old Keychain Access utility?

> All this "iCloud Keychain" hype looks like just a sync functionality on top
> of current implementation.

There's Keychain Access and a preference pane in Safari for web passwords. It
is exactly a sync feature added to the keychain implementation that exists in
Mountain Lion and earlier.

------
kstrauser
Ooh, the beautiful, lovely, shiny new "Security Audit" tab! It shows all of my
re-used passwords, which passwords are weak (even "Terrible", as it not-so-
subtly puts it), and which ones I haven't changed in years.

I've already added "perform 1Password security audit" to my monthly to-do
list.

------
deweller
Well, almost here.

Early adopters of 1Password 3 must wait a few more days in order to purchase a
v4 upgrade from the web store.

~~~
ndrake
v4 is available on their web store now.

------
weslly
It's kinda lame that website customers have to pay for the upgrade while
appstore users get it for free.

Yes, I know appstore doesn't support paid upgrades, but at least they could
have made it a little cheaper for us.

~~~
suninwinter
The website upgrade is free if you bought it this year, and it's only $24.99
if you bought it before 2013. Isn't that a little cheaper?

------
pretz
Watch out, the browser plugin upgrade instructions at
[http://learn.agilebits.com/1Password4/Mac/en/KB/v3-extension...](http://learn.agilebits.com/1Password4/Mac/en/KB/v3-extensions.html)
require you to launch 1Password 3 to sync your browser, something I can't do
after upgrading to 4 via the App Store.

I guess I'll go dig it out of Time Machine ....

~~~
Terretta
That's only if your browser widget hadn't sync'd.

------
fvrghl
Can someone please list the advantages of using 1Password instead of Keychain
Access? I can't find a simple difference list anywhere.

~~~
philwebster
Here are just a few. (Disclaimer: I use and love LastPass, but am familiar
with 1Password).

Sync- it's possible with Keychain Access + Dropbox, but not seamless

Easy password generation- no switching to Keychain Access, copying, etc.

iOS access- up until iCloud sync, passwords were not easily transferred to
devices

Support for Windows browsers

Form filling- Keychain will do addresses, but not credit cards

~~~
poolpool
Everything except windows support is solved in mavericks.

~~~
fvrghl
But all that stuff will only work with safari in Mavericks right?

------
TallboyOne
Wow, just YESTERDAY I was thinking... its disappointing I hardly get any
updates for 1Password 3 :( I checked the changelog and everything. I havent
even thought about this in MONTHS/years and suddenly the very next day
1Password 4 is announced. Amazing

------
bowlofpetunias
Multiple shared vaults each with their own sync and location sounds like a
godsend. I've been considering switching to LastPass Enterprise for work, but
the sharing there is awfully convoluted.

------
myko
I've been using 1Password for a couple of years.

I will probably switch soon given the current state of their Android app, but
maybe this OSX update is a hint at a visual refresh for all of their products?

~~~
halostatue
I _hear_ that there will be more than a visual refresh of the Android app (it
will fully participate in the 1Password ecosystem for update and read, less
iCloud support)—but it will be released when it’s ready.

~~~
CountSessine
In other words, Real Soon Now
[http://www.jargon.net/jargonfile/r/RealSoonNow.html](http://www.jargon.net/jargonfile/r/RealSoonNow.html)

------
everettForth
Does anyone have suggestions for what I can use, as a linux desktop user? The
best thing anyone has told me, so far, is Keepass, which has an interface I
don't like very much.

~~~
grimgrin
Well, I use LastPass, which is a browser plugin that works well between
browsers.

For a price you can use it on mobile, too.

[https://lastpass.com/misc_download.php](https://lastpass.com/misc_download.php)

------
Miyamoto
I don't really see the point of having 1Password on anything but your phone
(unless you don't have a smart phone).

It seems like the most secure way to use it, assuming you've enabled back ups
in 1Password to iCloud or DropBox.

Whenever I need a password I just grab my phone and look it up, then type it
in. Sure, I have to manually type passwords, and my randomized passwords all
have a minimum 18 character length, so it takes a bit longer. It's a plus
though, because over time I memorize my passwords through repetition. If you
have the program on a desktop and it just copies/pastes your password, you'll
never memorize it.

~~~
alex_doom
Serious? All my passwords are randomized with their generator. There's an
extension for every browser. So any time I need to login to a site I hit Cmd +
\ and it auto fills and logs me in. Fuck typing and remembering passwords.

~~~
Miyamoto
I guess I just don't want to install plug-ins on every browser/computer I use,
since I have a lot. Plus work, library, friends' computers, etc. Memorization
comes in handy at that point. As for typing, it's not like typing in even a
18+ character password is that slow.

~~~
philwelch
With iCloud sync now, all you need to memorize is your Apple ID password (to
install 1Password from the App Store and have it sync from iCloud) and your
1Password password and you can bootstrap your whole password database onto
every computer you own. Typing 20-30 character randomized strings is something
I try to avoid. What a pain in the ass.

------
Zelphyr
I'm confused. "All Mac App Store customers get 1Password 4 for free. Yes, all
of them."

But when I go to the Mac App Store it says $39.99. What gives?

~~~
astrism
They are referring to AgileBits customers on the Mac App Store. So anyone who
previously purchased 1Password on the Mac App Store. Apple doesn't offer
upgrade pricing, so it would make sense that the upgrade is free. Most likely
AgileBits calls that fact out due to past issues with the iOS App Store where
they took down the old app and created a new one so they could charge an
upgrade fee.

