If anything helped propel 1Password to the spotlight in the last few years, it’s the wave of hacking that has exposed consumer data–names, passwords, credit card numbers, Social Security numbers, and more–to cybercriminals. 1Password has given users ease of mind with encryption as well as convenience: An exemplar of its name, the password manager requires users to memorize a single password to unlock even more passwords across the web–and a vault of sensitive data.
Following up on a refresh of its iOS app last year, AgileBits launched 1Password 4 for Mac ($50, current promotional pricing is $40) on Thursday with more than 90 new features, including a user interface to match Apple’s upcoming OS X Mavericks, multiple and shared vaults, and enhanced security.
Jeffrey Goldberg, dubbed AgileBits’ “Chief Defender Against the Dark Arts,” talked to Fast Company about the security features that make up the core of 1Password. The previous version, 1Password 3, was designed with the idea that computers were stolen more often than data from Dropbox, which people can use to sync their 1Password vaults across multiple devices. “But widespread use of cloud syncing does open up some novel threats as well. So the new data format is designed to resist active attacks–what can someone do if they can manipulate the data you use–as well as passive attacks–what they can do if they obtain a copy of your data.”
With the exception of modify time and creation date, all information stored in 1Password has been secured with 256-bit AES encryption, a standard used by financial institutions. “So even mass harvesting of people’s 1Password data off of sync servers should tell the attacker nothing more than that these people use 1Password,” he added.
Using a single password to unlock a vault of many more passwords is convenient, but the possibility of hacked master passwords exists. “If we’ve done our job right, then the weak point in security is a person’s master password,” Goldberg said. “If an attacker gets hold of your encrypted data, then all she needs to do is guess your master password to be able to decrypt it.”
AgileBits added data integrity checks for modifications to the master password to defend against Chosen Ciphertext Attacks, where a hacker attempts to recover a hidden secret key to decrypt encrypted text. The previous version of 1Password used a type of encryption algorithm called PBKDF2 to slow down automated guesses of the master password. Building on that, AgileBits has updated the hash algorithm used in PBKDF2 to prevent sophisticated attacks that leverage the computing power of graphics processing units.
“So this rather mundane security change, making password crackers much slower, is probably the change that will have the biggest impact on 1Password users,” Goldberg said. “Of course they should still pick good master passwords.”
Some of the more visible changes to 1Password include multiple and shared vaults as well as the ability to share individual passwords (a feature offered by competitor LastPass) via email or obfuscated iMessage. Because the vaults use the same technology as the primary vault, “the technical aspects are easy–well, as easy as any security thing ever is,” he said. “The difficult part is behavioral. Will sharing vaults create security problems stemming from how people actually use them? Will people accidentally put things in the wrong vaults? Will people share vaults with the wrong people? We try to anticipate these sorts of things. Part of security design means making it much easier for people to behave securely than insecurely.”
This is where the UI comes in handy. Customized icons for vaults help people categorize items properly. “I think that this might illustrate a larger point–that you can’t address security separately from user interface and human behavior,” Goldberg said. “Sure, I love the math of cryptography, but you can’t get security just by getting the math right.”